Re: Security basics

Lamar Owen wrote:
> 
> On Wednesday 03 October 2007, Karl Larsen wrote:
> >     I have sure heard a LOT about security updates and I have had my own
> > problems. For years I thought the only thing necessary was a good root
> > password. This year I found out with ssh around you need a good password
> > for your own login name. My problem was caused by having a super poor
> > login password which was my last name. Since the login name was karl it
> > followed.
> 
> Also: run ssh on some port other than 22.  This is accomplished by 
> editing /etc/ssh/sshd_config and /etc/sysconfig/iptables (to add the port to 
> iptables, assuming you're running iptables).  If you know the IP addresses 
> from which you will always be connecting, then set your firewall (both on any 
> external router as well as in /etc/sysconfig/iptables) to only allow the IP 
> addresses you want.
> 
> Just changing from port 22 to some other port (and 222 or 2222 aren't good 
> ones; anything above 1024 is fair game) will eliminate 90% or more of your 
> risk. 
> 
> Also, set up RSA key security and eliminate password-based logins.  This is a 
> fairly lengthy setup; I'm sure there's a HOWTO in the archives (I'm getting 
> ready to go home for the day, and don't have time to type it in; if you can't 
> find it anywhere, I can write one up fairly quickly, as I've set this up on 
> several boxes).  Some might say to just do this and not worry about the 
> listening port change; I prefer multilayered security (why I run SELinux in 
> enforcing/targeted mode on servers) when possible.
> 
> With a nonstandard port you do have to remember to use the -p parameter of ssh 
> to connect (and the -P parameter of scp) but in my opinion it's worth it.

Changing ports for ssh isn't actually that hot of an idea.  Most port scanners
can detect ssh implementations since they normally self-identify.  For example,
if you're running ssh on the normal port (22), try executing:
	/usr/bin/telnet YOUR.HOST.IP.ADDR 22
and see what pops out.

Hope this helps'idly,

-S
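The self-identification -S describes can be checked from a script rather than by hand with telnet. The following is an added example, not code from the thread: it reads the RFC 4253 identification line a server sends on whatever port it listens on and parses it, using a constructed OpenSSH-style banner served on a local throwaway socket so it runs offline. The sample banner, the helper names and the loopback address are assumptions.

```python
import socket
import threading

# Constructed sample banner (not captured from any real host), in the RFC 4253
# identification-string format: SSH-protoversion-softwareversion [SP comments] CR LF
SAMPLE_BANNER = b"SSH-2.0-OpenSSH_4.7 Debian-8ubuntu1\r\n"

def parse_ssh_banner(line: bytes):
    """Return (protoversion, softwareversion, comments) or None if not an SSH banner."""
    text = line.rstrip(b"\r\n").decode("ascii", errors="replace")
    if not text.startswith("SSH-"):
        return None
    ident, _, comments = text.partition(" ")
    parts = ident.split("-", 2)          # "SSH", protoversion, softwareversion
    if len(parts) != 3:
        return None
    return parts[1], parts[2], comments

def grab_banner(host: str, port: int, timeout: float = 3.0):
    """Connect, read the first line the server volunteers, and parse it.
    Any TCP port is probed the same way, which is why moving sshd off 22 hides little."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            data = b""
            while not data.endswith(b"\n") and len(data) < 255:   # RFC 4253 max line length
                chunk = sock.recv(255 - len(data))
                if not chunk:
                    break
                data += chunk
    except OSError:
        return None
    return parse_ssh_banner(data)

def serve_banner_once(banner: bytes) -> int:
    """Start a local listener that sends `banner` to one client; returns its port (offline stand-in)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def _handle():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()
    threading.Thread(target=_handle, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    port = serve_banner_once(SAMPLE_BANNER)
    print(grab_banner("127.0.0.1", port))   # ('2.0', 'OpenSSH_4.7', 'Debian-8ubuntu1')
```

Point `grab_banner` at your own hosts to confirm what they announce; a non-SSH service on the port returns None.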

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list