On Sat, 2005-01-08 at 23:00 +0000, Paul wrote:

> > 1) Allow rsa key logins only.
> > 2) Restrict by IP address, if possible.
> > 3) Restrict by username if possible.
> > 4) Run sshd on a port other than 22.
> > 5) Use port knocking if you are really paranoid. (Though that hasn't
> > had enough field testing to trust it as the only security measure,
> > for sure.)
>
> Is there a simple-to-follow howto on all of these?

Not that I know of, but here's some quickies:

1) RSA keys: On any clients you want to have access to a particular server, generate a key pair with 'ssh-keygen -t rsa'. Then copy (via sneaker.net for the truly paranoid, and then eat the floppy when you're done) your ~/.ssh/id_rsa.pub on the client to your ~/.ssh/authorized_keys on your server (or append, as appropriate). Be sure to 'chmod 600 ~/.ssh/authorized_keys'. Edit /etc/ssh/sshd_config on your server and set PubkeyAuthentication to yes and PasswordAuthentication to no. Other things I usually change are Protocol (2), PermitRootLogin (no), and PermitEmptyPasswords (no). Restart sshd on the server.

2) IP restrictions: I thought there was a way to put a list of IPs in the /etc/ssh/sshd_config file, but I can't find it in the man page anywhere. Looks like sshd is linked with tcp_wrappers, however, so you could just use /etc/hosts.{allow,deny} settings to set those restrictions. Just using iptables is also a possibility.

3) User restrictions: Change/add the AllowUsers setting in /etc/ssh/sshd_config with a list of allowed users. Related options are DenyUsers, AllowGroups, and DenyGroups.

4) Port setting: Change the 'Port' setting in /etc/ssh/sshd_config to something other than 22. 1022 is a common alternative, which is a good reason to use something *other* than 1022 :-). Use 'ssh -p<newportnumber> <host>' to connect to your ssh daemon after this change.

5) Do a google for "Port Knocking" :-) Sorry, that's all I can help with in that area.
There are other, more paranoid settings you can change in /etc/ssh/sshd_config, but I wouldn't go overboard. You can make it truly difficult for legitimate users to use your ssh daemon if you really want to.

--
-Paul Iadonisi
Senior System Administrator
Red Hat Certified Engineer / Local Linux Lobbyist
Ever see a penguin fly? -- Try Linux.
GPL all the way: Sell services, don't lease secrets
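An added example, not part of the thread above: a small POSIX shell audit that checks an sshd_config for the settings recommended in points 1, 3 and 4 (PubkeyAuthentication, PasswordAuthentication, Protocol, PermitRootLogin, PermitEmptyPasswords, AllowUsers, Port). The config it reads is a constructed sample written to a temp file, not a real server's file; it also illustrates that sshd honours the first occurrence of a keyword, so a later "PasswordAuthentication no" does not override an earlier "yes".

```shell
#!/bin/sh
# Print the effective value of keyword $2 in sshd_config $1.
# sshd uses the FIRST uncommented occurrence of a keyword, so stop there.
# (Match blocks are not handled; this reads only the global section.)
sshd_setting() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Compare the config against the thread's recommendations.
# Returns the number of settings that need attention.
audit_sshd_config() {
    file=$1; fails=0
    for pair in PubkeyAuthentication=yes PasswordAuthentication=no \
                Protocol=2 PermitRootLogin=no PermitEmptyPasswords=no; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(sshd_setting "$file" "$key")
        if [ "$got" = "$want" ]; then
            echo "ok   $key $got"
        else
            echo "FAIL $key is '${got:-unset}', want $want"
            fails=$((fails + 1))
        fi
    done
    port=$(sshd_setting "$file" Port)
    if [ -z "$port" ] || [ "$port" = 22 ]; then
        echo "FAIL Port is ${port:-unset} (sshd defaults to 22)"
        fails=$((fails + 1))
    else
        echo "ok   Port $port"
    fi
    if [ -z "$(sshd_setting "$file" AllowUsers)" ]; then
        echo "FAIL AllowUsers not set: any local account may log in"
        fails=$((fails + 1))
    else
        echo "ok   AllowUsers restricts who may log in"
    fi
    return $fails
}

# Constructed sample config (hypothetical values, not a real host's file).
write_sample_config() {
    f=$(mktemp)
    printf '%s\n' 'Protocol 2' 'Port 2222' 'PermitRootLogin no' \
        'PubkeyAuthentication yes' 'PasswordAuthentication yes' \
        'PasswordAuthentication no' 'PermitEmptyPasswords no' \
        '#AllowUsers alice bob' > "$f"
    echo "$f"
}

cfg=$(write_sample_config)
audit_sshd_config "$cfg" || echo "$? setting(s) need attention"
```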