[kwlug-disc] Tightening up SSH

John Van Ostrand john at netdirect.ca
Mon Jul 19 10:22:16 EDT 2010


----- Original Message -----
> The single most effective thing you can do to prevent these types of
> attacks is run ssh on a non standard port.
> 
> This will stop these automated scans right away.

But since everyone is changing it to 2022, 2222, 222, 1022 or something like that it's only a simple level of obfuscation that could easily be defeated.

Do it right: refuse root SSH login, restrict login to a small subset of user ids. If you need to support passwords for dumb users, make sure they are complex passwords and restrict their use to just those logins. But try to go to key-based authentication. It's actually easier for admins. Use complex root passwords in case it accidentally gets re-configed and use sudo to avoid needing to know the complex password. And to avoid lots of log messages you can change the port.

Trust me, once you go to keys for admin you won't go back it's way easier since you wont have to type in a password every time. If you travel a lot put the keys on a USB key, strongly password encrypted of course.

-- 
John Van Ostrand 
CTO, co-CEO 
Net Direct Inc. 
564 Weber St. N. Unit 12, Waterloo, ON N2L 5C6 
Ph: 866-883-1172 x5102 
Fx: 519-883-8533 

Linux Solutions / IBM Hardware 




More information about the kwlug-disc_kwlug.org mailing list