[kwlug-disc] Tightening up SSH

John Van Ostrand john at netdirect.ca
Mon Jul 19 10:22:16 EDT 2010


----- Original Message -----
> The single most effective thing you can do to prevent these types of
> attacks is run ssh on a non standard port.
> 
> This will stop these automated scans right away.

But since everyone is changing it to 2022, 2222, 222, 1022 or something like that, it's only a simple level of obfuscation that could easily be defeated.

Do it right: refuse root SSH login, restrict login to a small subset of user ids. If you need to support passwords for dumb users, make sure they are complex passwords and restrict their use to just those logins. But try to go to key-based authentication. It's actually easier for admins. Use complex root passwords in case it accidentally gets re-configed and use sudo to avoid needing to know the complex password. And to avoid lots of log messages you can change the port.

Trust me, once you go to keys for admin you won't go back; it's way easier since you won't have to type in a password every time. If you travel a lot put the keys on a USB key, strongly password encrypted of course.

-- 
John Van Ostrand 
CTO, co-CEO 
Net Direct Inc. 
564 Weber St. N. Unit 12, Waterloo, ON N2L 5C6 
Ph: 866-883-1172 x5102 
Fx: 519-883-8533 

Linux Solutions / IBM Hardware 

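The steps John lists (refuse root login, a short AllowUsers list, keys instead of passwords with a Match exception for the few accounts that still need one, and a moved port to quiet the logs) as an sshd_config sample with a small audit function. This is an added example, not from the original post; the config contents, user names and port number are constructed.

```shell
#!/bin/sh
# Constructed sshd_config samples (not from the original post); user names are made up.
HARDENED_CFG='Port 2222
PermitRootLogin no
AllowUsers alice bob deploy
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
# deploy is the one "dumb user" account still allowed a (strong) password
Match User deploy
    PasswordAuthentication yes'

WEAK_CFG='Port 22
PermitRootLogin yes
PasswordAuthentication yes'

# ssh_opt KEYWORD: print the global value of KEYWORD from the config on stdin.
# Keywords are case-insensitive; stops at the first Match block so per-user
# exceptions (like the deploy account above) do not mask the global setting.
ssh_opt() {
    awk -v key="$1" 'tolower($1) == "match" { exit }
                     tolower($1) == tolower(key) { print $2; exit }'
}

# audit_sshd_config CONFIG_TEXT: report findings on stderr, print the number
# of failed checks on stdout, and use that number as the exit status.
audit_sshd_config() {
    cfg=$1
    fails=0
    root=$(printf '%s\n' "$cfg" | ssh_opt PermitRootLogin)
    if [ "$root" != "no" ]; then
        echo "FAIL: PermitRootLogin is '${root:-unset}', should be no" >&2
        fails=$((fails + 1))
    fi
    if [ -z "$(printf '%s\n' "$cfg" | ssh_opt AllowUsers)" ]; then
        echo "FAIL: AllowUsers not set, every local account can try to log in" >&2
        fails=$((fails + 1))
    fi
    pw=$(printf '%s\n' "$cfg" | ssh_opt PasswordAuthentication)
    if [ "$pw" != "no" ]; then
        echo "FAIL: PasswordAuthentication is '${pw:-unset}' globally; allow it only in a Match block" >&2
        fails=$((fails + 1))
    fi
    if [ "$(printf '%s\n' "$cfg" | ssh_opt Port)" = "22" ]; then
        echo "INFO: port 22, expect noisy logs from automated scans" >&2
    fi
    echo "$fails"
    return "$fails"
}
```

Run `audit_sshd_config "$(cat /etc/ssh/sshd_config)"` on a real host to get the same report; the function only reads text, it changes nothing.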