locking down ssj

Ian Malone ibmalone at gmail.com
Fri Dec 16 08:17:40 UTC 2011


On 15 December 2011 16:34, Jake Shipton <jakems at fedoraproject.org> wrote:
> On 15/12/11 15:23, Robert Moskowitz wrote:
>> I will provide a disclaimer up front that I work in the security field,
>> but I design security protocols (e.g. co-chaired IPsec, author of HIP,
>> contributor to 802.11i) and OS security I learn from osmosis from my
>> colleagues.
> I myself am not working within the security field. I am simply passing
> on advice from what I have learned over the years :-) (Well part of it)

>> On 12/15/2011 08:08 AM, Jake Shipton wrote:

>>>>      "Joe Zeff"<joe at zeff.us>

>> For a good analysis of the problem with passwords see:
>>
>> http://www.cryptosmith.com/password-sanity
>>
>> Richard has a very good book on Authentication that I once taught a
>> class from...
>>

> I only have open what I need, and I usually forward local ports to ones
> needed. For example my SSH (not actual ports)
>
> I would have say, port 1000 locally forwarded via firewall to port 22,
> but still blocking 22. So an attempt to go straight to 22 will not work,
> however port 1000 would take them to port 22 (and good luck to them when
> they get there.....)
>
> PS: I don't actually use port 1000, I use another. I would change port
> 22 directly via sshd_config but every time I did SSH broke in some way
> or another, so I just forwarded it instead haha :-).
>>

>>> For example, you said you have no idea what SSH is, if I remember
>>> correctly this is enabled by default.
>>
>> Yes it is.  Sitting on port 22 and EVERY script kiddie out there knows
>> that and 'knocks' with common userids and passwords.  If you really need
>> the SSH server, at least move it to another port and/or implement
>> shorewall with port knocking defense on ssh (well documented in
>> shorewall docs).  Just the number of entries in logwatch if you have it
>> up and on port 22 is annoying and part of the reason I have moved it to
>> a different port.
> Oh most definitely, and if you're serious about using SSH and you need it,
> make sure you disable root login, that will be the account script
> kiddies will be after, and if it's disabled, it won't work, and they
> will need to guess your user-name as well.
>
> I would never recommend leaving port 22 open in the wild either.
>

Require key authentication for ssh, that way the only brute force
that's halfway sensible will be on your key file, and will be
different from your system password.

-- 
imalone
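As an added example (not part of the thread or of any poster's setup), a POSIX shell audit of an sshd_config for the three points raised above: root login disabled, password authentication off in favour of keys, and whether sshd still listens on port 22. The two config files it writes to a temp dir are constructed samples; it also shows that sshd honours the first occurrence of a keyword, so a later "PermitRootLogin no" does not rescue an earlier "yes".

```shell
#!/bin/sh
# Added example: check an sshd_config for the hardening discussed in the thread.
# Sample config files below are constructed, written to a temporary directory.

# sshd_value FILE KEYWORD: print the value sshd would use for KEYWORD.
# sshd takes the FIRST occurrence of a keyword, matched case-insensitively;
# conditional Match blocks are skipped, so only global settings are checked.
sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/     { next }              # comments, blank lines
        tolower($1) == "match"   { exit }              # stop at first Match block
        tolower($1) == key       { print $2; exit }    # first value wins
    ' "$1"
}

# sshd_audit FILE: print one line per weak setting; exit status = problem count.
sshd_audit() {
    cfg="$1"; problems=0
    root=$(sshd_value "$cfg" PermitRootLogin)
    if [ "$root" != "no" ]; then
        echo "PermitRootLogin is '${root:-unset}' (want: no)"; problems=$((problems + 1))
    fi
    pw=$(sshd_value "$cfg" PasswordAuthentication)
    if [ "$pw" != "no" ]; then   # unset means the sshd default, which is yes
        echo "PasswordAuthentication is '${pw:-unset}' (want: no, keys only)"
        problems=$((problems + 1))
    fi
    port=$(sshd_value "$cfg" Port)
    [ "${port:-22}" = "22" ] && echo "note: default port 22 (expect scanner noise in logs)"
    return "$problems"
}

tmp=$(mktemp -d)
# Constructed weak config: the second PermitRootLogin line is ignored by sshd.
cat > "$tmp/weak.conf" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no
EOF
# Constructed hardened config: the Match block must not change the global verdict.
cat > "$tmp/hard.conf" <<'EOF'
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
Match Address 192.0.2.0/24
    PasswordAuthentication yes
EOF
sshd_audit "$tmp/weak.conf" || echo "weak.conf: $? problem(s)"
sshd_audit "$tmp/hard.conf" && echo "hard.conf: hardened"
```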

