This is a mirror of official site: http://jasper-net.blogspot.com/

Three locks for your SSH door

Friday, May 20, 2011
Introduction
If you require remote access to your computer and you enable Secure Shell (SSH) connections, you must accept that you will automatically attract hackers who will try to break your defenses and take command of your machine. Although there's no guarantee that your machine won't be "0wn3d" by a "h4x0r," a few simple solutions can help reinforce your SSH door and make life a bit more difficult for anybody trying to break in. This article considers three such techniques:
  • Changing SSH's standard port to an unusual value and reinforcing SSH configuration so that simple-minded attacks just bounce back.
  • Defining a restricted list of users who are allowed to log in.
  • Completely hiding the fact that you even allow SSH access and requiring a special "knock" sequence to be recognized as a possible user.
To apply these techniques, you need to access the root account. Also, you'll probably have to install some packages, and you'll need to configure your firewall and your router—if you have one—to open and close specific ports and forward them to your machine.

Reinforcing the door

The concept "security through obscurity" is well known—and well derided—because doing things in an obscure way, hoping that no one will get wise to your method, is just asking for problems. However, in some contexts, a bit of obscurity can help. Although simple measures cannot stop determined hackers, at least you can be better defended against "script kiddies", whose scripts usually aren't that thorough.
Everybody knows that the standard port for SSH connections is 22. So, the first step you should take to make your machine more secure is simply to change the port to another unused and nonstandard port number, say 22960. Port numbers from 1024 upward are not reserved for well-known services, but pick one that nothing else on the machine listens on (check /etc/services and the output of netstat -ltn or ss -ltn) and that lies outside the kernel's ephemeral range (on Linux, /proc/sys/net/ipv4/ip_local_port_range, typically 32768 to 60999), so that an outgoing connection can never grab it before sshd does. Be clear about what this buys you: bulk scanners that only probe port 22 will pass you by, but a scan with version detection (nmap -sV, for example) still identifies sshd by its banner on any port. This change simply means that you have to use this command line to connect to your computer:

ssh -p 22960 your.machine.url

To effect this bit of subterfuge, make a simple change in the /etc/ssh/sshd_config file. Edit it (you must work as root for this), look for the line that reads Port 22, and change the number to whatever you have chosen (if the line is commented out because it starts with a pound sign [#], remember to uncomment it). Save the file, check it for typos with sshd -t, and restart SSH with the command /etc/init.d/sshd restart (on Debian and Ubuntu the script is /etc/init.d/ssh; on systemd-based systems use systemctl restart sshd or systemctl restart ssh, depending on the distribution). Do this from a session you keep open, and confirm that a fresh connection on the new port works before you log out: a mistake here locks you out of a remote machine. You should also open the chosen port in your firewall and close port 22.

But you can do even more. Fiddle with the configuration file so that it includes the lines shown in Listing 1. Note that some of these lines may already exist, but they could be commented out.

Listing 1. Some changes to your SSH configuration file enhance security at little cost

Port 22960 
LoginGraceTime 30 
MaxAuthTries 3 
Protocol 2 
PermitRootLogin no 
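The edits described above (uncomment the line, change the value, save) are easy to get subtly wrong, because sshd_config(5) has two rules that a hand edit can trip over: for each keyword sshd uses the first value it finds, so appending a new "Port 22960" below a live "Port 22" does nothing, and a keyword placed after a "Match" block applies only to that block. The script below is an added example, not code from the IBM article; it applies the five Listing 1 settings to a copy of the file with those rules in mind. It assumes only POSIX sh, awk and mktemp; the function names (set_sshd_option, effective_value, harden_sshd_config) and the sample configuration are mine, and the sample is constructed, not a real /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example, not part of the IBM article: apply the Listing 1 settings to
# an sshd_config copy with a script instead of editing by hand. Two rules in
# sshd_config(5) shape it:
#   1. for each keyword sshd uses the FIRST value it finds, so appending
#      "Port 22960" below a live "Port 22" line changes nothing;
#   2. keywords after a "Match" block apply only to that block, so a keyword
#      that is absent is inserted at the TOP of the file, never appended.
set -eu

# set_sshd_option FILE KEYWORD VALUE
# Rewrite every occurrence of KEYWORD (commented out or not) that precedes the
# first Match block into "KEYWORD VALUE"; add the line at the top if none exists.
set_sshd_option() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp)
    if awk -v key="$key" -v value="$value" '
        tolower($1) == "match" { in_match = 1 }
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)    # strip leading "#" and spaces
            split(line, f, /[ \t=]+/)            # f[1] = keyword, f[2] = value
            if (!in_match && tolower(f[1]) == tolower(key)) {
                if (!done) { print key " " value; done = 1 }
                next                             # later duplicates are dropped
            }
            print
        }
        END { if (done) exit 0; exit 3 }' "$file" > "$tmp"
    then
        cat "$tmp" > "$file"                     # cat, not mv: keep owner/mode
    else
        { printf '%s %s\n' "$key" "$value"; cat "$tmp"; } > "$file"
    fi
    rm -f "$tmp"
}

# effective_value FILE KEYWORD
# Print the value sshd applies outside Match blocks: the first uncommented
# occurrence (nothing if the keyword is not set). Case-insensitive, as sshd is.
effective_value() {
    awk -v key="$2" '
        tolower($1) == "match" { exit }
        NF == 0 || $1 ~ /^#/ { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            split(line, f, /[ \t=]+/)
            if (tolower(f[1]) == tolower(key)) { print f[2]; exit }
        }' "$1"
}

# harden_sshd_config FILE PORT: the five settings of Listing 1.
harden_sshd_config() {
    set_sshd_option "$1" Port "$2"
    set_sshd_option "$1" LoginGraceTime 30
    set_sshd_option "$1" MaxAuthTries 3
    set_sshd_option "$1" Protocol 2
    set_sshd_option "$1" PermitRootLogin no
}

# Demo on a constructed sample, not a real /etc/ssh/sshd_config: note the
# commented-out Port, the duplicate live Port, and the trailing Match block.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample sshd_config
#Port 22
Protocol 2,1
PermitRootLogin yes
GatewayPorts no
Port 2222
Match User backup
    PermitRootLogin no
EOF
harden_sshd_config "$sample" 22960
cat "$sample"
echo "effective Port: $(effective_value "$sample" Port)"
rm -f "$sample"
```

On a real host, run it against a copy, diff the result against the original, then validate with sshd -t and read back the live values with sshd -T before restarting the daemon. What the five lines do: LoginGraceTime 30 drops a connection that has not authenticated within 30 seconds; MaxAuthTries 3 caps authentication attempts per connection (every public key your agent offers counts as one attempt, so a client with many keys loaded may need ssh -o IdentitiesOnly=yes); PermitRootLogin no forces an attacker to guess a username as well as a password; Protocol 2 refuses the broken SSH-1 protocol on the OpenSSH versions of 2011, while OpenSSH 7.4 and later have no SSH-1 code at all and merely report the keyword as a deprecated option. On the client side, a Host entry with Port 22960 in ~/.ssh/config saves typing -p on every connection.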

Read more: IBM
