SSH configuration summary (was Re: Rookit infections: AARRGH!)
Tom Buskey
tbuskey at gmail.com
Thu May 26 09:13:00 EDT 2005
If you're running 4.1 (4.0?), hash the known hosts files. There's a
possible attack vector from that. If you don't use passwordless keys
and don't use ssh-agent I don't think you're vulnerable at all.

UsePrivilegeSeparation yes
Don't forget to create the user and /var/empty

AllowUsers
"This keyword can <...> take the form USER@HOST
then USER and HOST are separately checked, restricting logins to
particular users from particular hosts."

http://www.openssh.org should have documentation on some of the best
practices & vulnerabilities.

On 5/25/05, Larry Cook <lcook at sybase.com> wrote:
> This thread was very timely, as I wanted to set up my system for
> remote access using SSH. Here is a summary of the advice for a
> secure SSH configuration that I gathered from the thread. I've
> included the specific /etc/ssh/sshd_config file entries:
>
> * Disable SSH v1 protocol, only use SSH v2 protocol
> Protocol 2
>
> * Disable passwords, use DSA keys with passphrase
> PasswordAuthentication no
>
> * Disable root access, use sudo for audit trail
> PermitRootLogin no
>
> * Change SSH port number
> Port 12345
>
> * Only allow trusted IPs
> (I don't see this ability in SSH.)
>
> I've done all but the last one, since I couldn't find a way to
> configure it with SSH. Maybe the intent was to do it with
> iptables.
>
> Is there anything I missed?
>
> Given the above, what are the security risks?
>
> Thanks,
> Larry
--
The people I distrust most are those who want to improve our lives but
have only one course of action.
- Frank Herbert
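
The directives from the quoted summary and from this reply can be checked mechanically. The following is an added example, not part of either message: a small Python audit of sshd_config text. The function names, the sample user `larry` and the address `192.0.2.10` are constructed for illustration.

```python
import re

# Values the thread recommends, keyed by lowercased sshd_config keyword.
RECOMMENDED = {"protocol": "2", "passwordauthentication": "no",
               "permitrootlogin": "no", "useprivilegeseparation": "yes"}

def parse(text):
    """Keywords are case-insensitive. For ordinary keywords the first value
    wins, as sshd_config(5) documents; Port and AllowUsers values are
    collected from every line. Parsing stops at a Match block."""
    single, multi = {}, {"port": [], "allowusers": []}
    for raw in text.splitlines():
        m = re.match(r"\s*(\w+)(?:\s*=\s*|\s+)(.+?)\s*$", raw)
        if not m:                       # blank line or '#' comment
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            break
        if key in multi:
            multi[key].extend(value.split())
        else:
            single.setdefault(key, value)
    return single, multi

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    single, multi = parse(text)
    findings = []
    for key, want in RECOMMENDED.items():
        got = single.get(key)
        if got is None:
            findings.append(f"{key}: not set explicitly")
        elif got.lower() != want:
            findings.append(f"{key}: effective value '{got}', want '{want}'")
    if not multi["port"] or "22" in multi["port"]:
        findings.append("port: listening on the default port 22")
    if not multi["allowusers"]:
        findings.append("allowusers: not set, no user or host restriction")
    for pat in multi["allowusers"]:
        if "@" not in pat:
            findings.append(f"allowusers: '{pat}' has no @HOST part")
    return findings

# Constructed samples: the quoted summary, then with the reply's additions.
SUMMARY = "Protocol 2\nPasswordAuthentication no\nPermitRootLogin no\nPort 12345\n"
REPLY = SUMMARY + "UsePrivilegeSeparation yes\nAllowUsers larry@192.0.2.10\n"

if __name__ == "__main__":
    for name, cfg in (("summary", SUMMARY), ("with reply", REPLY)):
        print(name, audit(cfg) or "no findings")
```

Because the first value wins, a later `PermitRootLogin no` does not override an earlier `PermitRootLogin yes`; the audit reports the value that takes effect.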