On 12/18/05, Brian Chabot <[EMAIL PROTECTED]> wrote:
Bill McGonigle wrote:
> I sleep better at night knowing my servers have these lines in them:
>
> Protocol 2
> PermitRootLogin no
> IgnoreRhosts yes
> PasswordAuthentication no
> AllowUsers ...
I like to add in:
MaxAuthTries 6
UsePrivilegeSeparation yes
AllowUsers can be a pain if your user base changes...
ListenAddress if your users always come from the same IP addresses. Not always doable, but if it is....
Port xxxx # changing to a non-standard port
I'm at a site that blocks all outgoing ports except 22 :-( Security by obscurity, but it makes you harder to find than your neighbors.
I've started running something called DenyHosts. If I get N failed logins from an IP address, it gets added to /etc/hosts.deny and my sshd never sees that IP again. It's worth checking out. All automated w/ email alerts, expiration of IPs (or not), number of failures, etc.
--
A strong conviction that something must be done is the parent of many bad measures.
- Daniel Webster
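A minimal version of the DenyHosts logic Brian describes (count failed sshd logins per source IP, emit an sshd entry for /etc/hosts.deny once N failures are reached, and expire old entries), written as an added example for this thread; it is not DenyHosts' own code. The log lines are constructed, and the threshold and TTL values are assumed.

```python
import re
from collections import defaultdict

# Constructed sample sshd syslog lines (not taken from the thread).
SAMPLE_LOG = """\
Dec 18 10:01:02 host sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Dec 18 10:01:05 host sshd[1002]: Failed password for invalid user admin from 203.0.113.5 port 51030 ssh2
Dec 18 10:01:09 host sshd[1003]: Failed password for root from 203.0.113.5 port 51041 ssh2
Dec 18 10:02:00 host sshd[1004]: Accepted publickey for bill from 198.51.100.7 port 40000 ssh2
Dec 18 10:02:30 host sshd[1005]: Failed password for bill from 198.51.100.7 port 40010 ssh2
Dec 18 10:03:00 host sshd[1006]: Invalid user oracle from 203.0.113.9
"""

# Matches the two common sshd failure messages and captures the source IPv4 address.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: (?:Failed password for|Invalid user) (?:invalid user )?\S+ from "
    r"(\d{1,3}(?:\.\d{1,3}){3})"
)


def count_failures(log_text):
    """Count failed login attempts per source IP; successful logins are ignored."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return dict(counts)


def offenders(counts, threshold):
    """IPs that reached N failures, i.e. the ones DenyHosts would block."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def hosts_deny_lines(ips):
    """TCP Wrappers entries that deny only sshd (for an sshd built with libwrap), not every service."""
    return [f"sshd: {ip}" for ip in ips]


def expire(blocked, now, ttl_seconds):
    """Drop entries older than the TTL (the optional expiration); blocked maps ip -> time added."""
    return {ip: t for ip, t in blocked.items() if now - t < ttl_seconds}


if __name__ == "__main__":
    counts = count_failures(SAMPLE_LOG)          # assumed threshold N = 3
    for line in hosts_deny_lines(offenders(counts, 3)):
        print(line)                              # prints: sshd: 203.0.113.5
```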