On Thu, May 15, 2008 at 9:47 AM, Bob King <[EMAIL PROTECTED]> wrote:
>
> Many distros come with ssh installed by default, and often with root access
> allowed by default. I always thought that disabling root access via ssh is a
> good idea, but reading this I would assume it would be a good idea to just
> deactivate password access via ssh altogether and limit access to systems
> with keys known to the host. Moving the sshd to a non-standard port would be
> another move, but would that stop more than the most basic tools?
>
> I would be interested in hearing recommendations from other folks on the
> list.
>
Low hanging fruit:
  - Non-standard port
  - Use AllowedUsers - only allow specific users
  - DenyUsers - disable all system accounts
  - RootLogin - disallowed
  - Run denyhosts or some other blacklisting app.
  - Reboot your sshd periodically to time out connections
  - Disable ping

Harder:
  - No passwords allowed - must have keys
  - Allow only specific IPs in
  - Run in a chroot - you need to ssh tunnel out of it to another port
  - Set up something like dial-back port knocking
  - Eliminate every ssh feature you don't need - config or coding
  - Add another layer of authentication:
      - OTP (one time passwords) - there are ways to do this with a preprinted list
      - SecureID or something similar
  - Run a different codebase - not OpenSSH, but lssh, SSH Inc, dropbear, etc.
_______________________________________________ gnhlug-discuss mailing list gnhlug-discuss@mail.gnhlug.org http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
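The following is an added example, not code from either poster: a small POSIX sh audit of an sshd_config against the "low hanging fruit" in the reply above (in OpenSSH the directives are actually AllowUsers, DenyUsers and PermitRootLogin), plus one caveat practitioners trip over when they go to keys only. It assumes OpenSSH's sshd_config(5) rules (first occurrence of a keyword wins, anything after a Match line is conditional) and OpenSSH's own defaults for directives that are absent; the three sample configs are constructed for the demo.

```sh
#!/bin/sh
# Added example, not from the original thread: audit an sshd_config for the
# settings discussed above.  Assumes OpenSSH sshd_config(5) syntax (first
# occurrence of a keyword wins; lines after "Match" are conditional and are
# only reported, not audited).  Defaults are OpenSSH's; samples are constructed.

# effective_value FILE KEYWORD DEFAULT: print the global value of KEYWORD
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[[:space:]]*#/ || NF == 0 { next }          # comment or blank line
        tolower($1) == "match"      { exit }          # rest is conditional
        tolower($1) == key          { $1 = ""; sub(/^ +/, ""); print; found = 1; exit }
        END                         { if (!found) print def }
    ' "$1"
}

lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# audit_sshd_config FILE: print one WEAK line per finding; exit 1 if any
audit_sshd_config() {
    f=$1; n=0

    root=$(effective_value "$f" PermitRootLogin prohibit-password)  # pre-7.0 default: yes
    if [ "$(lc "$root")" != no ]; then
        echo "WEAK PermitRootLogin=$root: disallow direct root login"; n=$((n+1)); fi

    pw=$(effective_value "$f" PasswordAuthentication yes)
    if [ "$(lc "$pw")" != no ]; then
        echo "WEAK PasswordAuthentication=$pw: require keys, not passwords"; n=$((n+1)); fi

    pk=$(effective_value "$f" PubkeyAuthentication yes)
    if [ "$(lc "$pk")" != yes ]; then
        echo "WEAK PubkeyAuthentication=$pk: key login must stay enabled"; n=$((n+1)); fi

    port=$(effective_value "$f" Port 22)
    if [ "$port" = 22 ]; then
        echo "WEAK Port=22: a non-standard port only cuts scanner noise, but it is free"; n=$((n+1)); fi

    users=$(effective_value "$f" AllowUsers "")
    if [ -z "$users" ]; then
        echo "WEAK AllowUsers unset: every account with a shell may log in"; n=$((n+1)); fi

    # Caveat: PasswordAuthentication=no alone does not stop password logins.
    # With UsePAM=yes and keyboard-interactive enabled, PAM still prompts for
    # and accepts the account password.  OpenSSH 8.7 renamed
    # ChallengeResponseAuthentication to KbdInteractiveAuthentication, so
    # honour whichever spelling the file uses.
    kbd=$(effective_value "$f" KbdInteractiveAuthentication "")
    [ -n "$kbd" ] || kbd=$(effective_value "$f" ChallengeResponseAuthentication yes)
    pam=$(effective_value "$f" UsePAM no)
    if [ "$(lc "$pw")" = no ] && [ "$(lc "$pam")" = yes ] && [ "$(lc "$kbd")" = yes ]; then
        echo "WEAK KbdInteractiveAuthentication=$kbd with UsePAM=yes: passwords still accepted via PAM"
        n=$((n+1)); fi

    m=$(grep -ci '^[[:space:]]*match[[:space:]]' "$f" || true)
    [ "$m" -eq 0 ] || echo "NOTE $m Match block(s) present: review their overrides by hand"

    [ "$n" -eq 0 ]
}

# count_findings FILE: number of WEAK lines; always exits 0 for use in scripts
count_findings() { audit_sshd_config "$1" | grep -c '^WEAK' || true; }

tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT

# Constructed: a stock distro config of the kind the thread describes
cat > "$tmp/stock" <<'EOF'
Port 22
Protocol 2
PermitRootLogin yes
#PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
Subsystem sftp /usr/lib/openssh/sftp-server
EOF

# Constructed: the usual "keys only" hardening that forgets keyboard-interactive
cat > "$tmp/halfway" <<'EOF'
Port 2222
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
AllowUsers alice bob@10.0.0.0/8
EOF

# Constructed: keys only, named users (one restricted by source net), no root
cat > "$tmp/hardened" <<'EOF'
Port 2222
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
UsePAM yes
AllowUsers alice bob@10.0.0.0/8
EOF

for c in stock halfway hardened; do
    echo "== $c"; audit_sshd_config "$tmp/$c" || true
done
```

On a live host, point audit_sshd_config at /etc/ssh/sshd_config, or better, at the output of `sshd -T` saved to a file, since that is the merged configuration sshd actually runs with. The "halfway" sample is the one to remember: PasswordAuthentication no is not keys-only until keyboard-interactive is off too, otherwise PAM keeps prompting for the password and a brute-forcer never notices the difference.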