Dave,
For #2 below, do you mean an ACL on the Vyatta box or an upstream
firewall rule? I would like to set up a rule which only permits SSH to
the router from a specified IP range, as I don't have the option of an
upstream firewall.
Thanks,
Juan Aguilar
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Roberts
Sent: Thursday, October 11, 2007 2:01 PM
To: 'Daren Tay'; vyatta-users@mailman.vyatta.com
Subject: Re: [Vyatta-users] Prevent root ssh login, but allow shell access?

If the box is publicly accessible, there is no way to prevent users from
trying to log in to it. There are bots that try a whole bunch of default
passwords on every publicly accessible box they can find. The ssh daemon
will dutifully log all access attempts. My Fedora box at home generates
the same sorts of log messages all the time.

Your only defenses are to:

1. Remove the box from the Internet.

2. Set up some firewall rules that block access for ssh from the
Internet side if you don't want it to be accessible there.

3. Or just make sure you use good passwords for all accounts.

In the case of the specific log message you show below, I'd note that
the bot is trying an unknown user name (something like "bob") that you
don't have on your box. It's probably a default account of some sort for
a known exploit.

Rule #1 before connecting *anything* to the Internet (whether Vyatta,
Red Hat, Debian, or a Windows box)--change *all* the default passwords
locally. With Vyatta, this is fairly simple and can be done with just a
couple of commands before you even set an IP address for any interface.
In fact, I think I did this exact thing in the screen cam demo of Vyatta
on the web site (yes, I'm the guy who can't type ;-).

-- Dave

________________________________

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Daren Tay
Sent: Monday, October 08, 2007 7:38 PM
To: vyatta-users@mailman.vyatta.com
Subject: [Vyatta-users] Prevent root ssh login, but allow shell access?

Hi guys,

I have been getting a lot of such entries in my log:

Oct  7 14:35:12 vyatta sshd[27845]: (pam_unix) check pass; user unknown

I think it's just some bots trying to log in. Any way to prevent this?

Also, currently I allow root login, but I don't feel safe with that
option. I can disable that using DenyUser in sshd_config. Yet, I need
to have access to bash, since users other than root will go straight
to XORPSH.

If I try to manually create a user with bash access in the system
using useradd, it will get overwritten every time I make changes to
XORPSH.

What's the best way to go about this?

Daren

_______________________________________________
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users
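An added example that is not part of the thread and not Vyatta's own tooling: one POSIX shell script that covers both the log situation Dave describes (finding which hosts are behind the invalid-user attempts that sshd dutifully logs) and the on-box rule Juan asks about (only one source range may open a new SSH connection to the router, with no upstream firewall involved). It assumes that Vyatta runs on Linux netfilter, so plain iptables applies on the router itself; the chain name SSH-IN, the range 203.0.113.0/24, the file name in the usage comment and every log line in sample_log are made up for the example.

```shell
#!/bin/sh
# Added example for this thread, not code from Vyatta or from anyone on the list.
# Part 1 lists the sources behind the "invalid user" attempts Daren sees in his
# log; part 2 builds the iptables rules Juan asks about, so that only one source
# range may open TCP/22 on the router itself. Assumptions: Vyatta's firewall is
# Linux netfilter, so plain iptables applies on the box; the chain name SSH-IN,
# the range 203.0.113.0/24 and every log line in sample_log are made up here.

# Constructed sshd log lines: the thread's pam_unix message plus the standard
# OpenSSH "Failed password for invalid user" line (not a real log).
sample_log() {
    cat <<'EOF'
Oct  7 14:35:12 vyatta sshd[27845]: (pam_unix) check pass; user unknown
Oct  7 14:35:12 vyatta sshd[27845]: Failed password for invalid user bob from 203.0.113.5 port 4412 ssh2
Oct  7 14:35:14 vyatta sshd[27847]: Failed password for invalid user admin from 203.0.113.5 port 4413 ssh2
Oct  7 14:35:16 vyatta sshd[27849]: Failed password for invalid user test from 203.0.113.5 port 4414 ssh2
Oct  7 14:35:19 vyatta sshd[27851]: Failed password for invalid user oracle from 203.0.113.5 port 4415 ssh2
Oct  7 14:36:02 vyatta sshd[27860]: Failed password for invalid user guest from 198.51.100.9 port 51000 ssh2
Oct  7 14:40:00 vyatta sshd[27870]: Accepted password for daren from 192.0.2.10 port 50022 ssh2
EOF
}

# Part 1: read syslog lines on stdin, count invalid-user failures per source
# and print "<count> <ip>" for sources at or above the threshold, busiest
# first. The bare pam_unix "user unknown" line carries no address, so it
# cannot be attributed to a source and is skipped.
ssh_offenders() {
    awk -v t="${1:-3}" '
        /sshd\[[0-9]+\]: Failed password for invalid user / {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= t) print n[ip], ip }
    ' | sort -rn
}

# Part 2 helpers: insist on a.b.c.d/n, and test whether an address is in it.
valid_cidr() {
    case "$1" in
        [0-9]*.[0-9]*.[0-9]*.[0-9]*/[0-9]*) return 0 ;;
        *) echo "expected a.b.c.d/n, got '$1'" >&2; return 1 ;;
    esac
}
ip_to_int() {             # dotted quad -> unsigned 32-bit integer
    echo "$1" | { IFS=. read a b c d; echo $(( (a << 24) | (b << 16) | (c << 8) | d )); }
}
in_cidr() {               # in_cidr <ip> <cidr>: succeeds when ip lies inside cidr
    ip=$(ip_to_int "$1"); net=$(ip_to_int "${2%/*}"); bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# Print the rules. A dedicated chain keeps the policy auditable and
# replaceable: it is flushed and rebuilt each run, and the INPUT jump is
# deleted before being re-inserted so repeated runs do not stack duplicates.
# Only new connections are diverted; sessions already open stay up.
ssh_rules() {
    net="$1"
    valid_cidr "$net" || return 1
    cat <<EOF
iptables -N SSH-IN 2>/dev/null || true
iptables -F SSH-IN
iptables -A SSH-IN -s $net -j ACCEPT
iptables -A SSH-IN -m limit --limit 5/min -j LOG --log-prefix "ssh-denied: "
iptables -A SSH-IN -j DROP
iptables -D INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j SSH-IN 2>/dev/null || true
iptables -I INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j SSH-IN
EOF
}

# Apply the rules, refusing when the operator's own session (sshd exports
# SSH_CLIENT as "<ip> <port> <port>") is outside the range; otherwise the
# operator's next login is the first one to be dropped.
apply_rules() {
    valid_cidr "$1" || return 1
    if [ -n "${SSH_CLIENT:-}" ] && ! in_cidr "${SSH_CLIENT%% *}" "$1"; then
        echo "refusing: this session is from ${SSH_CLIENT%% *}, outside $1" >&2
        return 1
    fi
    ssh_rules "$1" | sh -e
}

# Usage:  sh ssh-lockdown.sh                                  # demo on sample_log
#         grep sshd /var/log/messages | sh ssh-lockdown.sh --offenders 3
#         sh ssh-lockdown.sh 203.0.113.0/24                   # print rules only
#         APPLY=1 sh ssh-lockdown.sh 203.0.113.0/24           # run them as root
case "${1:-}" in
    "")            sample_log | ssh_offenders 3; ssh_rules 203.0.113.0/24 ;;
    --offenders)   ssh_offenders "${2:-3}" ;;
    *)             if [ "${APPLY:-0}" = 1 ]; then apply_rules "$1"; else ssh_rules "$1"; fi ;;
esac
```

Two caveats for anyone using this on a router. These are raw iptables rules, not entries in Vyatta's own configuration, so they are not part of the saved config and will not survive a reboot unless you re-run the script from whatever startup hook you use; Vyatta's firewall configuration is the supported place for the same policy. And a source-range restriction only narrows who can knock on the door: it does not replace Dave's point about changing default passwords and using good ones, nor Daren's plan to stop root logging in over ssh, since the allowed range can itself be compromised.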
