l i n u x - u s e r s - g r o u p - o f - d a v i s
L U G O D
 
Next Meeting:
September 2: Social gathering
Next Installfest:
TBD
Latest News:
Aug. 18: Discounts to "Velocity" in NY; come to tonight's "Photography" talk
Page last updated:
2003 Aug 05 19:33

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Report this post as spam:

(Enter your email address)
Re: [vox-tech] Securing SSH
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [vox-tech] Securing SSH



Thanks for the great suggestions.  Thanks Peter for the good article.  It 
was well laid out and easy to follow.

I will have to look into the rest of the suggestions more.

Thanks,

Dan

> I consider most of these steps pretty paranoid, since ssh is pretty
> secure in the first place (at least the current version anyways).
> 
> Besides the things mentioned by other people:
> 	Do you have physical security?
> 	BIOS and GRUB/LILO passwords might help the casual physical attack
> 	Have only the required ports open, use nmap to verify (locally and
>         remotely).
> 	You are fully patched right?
> 	All non-used user accounts closed
> 	All open accounts have NULL passwords (use ssh-keys for access)
> 	Do you have backups?
> 	Are they secure as well.
> 	Do you need encrypted swap?
> 	Encrypted FS?
> 
> On Fri, Aug 01, 2003 at 11:50:41AM -0700, Daniel Hurt wrote:
> > 
> > I know the title is kind of redundant, but I was curious if there is 
> > anything beyond these couple of steps that I have taken to secure ssh?
> > 
> > First I have edited the /etc/securetty to contain only these entries:
> > tty1
> > tty2
> > tty3
> > tty4
> > tty5
> > tty6
> > 
> > This is to allow root to login from the local console only.  I have 
also 
> > edited the sshd_conf file to disallow root logins.  This box is 
sitting 
> > behind a router that only has port 22 forwarded to this machine and I 
have 
> > setup the router so that it does not respond to ping request from the 
> > outside world.  The final thing, I could think of is to set 
hosts.allow to 
> > the certain IPís that I might connect from, but I would like to 
connect 
> > from anywhere to this machine.  Is there anything else that I might 
> > consider to help keep the machine secure?
> > _______________________________________________
> > vox-tech mailing list
> > vox-tech@lists.lugod.org
> > http://lists.lugod.org/mailman/listinfo/vox-tech
> 
> -- 
> Bill Broadley
> Mathematics
> UC Davis
> _______________________________________________
> vox-tech mailing list
> vox-tech@lists.lugod.org
> http://lists.lugod.org/mailman/listinfo/vox-tech
> 
_______________________________________________
vox-tech mailing list
vox-tech@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox-tech



LinkedIn
LUGOD Group on LinkedIn
Sign up for LUGOD event announcements
Your email address:
facebook
LUGOD Group on Facebook
'Like' LUGOD on Facebook:

Hosting provided by:
Sunset Systems
Sunset Systems offers preconfigured Linux systems, remote system administration and custom software development.

LUGOD: Linux Users' Group of Davis
PO Box 2082, Davis, CA 95617
Contact Us

LUGOD is a 501(c)7 non-profit organization
based in Davis, California
and serving the Sacramento area.
"Linux" is a trademark of Linus Torvalds.

Sponsored in part by:
Appahost Applications
For a significant contribution towards our projector, and a generous donation to allow us to continue meeting at the Davis Library.