
Re: Hardening OpenSSH



Watch where sshd_config lives

If you did an upgrade you may be looking at the wrong sshd_config
file; it may now be /etc/ssh/sshd_config instead of /etc/sshd_config,
and also note that in userland there may be another site-wide
sshd_config file.  See "man sshd".

Another possibility if you know the IP addresses
is to limit ssh to those addresses.

You could also do something like this in /etc/pf.conf if using pf:
after blocking all, pass only ssh from limited addresses.

# pass in ssh TCP connections only from our networks
pass in on $ext_if proto tcp from { 65.35.32.111/32, 10.0.1.0/24} to any port ssh keep state


probably more elegant ways to do it...



On Fri, 28 Jun 2002, OpenBSD-lists wrote:

> Date: Fri, 28 Jun 2002 10:57:12 -0400
> From: OpenBSD-lists <openbsd-lists_(_at_)_encipher_(_dot_)_net>
> To: Mailing Lists <DUBBS-lists_(_at_)_cfl_(_dot_)_rr_(_dot_)_com>, misc_(_at_)_openbsd_(_dot_)_org
> Subject: Re: Hardening OpenSSH
>
> I always turn off PermitRootLogin in the /etc/sshd_config file.
> PermitRootLogin no
>
> Cheers,
>
> John Hines
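
The two points in the thread (which sshd_config is actually in force, and
whether PermitRootLogin is really off) can be checked with a small audit
script. The one below is an added example, not code from either poster; it
looks for the config in the two locations named above, and reads the value
the way sshd_config(5) says sshd does: for each keyword the first value read
wins, comments are ignored, and anything after a "Match" line applies only
to matching connections, so it is not a global setting. The sample config
files it creates are constructed for the example, and the word "unset" is
this script's own label for "keyword not present, compiled-in default
applies".

```shell
#!/bin/sh
# Added example: audit PermitRootLogin in an sshd_config the way sshd reads it.

# Print the path of the sshd_config sshd is likely using: the newer location
# /etc/ssh/sshd_config first, then the older /etc/sshd_config.
pick_sshd_config() {
    for f in /etc/ssh/sshd_config /etc/sshd_config; do
        [ -f "$f" ] && { echo "$f"; return 0; }
    done
    return 1
}

# Print the effective global value of KEYWORD in FILE.
# Rules applied (from sshd_config(5)):
#   - keywords are case-insensitive and may be written "Key value" or "Key=value"
#   - the FIRST value read wins, later duplicates are ignored
#   - comment and blank lines are skipped
#   - lines after "Match" are conditional, so they are not counted as global
# Prints "unset" (this script's own label) when the keyword never appears.
effective_sshd_option() {
    file=$1
    keyword=$2
    awk -v kw="$keyword" '
        {
            line = $0
            gsub(/=/, " ", line)        # accept the "Key=value" spelling
            n = split(line, f)
        }
        n == 0 || substr(f[1], 1, 1) == "#" { next }
        tolower(f[1]) == "match" { in_match = 1; next }
        in_match { next }
        !found && tolower(f[1]) == tolower(kw) { print f[2]; found = 1 }
        END { if (!found) print "unset" }
    ' "$file"
}

# Return 0 only if root logins are disabled outright ("no"); anything else
# (yes, without-password/prohibit-password, forced-commands-only, unset)
# returns 1 so it gets reviewed.
check_permit_root_login() {
    val=$(effective_sshd_option "$1" PermitRootLogin)
    case "$val" in
        no) return 0 ;;
        *)  return 1 ;;
    esac
}

# Constructed sample configs (not real host files) to exercise the rules.
SAMPLE_CFG=$(mktemp)
LAX_CFG=$(mktemp)
trap 'rm -f "$SAMPLE_CFG" "$LAX_CFG"' EXIT

cat > "$SAMPLE_CFG" <<'EOF'
# constructed sample: commented value, duplicate, and a Match block
Port 22
#PermitRootLogin yes
PermitRootLogin no
PermitRootLogin yes
Match Address 10.0.1.0/24
    PermitRootLogin yes
EOF

cat > "$LAX_CFG" <<'EOF'
# constructed sample: lowercase keyword written with "="
permitrootlogin = yes
EOF

# On a real host, replace the two sample paths with "$(pick_sshd_config)".
for cfg in "$SAMPLE_CFG" "$LAX_CFG"; do
    if check_permit_root_login "$cfg"; then
        echo "$cfg: PermitRootLogin no (ok)"
    else
        echo "$cfg: PermitRootLogin is '$(effective_sshd_option "$cfg" PermitRootLogin)' (review)"
    fi
done
```

The duplicate "PermitRootLogin yes" in the first sample is deliberate: because
sshd keeps the first value, the file still disables root login, while the
same line appended *before* the "no" would silently re-enable it, which is
exactly the kind of thing an upgrade that leaves two config files behind can
hide.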


