Re: Securing SSH

["Jude Naidoo" <jude007 () jnaidoo fsnet co uk>]

Hi Roland

SSH is quite secure in terms of disallowing eve's dropping.

Depending on your version of SSH, you should have a file called'
allowed.hosts' or 'hosts.allowed', or something similar that contains ip
addresses of host that ssh will allow to access the server on port 22.
What you also want to do is disallow root access. Rather create users and
allow them to su to root. It makes it more difficult to guess user names and
passwords if an allowed host is compromised or a malicious user uses an ip
address allowed to connect to your servers. If root access is allowed, half
the job is done. Now all he has to do is guess passwords.

If engineers are dialling in from home, have them go through a locked down
staging server.

Just my 2cents worth..

Jude



----- Original Message ----- 
From: "Roland Venter" <rolandv () xtra co nz>
To: <security-basics () securityfocus com>
Sent: Friday, January 09, 2004 11:53 PM
Subject: Securing SSH


> I need to manage several servers remotely via SSH, I'm interested in ways
to
> secure the connection and prevent unauthorised access.
>
> My thoughts:
> Limit access to only allow remote connections from our management network
> via iptables rules. Works but what if our ISP changes our fixed IP, which
> means we are effectively locked out from all the servers and requires a
site
> visit to update the rules.
>
> We also need to provide access to engineers working from home using
dialup,
> etc
>
> Some sort of client certificates to supplement username and password,
>
> Recommendations on securing the SSH daemon etc
>
> Any ideas and tips or random thoughts appreciated
>
> Cheers,
> Roland
>
>
>
>
>
>
> --------------------------------------------------------------------------
-
> Ethical Hacking at InfoSec Institute. Mention this ad and get $720 off any
> course! All of our class sizes are guaranteed to be 10 students or less.
> We provide Ethical Hacking, Advanced Ethical Hacking, Intrusion
Prevention,
> and many other technical hands on courses.
> Visit us at http://www.infosecinstitute.com/securityfocus to get $720 off
> any course!
> --------------------------------------------------------------------------
--
>



---------------------------------------------------------------------------
Ethical Hacking at InfoSec Institute. Mention this ad and get $720 off any 
course! All of our class sizes are guaranteed to be 10 students or less. 
We provide Ethical Hacking, Advanced Ethical Hacking, Intrusion Prevention, 
and many other technical hands on courses. 
Visit us at http://www.infosecinstitute.com/securityfocus to get $720 off 
any course!  
----------------------------------------------------------------------------