[vox-tech] Securing SSH

[Bill Broadley]

I consider most of these steps pretty paranoid, since ssh is pretty
secure in the first place (at least the current version anyways).

Besides the things mentioned by other people:
	Do you have physical security?
	BIOS and GRUB/LILO passwords might help the casual physical attack
	Have only the required ports open, use nmap to verify (locally and
        remotely).
	You are fully patched right?
	All non-used user accounts closed
	All open accounts have NULL passwords (use ssh-keys for access)
	Do you have backups?
	Are they secure as well.
	Do you need encrypted swap?
	Encrypted FS?

On Fri, Aug 01, 2003 at 11:50:41AM -0700, Daniel Hurt wrote:
> 
> I know the title is kind of redundant, but I was curious if there is 
> anything beyond these couple of steps that I have taken to secure ssh?
> 
> First I have edited the /etc/securetty to contain only these entries:
> tty1
> tty2
> tty3
> tty4
> tty5
> tty6
> 
> This is to allow root to login from the local console only.  I have also 
> edited the sshd_conf file to disallow root logins.  This box is sitting 
> behind a router that only has port 22 forwarded to this machine and I have 
> setup the router so that it does not respond to ping request from the 
> outside world.  The final thing, I could think of is to set hosts.allow to 
> the certain IP’s that I might connect from, but I would like to connect 
> from anywhere to this machine.  Is there anything else that I might 
> consider to help keep the machine secure?
> _______________________________________________
> vox-tech mailing list
> vox-tech@lists.lugod.org
> http://lists.lugod.org/mailman/listinfo/vox-tech

-- 
Bill Broadley
Mathematics
UC Davis