[vox-tech] Securing SSH

Daniel Hurt vox-tech@lists.lugod.org
Mon, 4 Aug 2003 22:22:06 -0700 (PDT) 

Thanks for the great suggestions.  Thanks Peter for the good article.  It 
was well laid out and easy to follow.

I will have to look into the rest of the suggestions more.

Thanks,

Dan

> I consider most of these steps pretty paranoid, since ssh is pretty
> secure in the first place (at least the current version anyways).
> 
> Besides the things mentioned by other people:
> 	Do you have physical security?
> 	BIOS and GRUB/LILO passwords might help the casual physical attack
> 	Have only the required ports open, use nmap to verify (locally and
>         remotely).
> 	You are fully patched right?
> 	All non-used user accounts closed
> 	All open accounts have NULL passwords (use ssh-keys for access)
> 	Do you have backups?
> 	Are they secure as well.
> 	Do you need encrypted swap?
> 	Encrypted FS?
> 
> On Fri, Aug 01, 2003 at 11:50:41AM -0700, Daniel Hurt wrote:
> > 
> > I know the title is kind of redundant, but I was curious if there is 
> > anything beyond these couple of steps that I have taken to secure ssh?
> > 
> > First I have edited the /etc/securetty to contain only these entries:
> > tty1
> > tty2
> > tty3
> > tty4
> > tty5
> > tty6
> > 
> > This is to allow root to login from the local console only.  I have 
also 
> > edited the sshd_conf file to disallow root logins.  This box is 
sitting 
> > behind a router that only has port 22 forwarded to this machine and I 
have 
> > setup the router so that it does not respond to ping request from the 
> > outside world.  The final thing, I could think of is to set 
hosts.allow to 
> > the certain IP’s that I might connect from, but I would like to 
connect 
> > from anywhere to this machine.  Is there anything else that I might 
> > consider to help keep the machine secure?
> > _______________________________________________
> > vox-tech mailing list
> > vox-tech@lists.lugod.org
> > http://lists.lugod.org/mailman/listinfo/vox-tech
> 
> -- 
> Bill Broadley
> Mathematics
> UC Davis
> _______________________________________________
> vox-tech mailing list
> vox-tech@lists.lugod.org
> http://lists.lugod.org/mailman/listinfo/vox-tech
>