November 2007
Beginner
642 pages
15h 43m
English
Content preview from Linux Networking CookbookBecome an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.
7.7. Hardening OpenSSH
Problem
You are concerned about security threats, both from the inside and the outside. You are concerned about brute-force attacks on the root account, and you want to restrict users to prevent mischief, whether accidental or deliberate. What can do you to make sure OpenSSH is as hardened as it can be?
Solution
OpenSSH is pretty tight out of the box. There are some refinements you can make; take a look at the following steps and tweak to suit your needs. First, fine-tune /etc/sshd_config with these restrictive directives:
ListenAddress 12.34.56.78 PermitRootLogin no Protocol 2 AllowUsers carla foober@bumble.com lori meflin AllowGroups admins
You may want the SSH daemon to listen on a different port:
Port 2222
Or, you can configure OpenSSH to disallow password logins, and require all users to have identity keys with this line in /etc/sshd_config:
PasswordAuthentication no
Finally, configure iptables to filter traffic, blocking all but authorized bits (see Chapter 3).
Discussion
Specifying the interfaces that the SSH daemon is to listen to and denying root logins, are basic, obvious precautions.
Protocol 2 means your server
will only allow SSH-2 logins, and will reject SSH-1. SSH-1 is old enough, and has enough weaknesses,
that it really isn't worth the risk of using it. SSH-2 has been around
for several years, so there is no reason to continue using the SSH-1
protocol.
AllowUsers denies logins to all but the listed users. You may use just the login names, or restrict ...
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.
Read now
Unlock full access
More than 5,000 organizations count on O’Reilly
O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.Julian F.
I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.Addison B.
I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.Amir M.
I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.