[CentOS] Security advice, please

jkinz at kinz.org jkinz at kinz.org
Wed Dec 24 14:30:26 UTC 2008


Top posting to ask a question regarding the article below:

Hi Warren, Nice explanation.  I would like to ask what you
recommend people do if they want to be able to ssh in from 
anywhere on the internet. Say they are going to be traveling and
they know they will have to login from machines they have no
control over, like an internet cafe or a Hotel's business
services suite? 

On Tue, Dec 23, 2008 at 08:38:17AM -0700, Warren Young wrote:
> I agree, though the default CentOS sshd configuration requires some 
> tightening down to trust it on Internet-facing servers, IMHO:
> 
> 1. In /etc/ssh/sshd_config, set "PasswordAuthentication no".  No matter 
> how good your password, it isn't as good as using keys.  Remember, 
> forwarding ssh opens it to pounding 24x7 from any of the millions on 
> zombie boxes on the Internet.
> 
> 2. On the machine(s) that you want to allow logins from, run "ssh-keygen 
> -t rsa" to generate a key pair, if you haven't already.  Then copy the 
> contents of ~/.ssh/id-rsa.pub into ~/.ssh/authorized_keys on your home 
> server.  These keys are used to authenticate the remote system, in lieu 
> of a password or physical token.  You could put these keys on a USB 
> stick instead, if you didn't want to keep them permanently on the remote 
> hosts.
> 
> 3. Disable SSHv1 protocol support in /etc/ssh/sshd_config: "Protocol 2", 
> not "Protocol 2,1".  SSHv1 has known weaknesses.  Boggles my mind that 
> it's still enabled by default....
> 
> 4. Same file, set "PermitRootLogin no" if it isn't already.
> 
> (Aside: I also like to set up sudo with one account allowed to do 
> anything, then lock the root account, so the only way to get root access 
> is to log in as a regular user then sudo up, reducing the risk of 
> passwordless keys.)
> 
> Having done all this, you're ready to allow remote access:
> 
> 5. In your router, forward a high-numbered port to 22 on the server.  If 
> it's not smart enough to use different port numbers on either side, you 
> can change the sshd configuration so it listens on a different port 
> instead.  I like to use 22022 for this.
> 
> This is *not* security through obscurity.  It's simply a way to reduce 
> the amount of log spam you have to dig through when monitoring your 
> system's behavior.  Everything that appears in your logs should be 
> *interesting*.  Constant port knocking from worms and script kiddies is 
> not interesting.
> 
> In case you've not done ssh tunelling, Anne, the command that does what 
> you want, having done all the above is:
> 
> 	$ ssh -p22022 -L10143:my.server.com:143 anne at my.server.com
> 
> This sets up port 10143 on the local system to be redirected through the 
> ssh session to the IMAP port on your home server.  You don't want to 
> redirect 143 to 143 because that would require you to run ssh as root. 
> It also prevents you from using this on a system that itself has an IMAP 
> server.
> 
> With the tunnel up, you can set up your mail client to connect to port 
> 10143 on localhost, and you'll be looking at your remote mail server.
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos

-- 


More information about the CentOS mailing list