Ned Slider wrote:
Chris Boyd wrote:
You can keep compromised accounts from logging in via ssh with the "AllowUsers" option in your /etc/ssh/sshd_config file. Add that option followed by a list of user names that you want to be able to log in, ex:
# Only let Fred Guru and Joe Admin in, block anyone
# else even if they have a valid password.
AllowUsers fred joe
And you should also set "PermitRootLogin no" while you are in sshd_config.
Be sure to do a "service sshd restart" after you change the file, and do a test login _before_ you log out of your current session. Saves cursing and late night drives to remote servers in case sshd barfs somehow :-)
--Chris
Nice tip - AllowUsers added to the Wiki page on securing SSH:
http://wiki.centos.org/HowTos/Network/SecuringSSH
Thanks!
Ned
I don't have many clients that actually need or use ssh. I control it via hosts.allow and hosts.deny.
For instance:
cat hosts.deny
#
# hosts.deny    This file describes the names of the hosts which are
#               *not* allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow. In particular
# you should know that NFS uses portmap!
sshd : ALL
cat hosts.allow
#
# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
sshd : 192.555.555. : allow
sshd : 192.555.55.555 : allow
sshd : localhost : allow
Of course the IP addresses have been changed to protect the......
In hosts.allow, the first line is an example of opening sshd to any IP address in that class C. The second line is an example for specific IP addresses, and the third is for localhost (I don't remember why I needed to add that, but it was for an internal program).
John Hinton
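An added example, not code from any of the posters above, covering both tips in this thread: Chris's AllowUsers / PermitRootLogin settings and John's hosts.allow / hosts.deny rules. The first pair of functions reads the value sshd will actually use for a keyword, which matters because sshd takes the first uncommented occurrence of a keyword and ignores later ones, so appending "PermitRootLogin no" to a file that already says "PermitRootLogin yes" higher up changes nothing. The second set emulates the order in which tcp_wrappers consults hosts.allow and hosts.deny, for just the pattern forms the posted files use (ALL, an exact host or address, a "192.0.2." network prefix, a ".domain" suffix); it is not libwrap, and LOCAL, KNOWN, netmask and EXCEPT forms are left out. The sample files are constructed here, with RFC 5737 documentation addresses standing in for the altered ones in the post, and all function names are mine.

```shell
#!/bin/sh
# Added example for this thread (not code from any of the posters).
#   sshd_config_value / audit_sshd_config : effective PermitRootLogin and
#       AllowUsers, honouring sshd's first-occurrence-wins rule.
#   wrappers_decide : tcp_wrappers evaluation (hosts.allow, then hosts.deny,
#       then allow) for the client patterns used in the posted files.
# Sample files below are constructed; addresses are from RFC 5737 ranges.

set -f   # no pathname expansion while rule lines are split with "set --"

# sshd_config_value FILE KEYWORD: print the value sshd would use for KEYWORD.
# Keywords are case-insensitive.  Only the "Keyword value" form is handled
# (not "Keyword=value").  Reading stops at the first Match block because the
# lines after it are conditional.  Prints nothing when the keyword is unset,
# in which case the compiled-in default applies (it varies by OpenSSH version).
sshd_config_value() {
    awk -v kw="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == "match"      { exit }
        tolower($1) == kw {
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "")   # drop keyword
            print; exit                                          # first wins
        }' "$1"
}

# audit_sshd_config FILE: 0 if root logins are off and an AllowUsers list exists.
audit_sshd_config() {
    rc=0
    prl=$(sshd_config_value "$1" PermitRootLogin | tr 'A-Z' 'a-z')
    if [ "$prl" != no ]; then
        echo "FAIL $1: PermitRootLogin is '${prl:-unset}', expected 'no'"; rc=1
    fi
    users=$(sshd_config_value "$1" AllowUsers)
    if [ -z "$users" ]; then
        echo "FAIL $1: no AllowUsers line, any account with a valid password may log in"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK   $1: PermitRootLogin no, AllowUsers $users"
    return "$rc"
}

# pattern_matches PATTERN CLIENT: ALL, exact match, "a.b.c." prefix, ".dom" suffix.
pattern_matches() {
    case "$1" in
        ALL) return 0 ;;
        *.)  case "$2" in "$1"*) return 0 ;; esac ;;   # network prefix
        .*)  case "$2" in *"$1") return 0 ;; esac ;;   # domain suffix
        *)   [ "$1" = "$2" ] && return 0 ;;
    esac
    return 1
}

# match_file FILE DAEMON CLIENT DEFAULT: print the verdict of the first rule
# whose daemon list and client list both match, or nothing if none matches.
# The verdict is DEFAULT unless the rule's option field says allow or deny.
match_file() {
    file=$1; daemon=$2; client=$3; default=$4
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                                   # strip comments
        [ -n "$(printf '%s' "$line" | tr -d '[:space:]')" ] || continue
        old_ifs=$IFS; IFS=:; set -- $line; IFS=$old_ifs     # split on ':'
        dlist=$1; clist=$2; opt=$(printf '%s' "${3:-}" | tr -d '[:space:]')
        dmatch=0
        for d in $dlist; do
            if [ "$d" = ALL ] || [ "$d" = "$daemon" ]; then dmatch=1; fi
        done
        [ "$dmatch" -eq 1 ] || continue
        for c in $clist; do
            if pattern_matches "$c" "$client"; then
                case "$opt" in allow|deny) echo "$opt" ;; *) echo "$default" ;; esac
                return 0
            fi
        done
    done < "$file"
    return 0
}

# wrappers_decide ALLOW_FILE DENY_FILE DAEMON CLIENT: prints allow or deny.
wrappers_decide() {
    v=$(match_file "$1" "$3" "$4" allow)
    [ -n "$v" ] || v=$(match_file "$2" "$3" "$4" deny)
    echo "${v:-allow}"
}

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Constructed sshd_config that looks hardened at the bottom but is not:
# the first PermitRootLogin wins, and AllowUsers is still commented out.
SAMPLE_WEAK=$SAMPLE_DIR/sshd_config.weak
printf '%s\n' 'Port 22' 'PermitRootLogin yes' '#AllowUsers fred joe' \
    'PermitRootLogin no' > "$SAMPLE_WEAK"
# Constructed sshd_config with the two settings from the thread applied.
SAMPLE_GOOD=$SAMPLE_DIR/sshd_config.good
printf '%s\n' 'Port 22' '# Only let Fred Guru and Joe Admin in' \
    'AllowUsers fred joe' 'PermitRootLogin no' > "$SAMPLE_GOOD"
# Constructed hosts.allow / hosts.deny in the shape of the posted ones.
SAMPLE_ALLOW=$SAMPLE_DIR/hosts.allow
printf '%s\n' 'sshd : 192.0.2. : allow' 'sshd : 198.51.100.7 : allow' \
    'sshd : localhost : allow' > "$SAMPLE_ALLOW"
SAMPLE_DENY=$SAMPLE_DIR/hosts.deny
printf '%s\n' 'sshd : ALL' > "$SAMPLE_DENY"

# Stand-alone run.  Before a real "service sshd restart", also run "sshd -t"
# for a syntax check and keep the current session open until a fresh login works.
audit_sshd_config "$SAMPLE_WEAK" || echo "     (weak sample rejected, as expected)"
audit_sshd_config "$SAMPLE_GOOD"
for ip in 192.0.2.44 198.51.100.7 198.51.100.8 localhost; do
    echo "sshd from $ip: $(wrappers_decide "$SAMPLE_ALLOW" "$SAMPLE_DENY" sshd "$ip")"
done
```

Two caveats the script encodes: run the audit against the file you are about to ship and not just grep for the line you added, since a `PermitRootLogin yes` earlier in the file silently wins; and hosts.allow / hosts.deny only bind sshd if it was built against libwrap, which `ldd "$(command -v sshd)" | grep libwrap` will show. A daemon the deny file does not name (ftpd in the check below) falls through to the default of allow, so `sshd : ALL` in hosts.deny protects sshd only.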