Ned Slider wrote:
> Chris Boyd wrote:
>
>> You can keep compromised accounts from logging in via ssh with the
>> "AllowUsers" option in your /etc/ssh/sshd_config file. Add that
>> option followed by a list of user names that you want to be able to
>> log in, ex:
>>
>> # Only let Fred Guru and Joe Admin in, block anyone
>> # else even if they have a valid password.
>> AllowUsers fred joe
>>
>> And you should also set "PermitRootLogin no" while you are in
>> sshd_config.
>>
>> Be sure to do a "service sshd restart" after you change the file, and
>> do a test login _before_ you log out of your current session. Saves
>> cursing and late night drives to remote servers in case sshd barfs
>> somehow :-)
>>
>> --Chris
>>
>
> Nice tip - AllowUsers added to the Wiki page on securing SSH:
>
> http://wiki.centos.org/HowTos/Network/SecuringSSH
>
> Thanks!
>
> Ned
>

I don't have many clients that actually need or use ssh. I control it via
hosts.allow and hosts.deny. For instance:

cat hosts.deny
#
# hosts.deny    This file describes the names of the hosts which are
#               *not* allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow. In particular
# you should know that NFS uses portmap!

sshd : ALL

cat hosts.allow
#
# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#

sshd : 192.555.555. : allow
sshd : 192.555.55.555 : allow
sshd : localhost : allow

Of course the IP addresses have been changed to protect the......

In hosts.allow, the first line is an example of opening sshd to any IP
address in that class C. The second line is an example for specific IP
addresses, and the third is for localhost (and I don't remember why I
needed to add that, but it was an internal program).

John Hinton
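The two controls discussed in this thread act at different points: tcp_wrappers (hosts.allow / hosts.deny, consulted by sshd through libwrap) decides at connect time, before any authentication, and AllowUsers is enforced by sshd afterwards, during authentication. The POSIX shell script below is an added example, not something posted in the thread or shipped with OpenSSH; it models the hosts_access(5) decision order (hosts.allow first, then hosts.deny, and a client listed in neither is allowed) for the three client patterns used above (ALL, a trailing-dot network prefix, an exact host) on top of tables constructed to mirror John's files, and then applies Chris's AllowUsers list. The 192.555.* addresses are the thread's own placeholders, and the "allow"/"deny" option handling is a simplified reading of the hosts_options(5) extended syntax.

```shell
#!/bin/sh
# Added example: a model of the tcp_wrappers + AllowUsers decision for sshd.
# The tables are constructed to mirror the thread; the 192.555.* addresses
# are the thread's own placeholders, not routable addresses.
HOSTS_ALLOW='# comment and blank lines are ignored, as in the real files
sshd : 192.555.555. : allow
sshd : 192.555.55.555 : allow
sshd : localhost : allow'
HOSTS_DENY='sshd : ALL'
ALLOW_USERS='fred joe'

# match_pattern PATTERN CLIENT: succeeds when a tcpd-style client pattern
# matches. Only the three forms used in the thread are modelled: ALL,
# a trailing-dot network prefix ("192.555.555." covers 192.555.555.0-255),
# and an exact host name or address.
match_pattern() {
    pat=$1; client=$2
    case "$pat" in
        ALL) return 0 ;;
        *.)  case "$client" in "$pat"*) return 0 ;; esac ;;
        *)   [ "$pat" = "$client" ] && return 0 ;;
    esac
    return 1
}

# table_lookup DAEMON CLIENT TABLE: prints the option field of the first
# matching "daemon : client_list [: option]" line ("allow", "deny", or
# "match" when the line carries no option) and succeeds; fails if no
# line matches.
table_lookup() {
    daemon=$1; client=$2; table=$3
    while IFS= read -r line; do
        case "$line" in ''|\#*) continue ;; esac
        d=$(printf '%s\n' "$line" | cut -d: -f1 | tr -d ' ')
        clients=$(printf '%s\n' "$line" | cut -d: -f2)
        opt=$(printf '%s\n' "$line" | cut -d: -f3 | tr -d ' ')
        [ "$d" = "$daemon" ] || [ "$d" = ALL ] || continue
        for pat in $clients; do
            if match_pattern "$pat" "$client"; then
                printf '%s\n' "${opt:-match}"
                return 0
            fi
        done
    done <<EOF
$table
EOF
    return 1
}

# host_decision DAEMON CLIENT: prints allow|deny following hosts_access(5):
# hosts.allow is consulted first, then hosts.deny, and a (daemon, client)
# pair listed in neither file is allowed. That default is why John's
# "sshd : ALL" line in hosts.deny matters: without it, hosts.allow alone
# would block nothing.
host_decision() {
    daemon=$1; client=$2
    if r=$(table_lookup "$daemon" "$client" "$HOSTS_ALLOW"); then
        [ "$r" = deny ] && echo deny || echo allow
        return 0
    fi
    if r=$(table_lookup "$daemon" "$client" "$HOSTS_DENY"); then
        [ "$r" = allow ] && echo allow || echo deny
        return 0
    fi
    echo allow
}

# user_allowed USER: succeeds when USER appears in the AllowUsers list.
user_allowed() {
    for u in $ALLOW_USERS; do [ "$u" = "$1" ] && return 0; done
    return 1
}

# ssh_access USER CLIENT: prints the combined outcome. The wrappers check
# runs first (at connect time); AllowUsers is only reached for clients
# that got through it.
ssh_access() {
    user=$1; client=$2
    [ "$(host_decision sshd "$client")" = allow ] || { echo "deny (hosts.deny)"; return 0; }
    user_allowed "$user" || { echo "deny (AllowUsers)"; return 0; }
    echo allow
}

# Stand-alone demo: walk a few constructed (user, client) pairs through both checks.
for attempt in 'fred 192.555.555.7' 'joe 192.555.55.555' 'root 192.555.555.7' 'fred 10.0.0.5'; do
    set -- $attempt
    printf '%-6s from %-16s -> %s\n' "$1" "$2" "$(ssh_access "$1" "$2")"
done
```

Two practical caveats follow from the model. First, the hosts.deny line only names sshd, so any other wrapped service on the box keeps the default-allow behaviour unless it gets its own entry (or a catch-all "ALL : ALL"). Second, hosts.allow only does anything for an sshd linked against libwrap; upstream OpenSSH dropped tcp_wrappers support in 6.7, so on newer systems the same host restriction belongs in firewall rules or a "Match Address" block in sshd_config. Either way, "sshd -t" checks the sshd_config syntax before the restart that Chris warns about.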