[CentOS] Securing SSH
Ray Van Dolson
rayvd at bludgeon.org
Tue Mar 25 17:24:14 UTC 2008
>> 1. Change the default port
> I could do that, but if they already know about it, a simple port scan and
> they'll probably find it again. Plus I gotta go tell all my client
> programs the new port and I don't know how to do that on most of them (what
> a hassle).
If you're talking about people who are just scanning your machine and
then doing brute force on the port, changing the port likely will solve
that since these are just automated robots. A human might actually do
a portscan, but just a port change will probably stop your security
logs from going crazy.
Of course the hassle part may be a show-stopper here. :)
>> 2. use only SSH protocol 2
> got it.
>> 3. Install some brute force protection which can automatically ban an IP
>> on say 5 / 10 failed login attempts
> The only software I know that could do this isn't supported anymore
> (trisentry) or is too confusing and I don't know it yet (snort).
> Suggestions?
denyhosts is pretty widely used. You could probably also make use of
iptables.
>> 4. ONLY allow SSH access from your IP, if it's static. Or signup for a
>> DynDNS account, and then only allow SSH access from your DynDNS domain
>>
> Yeah my home account is on dynamic IP. I'd love to set up the firewall to
> only allow my home computer. You're talking about these guys?
> http://www.dyndns.com/ never used them before, but it looks like a good
> idea. Especially since it's free (for 5 hosts) if I read correctly.
Ray
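As an added example that is not part of the original thread: the ban-after-N-failures idea from point 3, done denyhosts-style in Python over constructed sshd log lines (the hosts, IPs, user names and threshold are all made up for the example). It counts "Failed password" entries per source IP, skips an allow-listed static address as in point 4, and emits the /etc/hosts.deny lines that tcp_wrappers reads for sshd.

```python
import re
from collections import Counter

# Regex for the "Failed password" line sshd writes to /var/log/secure on CentOS.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed sample log lines (not real data): one host hammering root/admin,
# plus one typo and one successful key login from a trusted address.
SAMPLE_LOG = """\
Mar 25 10:01:02 web1 sshd[2101]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
Mar 25 10:01:04 web1 sshd[2103]: Failed password for root from 192.0.2.10 port 51240 ssh2
Mar 25 10:01:06 web1 sshd[2105]: Failed password for root from 192.0.2.10 port 51244 ssh2
Mar 25 10:01:08 web1 sshd[2107]: Failed password for invalid user test from 192.0.2.10 port 51250 ssh2
Mar 25 10:01:10 web1 sshd[2109]: Failed password for root from 192.0.2.10 port 51255 ssh2
Mar 25 10:02:00 web1 sshd[2120]: Failed password for ray from 198.51.100.7 port 40000 ssh2
Mar 25 10:02:09 web1 sshd[2122]: Accepted publickey for ray from 198.51.100.7 port 40001 ssh2
"""


def count_failures(log_text):
    """Return a Counter of failed-password attempts per source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def ips_to_ban(log_text, threshold=5, allow=()):
    """Source IPs at or above the threshold, minus allow-listed (e.g. static home) IPs."""
    counts = count_failures(log_text)
    return sorted(ip for ip, n in counts.items() if n >= threshold and ip not in allow)


def hosts_deny_entries(ips):
    """Lines in the /etc/hosts.deny syntax that tcp_wrappers (and denyhosts) use."""
    return ["sshd: %s" % ip for ip in ips]


if __name__ == "__main__":
    banned = ips_to_ban(SAMPLE_LOG, threshold=5, allow={"198.51.100.7"})
    print("\n".join(hosts_deny_entries(banned)))
```

In practice denyhosts does this continuously against /var/log/secure and appends the entries to /etc/hosts.deny itself; the same per-IP counting is what an iptables `recent`-based rule does in the kernel instead.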