[CentOS] Securing SSH

Tony Placilla aplacil1 at jhuadig.admin.jhu.edu
Tue Mar 25 18:42:29 UTC 2008

Tony Placilla <bofh at jhu.edu>
Sr. UNIX Systems Administrator
The Sheridan Libraries
Johns Hopkins University

>>> On Tue, Mar 25, 2008 at 12:48 PM, in message <47E92CD1.3060804 at msiscales.com>,
Tim Alberts <talberts at msiscales.com> wrote: 
> So I set up ssh on a server so I could do some work from home and I think 
> the second I opened it every sorry monkey from around the world has been 
> trying every account name imaginable to get into the system.
> 
> What's a good way to deal with this?
> 

I am subject to this on an all too frequent basis. Here's what we've put in place that seems to work.

DenyHosts. It's available through the rpmforge (or Dag's) repo.
Just be sure you edit the config to allow SYNC_DOWNLOAD & create an appropriate allowed.hosts file based upon your needs.

sshd in protocol 2 
privilege separation 
no root logins

and a nifty little PAM trick is to create a group called ssh_users & those that should be able to access the server are put into that as their supplementary group. Edit sshd_config & add
AllowGroups ssh_users

it's part & parcel of the whole "layered security" idea


it's cut the noise in my logs down by 99.9%

plus I sleep better :)
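
An added example, not part of the original message: a small audit of an sshd_config against the four settings listed in the reply. It assumes the three items given without a directive name map to the OpenSSH keywords Protocol, UsePrivilegeSeparation and PermitRootLogin; the sample config is constructed.

```shell
#!/bin/sh
# Audit an sshd_config for the settings listed in the post above. Assumption:
# the keywords are Protocol, UsePrivilegeSeparation, PermitRootLogin.

# first_value FILE KEYWORD: value of the first uncommented KEYWORD line in
# the global section. sshd keeps the first value it reads for a keyword,
# and keyword names are case-insensitive.
first_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }                    # comment line
        tolower($1) == "match" { exit }        # global section ends here
        tolower($1) == tolower(key) {
            $1 = ""; sub(/^[ \t]+/, ""); print; exit
        }' "$1"
}

# audit_sshd FILE: print one line per check; exit status = failed checks.
audit_sshd() {
    fails=0
    for want in "Protocol 2" "UsePrivilegeSeparation yes" "PermitRootLogin no"; do
        key=${want% *}
        got=$(first_value "$1" "$key" | tr 'A-Z' 'a-z')
        if [ "$got" = "${want#* }" ]; then
            echo "ok    $want"
        else
            echo "FAIL  $key is '${got:-unset}', want '${want#* }'"
            fails=$((fails + 1))
        fi
    done
    # AllowGroups takes a space-separated list; ssh_users must be on it.
    case " $(first_value "$1" AllowGroups) " in
        *" ssh_users "*) echo "ok    AllowGroups includes ssh_users" ;;
        *) echo "FAIL  AllowGroups does not include ssh_users"
           fails=$((fails + 1)) ;;
    esac
    return "$fails"
}

# Constructed sample: root login left on, group restriction commented out.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# sample sshd_config (constructed)
Protocol 2
UsePrivilegeSeparation yes
PermitRootLogin yes
#AllowGroups ssh_users
EOF
audit_sshd "$sample" || echo "$? setting(s) need attention"
rm -f "$sample"
```

An AllowGroups line placed after a Match block is treated as unset here, because it would not apply to every login.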