Wednesday, July 14, 2010

OpenSSH Security

OpenSSH is the tool administrators use to manage servers. Sometimes people try to break in through it and do a lot of damage, which is very dangerous. Here are a few tricks to secure OpenSSH against such irresponsible people:

1. Use a password that is somewhat complicated but still easy to remember: a combination of numbers, letters and a few symbols.

2. Do not allow the root user to log in.
Because I use Ubuntu: open /etc/ssh/sshd_config, search for PermitRootLogin yes and change it to PermitRootLogin no.
Save, then restart ssh with the command: sudo /etc/init.d/ssh restart

3. Restrict SSH access: open it only to certain IP addresses or networks.
Access can be restricted with TCP Wrappers (hosts.allow, hosts.deny) or with iptables.
Case study: only the network 192.168.44.0/24 and the host 192.168.45.11 should be able to SSH in.
What to do:
edit the file /etc/hosts.deny and add: sshd: all
edit the file /etc/hosts.allow and add:
sshd: 127.0.0.0/255.255.255.0
sshd: 192.168.45.11
sshd: 192.168.44.0/255.255.255.0

Or, if we are using UFW, we can type:
sudo ufw allow proto tcp from 127.0.0.0/24 to any port 22
sudo ufw allow proto tcp from 192.168.45.11 to any port 22
sudo ufw allow proto tcp from 192.168.44.0/24 to any port 22

4. Use DenyHosts
Sometimes people try to get into the server by guessing usernames and passwords.
If they are lucky they get in, and that is usually because the server administrator chose passwords that are too easy.

To prevent this we can use DenyHosts.
Install it with the following command:
sudo apt-get install denyhosts
It is also useful to have its reports sent to you by email: edit the file /etc/denyhosts.conf, search for ADMIN_EMAIL and set it to
ADMIN_EMAIL = airaku22@yahoo.com
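The guessing attempts DenyHosts watches for show up as sshd lines in /var/log/auth.log. The script below is an added example, not part of the original post and not DenyHosts' own code; it reproduces the basic idea on a constructed log excerpt: count failed password attempts per source address and turn the addresses that reach a threshold into hosts.deny entries for review. The log lines, addresses and threshold are all made up for the demonstration.

```shell
#!/bin/sh
# Constructed /var/log/auth.log excerpt (sample data, not from a real server).
SAMPLE_AUTH_LOG='Jul 14 10:01:02 server sshd[2301]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Jul 14 10:01:04 server sshd[2303]: Failed password for root from 203.0.113.5 port 51023 ssh2
Jul 14 10:01:07 server sshd[2305]: Failed password for invalid user test from 203.0.113.5 port 51024 ssh2
Jul 14 10:01:09 server sshd[2307]: Failed password for root from 203.0.113.5 port 51025 ssh2
Jul 14 10:02:11 server sshd[2310]: Failed password for airaku from 192.168.44.7 port 40211 ssh2
Jul 14 10:02:15 server sshd[2310]: Accepted password for airaku from 192.168.44.7 port 40211 ssh2
Jul 14 10:03:01 server sshd[2320]: Failed password for invalid user oracle from 198.51.100.23 port 33001 ssh2
Jul 14 10:03:02 server sshd[2321]: Failed password for invalid user postgres from 198.51.100.23 port 33002 ssh2
Jul 14 10:03:03 server sshd[2322]: Failed password for invalid user git from 198.51.100.23 port 33003 ssh2'

# failed_logins_by_ip LOG_TEXT
# Prints "count ip" for every source address that had a failed password
# attempt, highest count first. Only sshd "Failed password" lines count;
# the "Accepted password" line is ignored.
failed_logins_by_ip() {
    printf '%s\n' "$1" | awk '
        /sshd\[[0-9]+\]: Failed password for / {
            # The source address is the field right after "from".
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (ip in n) print n[ip], ip }' | sort -rn
}

# brute_force_sources LOG_TEXT THRESHOLD
# Prints the addresses whose failed-attempt count reaches THRESHOLD,
# much as DenyHosts decides which hosts to block.
brute_force_sources() {
    failed_logins_by_ip "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# hosts_deny_lines LOG_TEXT THRESHOLD
# Turns the offending addresses into hosts.deny entries for review.
hosts_deny_lines() {
    brute_force_sources "$1" "$2" | sed 's/^/sshd: /'
}

echo "Failed password attempts per source:"
failed_logins_by_ip "$SAMPLE_AUTH_LOG"
echo
echo "Candidate hosts.deny entries (threshold 3):"
hosts_deny_lines "$SAMPLE_AUTH_LOG" 3
```

Run against a real log with `hosts_deny_lines "$(cat /var/log/auth.log)" 5`; the legitimate user who mistyped once (192.168.44.7 in the sample) stays below the threshold, which is exactly why a threshold is used rather than blocking on the first failure.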

5. Change the default SSH port
Edit the file /etc/ssh/sshd_config, search for Port 22 and change it to, say, Port 2000. Save and restart SSH.
To connect, use the ssh command like this: ssh -l airaku -p 2000 192.168.45.11
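Steps 2 and 5 both edit /etc/ssh/sshd_config, and sshd honours only the first occurrence of each keyword, so a stray duplicate further down the file can silently undo a change. The script below is an added example, not from the original post, that checks a constructed sshd_config text for the two settings above (PermitRootLogin and Port) using that first-match rule. The sample config and its values are made up for the demonstration.

```shell
#!/bin/sh
# Constructed sshd_config sample (not the author's file). It deliberately
# contains a duplicate PermitRootLogin further down, which sshd ignores.
SAMPLE_SSHD_CONFIG='# Example sshd_config (constructed for this demo)
Port 2000
#Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication yes
# a later duplicate that sshd would ignore:
PermitRootLogin yes
'

# sshd_effective KEYWORD CONFIG_TEXT
# Prints the effective value of KEYWORD: the first non-comment line whose
# keyword matches (case-insensitive, as sshd matches), or "unset".
sshd_effective() {
    key=$1
    printf '%s\n' "$2" | awk -v key="$key" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == tolower(key) && !found { print $2; found = 1 }
        END { if (!found) print "unset" }'
}

# sshd_audit CONFIG_TEXT
# Prints one line per check, "OK ..." or "FAIL ...".
# Exit status is the number of failed checks (0 means all passed).
sshd_audit() {
    cfg=$1
    fails=0

    root=$(sshd_effective PermitRootLogin "$cfg")
    if [ "$root" = "no" ]; then
        echo "OK   PermitRootLogin is no"
    else
        echo "FAIL PermitRootLogin should be no (is: $root)"
        fails=$((fails + 1))
    fi

    port=$(sshd_effective Port "$cfg")
    # An unset Port means sshd uses the default, 22.
    if [ "$port" = "unset" ]; then
        port=22
    fi
    if [ "$port" = "22" ]; then
        echo "FAIL Port is still the default 22"
        fails=$((fails + 1))
    else
        echo "OK   Port is $port (non-default)"
    fi

    return "$fails"
}

sshd_audit "$SAMPLE_SSHD_CONFIG"
```

On a real system run `sshd_audit "$(cat /etc/ssh/sshd_config)"` after editing and before restarting; if it reports FAIL even though you changed the line, look for an earlier occurrence of the same keyword that is taking precedence.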

6. Regularly update the system
sudo apt-get update && sudo apt-get upgrade

Good luck, and give OpenSSH a try on your server.
