Linux Today: Linux News On Internet Time.

Linux Remote Networking over the Internet (part 3)

Nov 10, 2009, 20:33
(Other stories by Carla Schroder)

"Hardening the OpenSSH Server for Password Logins

"This is easy, just changing a few lines in /etc/ssh/sshd_config:

Port 2022
PermitRootLogin no
AllowUsers [usernames or groups separated by spaces]
ClientAliveInterval 3600

"Remember to restart sshd whenever you change the configuration file. Specifying an alternate port reduces brute-force login attempts by a lot. Yes, everyone knows that this option is available, and no, it wouldn't be very hard to script brute-force attacks to scan for the open SSH port. But they don't, and a side benefit is it cuts down the clutter considerably in your logfiles. You must select an unused port, which you can find in /etc/services. Be sure to enter your alternate SSHD port in this file so you don't forget.

"Never ever permit a root login over the Internet. If you need root privileges, log in as an ordinary user and then su or sudo after logging in. (In the next installment in this series I'll show you how to restrict sudo to specific commands.)"
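
The four settings quoted above only take effect if they are the values sshd actually reads. The following Python check is an added example, not code from the article; the account names and both sample files are constructed. It parses the global section of an sshd_config, applies sshd's rule that the first value read for a keyword is the one used, and reports which of the four settings are not effective.

```python
import re

# Keywords sshd accepts more than once; for all others the first value read wins.
MULTI = {"port", "allowusers", "allowgroups"}

def global_settings(config_text):
    """Parse the global section of an sshd_config into {keyword: [values]}."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1) + [""]
        key, value = parts[0].lower(), parts[1]  # keywords are case-insensitive
        if key == "match":
            break  # Match blocks are conditional overrides, not global settings
        if key in MULTI or key not in settings:
            settings.setdefault(key, []).append(value)
    return settings

def audit(config_text):
    """Return one finding per quoted setting that is not in effect globally."""
    cfg = global_settings(config_text)
    findings = []
    if "22" in cfg.get("port", ["22"]):
        findings.append("Port: still listening on the default port 22")
    if cfg.get("permitrootlogin", [""])[0].lower() != "no":
        findings.append("PermitRootLogin: effective value is not 'no'")
    if not any(cfg.get("allowusers", []) + cfg.get("allowgroups", [])):
        findings.append("AllowUsers: no allow-list of accounts")
    if cfg.get("clientaliveinterval", ["0"])[0] == "0":
        findings.append("ClientAliveInterval: unset or 0, no keepalive checks")
    return findings

# Constructed inputs: the quoted lines with made-up accounts, and a shadowed variant.
HARDENED = """Port 2022
PermitRootLogin no
AllowUsers alice bob
ClientAliveInterval 3600
"""
SHADOWED = """PermitRootLogin yes
Port 2022
permitrootlogin no
AllowUsers alice
Match User alice
    ClientAliveInterval 3600
"""

if __name__ == "__main__":
    print(audit(HARDENED), audit(SHADOWED), sep="\n")
```

On a live host, `sshd -T` prints the effective configuration and also follows Include files, which this parser does not.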
