VNC into 2 computers
IvanLasston wrote (post 1178338):

Securing SSH

Since you asked - I've been planning to write something on ssh and what to do to secure it a little better. I have an ssh server running and found that scripts/bots/hackers constantly try to log in with a username and password. So here are some ideas on what to do.

Here is a pretty good writeup on how to set up ssh on the Mac - I don't use allow users - but I do use rsa_keys. I highly recommend using rsa_keys and turning off password login.
stocksy.co.uk - Mac - SSH on Mac OS X: http://www.stocksy.co.uk/articles/Mac/ssh_on_mac_os_x/

Also, if you can, change the port. This isn't security through obscurity - this is to stop scripts. Basically most scripts look at port 22 and see if there is a response. If there is a response then the script will try to start logging in. This does help cut down on attempts - but shouldn't be your only defense. Secondly - many firewalls allow port 22 out - but not other random ports, so if you are trying to log in from behind a firewall make sure that whatever port you set is allowed out.

[code]
sudo pico /etc/sshd_config
[/code]
Uncomment "#Port 22" by removing the #. You can set the port to whatever number you wish.

Grab MacPorts and install it.
The MacPorts Project -- Home: http://www.macports.org/
Then you can install denyhosts:
[code]
port search denyhosts
port install denyhosts
[/code]
This program will monitor ssh attempts. If too many attempts are made without logging in from the same IP address, it will add that IP address to the /etc/hosts.deny file.

I personally use a Linux server and have iptables set up to drop ssh attempts after 3 attempts. I use this in conjunction with denyhosts.
[code]
sudo iptables -N SSH_CHECK
sudo iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_CHECK
sudo iptables -A SSH_CHECK -m recent --set --name SSH
sudo iptables -A SSH_CHECK -m recent --update --seconds 120 --hitcount 4 --name SSH -j DROP
[/code]

I don't know how to do this in ipfw or on the Mac. Maybe someone else can chime in. Here is more info on ipfw on OS X:
http://www.ibiblio.org/macsupport/ipfw/
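An added example, not part of IvanLasston's post and not code from the denyhosts project: a small Python version of the detection logic denyhosts applies to the sshd log, so you can see what "too many attempts from the same IP" means in practice. It assumes OpenSSH syslog-style auth-log lines, a threshold of 4 failures within 120 seconds (chosen to mirror the hitcount/seconds values in the iptables rule above), and the `sshd: IP` line format that TCP wrappers read from /etc/hosts.deny. The log lines are constructed for the example.

```python
"""Sliding-window SSH brute-force detector in the spirit of denyhosts.

Added example; not from the original post or the denyhosts project.
It parses OpenSSH "Failed password" / "Invalid user" auth-log lines,
counts failures per source IP inside a time window, and emits the
/etc/hosts.deny entries a tool like denyhosts would write. The
threshold and window (4 failures in 120 s) are assumptions chosen to
mirror the iptables rule in the post (--hitcount 4 --seconds 120).
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample auth log in syslog format (not real traffic).
# 203.0.113.7 hammers the server, 198.51.100.9 mistypes once and then
# succeeds with a key, 192.0.2.44 tries slowly (one attempt per minute).
SAMPLE_AUTH_LOG = """\
Mar  3 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar  3 10:00:03 host sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Mar  3 10:00:05 host sshd[1203]: Invalid user test from 203.0.113.7 port 51041
Mar  3 10:00:07 host sshd[1204]: Failed password for root from 203.0.113.7 port 51055 ssh2
Mar  3 10:00:09 host sshd[1205]: Failed password for ivan from 198.51.100.9 port 40001 ssh2
Mar  3 10:00:10 host sshd[1205]: Accepted publickey for ivan from 198.51.100.9 port 40001 ssh2
Mar  3 10:30:00 host sshd[1301]: Failed password for root from 192.0.2.44 port 60000 ssh2
Mar  3 10:31:00 host sshd[1302]: Failed password for root from 192.0.2.44 port 60001 ssh2
Mar  3 10:32:00 host sshd[1303]: Failed password for root from 192.0.2.44 port 60002 ssh2
Mar  3 10:40:00 host sshd[1304]: Failed password for root from 192.0.2.44 port 60003 ssh2
"""

# syslog prefix: "<Mon> <day> <HH:MM:SS> <host> sshd[<pid>]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: (?P<msg>.*)$"
)

# The two sshd messages counted as a failed attempt.
FAIL_RES = (
    re.compile(r"^Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"),
    re.compile(r"^Invalid user \S+ from (?P<ip>[\d.]+) port \d+"),
)


def parse_failure(line):
    """Return (timestamp, source_ip) for a failed-login line, else None.

    Syslog timestamps carry no year; strptime fills in 1900, which is
    fine because only differences between timestamps are used.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    for rx in FAIL_RES:
        f = rx.match(m.group("msg"))
        if f:
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            return ts, f.group("ip")
    return None


def find_offenders(log_text, threshold=4, window_seconds=120):
    """Map each IP that reaches `threshold` failures inside a sliding
    window of `window_seconds` to the timestamp at which it crossed it."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    banned = {}
    for line in log_text.splitlines():
        event = parse_failure(line)
        if event is None:
            continue
        ts, ip = event
        if ip in banned:          # already on the deny list, nothing to do
            continue
        window = recent[ip]
        window.append(ts)
        # Drop failures older than the window before counting.
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            banned[ip] = ts
    return banned


def hosts_deny_entries(banned):
    """Render the TCP-wrappers lines a denyhosts-like tool appends to /etc/hosts.deny."""
    return [f"sshd: {ip}" for ip in sorted(banned)]


if __name__ == "__main__":
    offenders = find_offenders(SAMPLE_AUTH_LOG)
    for ip, when in offenders.items():
        print(f"{ip} crossed the threshold at {when.strftime('%H:%M:%S')}")
    print("\n".join(hosts_deny_entries(offenders)))
```

With the sample log only 203.0.113.7 is listed: the slow attacker at 192.0.2.44 never has four failures inside any 120-second window, which is exactly the gap the post means by "shouldn't be your only defense". Widening the window (for instance `window_seconds=3600`) catches it, at the cost of banning a legitimate user who fumbles a password four times in an hour, so key-only authentication remains the control that actually closes the door.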