You may also run SSH on a custom port (for example Port 50522).
__________________
religions, worst damnation of mankind "If 386BSD had been available when I started on Linux, Linux would probably never had happened." Linus Torvalds Linux is not UNIX! Face it! It is not an insult. It is fact: GNU is a recursive acronym for “GNU's Not UNIX”. vermaden's: links resources deviantart spreadbsd
Yes, I agree with vermaden. It really helps if you change the default ssh port number, since almost anyone trying to brute force the machine will be trying the default port; if that person doesn't know your ssh port number, then there's not much left to do.
You can also use nmap to scan all 1-65536 ports of any server, which will tell you what you run on what port.
Quote:
Now, if someone was targeting you alone... then sure, they could find it, but at the same time it would lower the amount of automated brute forces. (i.e: polluted logs.)
Yeah, a port other than 22 makes a lot less useless junk in the ssh logs.
Correct me if I'm wrong, but you can use the firewall to block scans and pings to your computer.
Yes, it is possible to block only nmap packets with specific SYN or ACK flags; if you google for that you will find whole howtos on how to do that.
In addition to anomie's post, it is *invaluable* to install the denyhosts scripts, especially if it is necessary for you to open the ssh service to the public internet.
It is available from the ports: /usr/ports/security/denyhosts. It blocks ssh user dictionary probes or other evil actions using tcpwrappers. I personally have configured denyhosts to use my pf firewall as well, which populates a related table with the attackers' IPs. I am very satisfied with denyhosts; it blocks a dozen attackers daily.
I'm having trouble disabling password login on a new box. I'd like to make it public key-only, but having little luck. I've posted my ssh_config at http://pastebin.com/ma14d820. Any ideas? Thanks.
And I'm an idiot. /etc/sshd_config, not /etc/ssh_config. Sorry to bother.
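As an added example (not code from this thread or from any poster), here is a small Python audit of an sshd_config for the points raised above: a Port other than 22, PasswordAuthentication no for key-only login, and keyboard-interactive auth also disabled. The two sample configs are constructed for the demonstration; the port number 50522 is the one mentioned earlier in the thread.

```python
# Audit an sshd_config for the settings discussed above: non-default Port and key-only login.
import re

# sshd(8) uses the first value it reads for most keywords (Port may appear more than
# once) and keywords after a Match line are conditional, so only the global section is audited.
def parse_sshd_config(text):
    settings, ports = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # 'Key val' or 'Key = val'
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        if key == "port":
            ports.append(value)
        else:
            settings.setdefault(key, value)
    settings["port"] = ports or ["22"]  # default when no Port line is given
    return settings

def audit_sshd_config(text):
    """Return a list of findings; an empty list means every check passed."""
    s = parse_sshd_config(text)
    findings = []
    if "22" in s["port"]:
        findings.append("sshd listens on the default port 22")
    if s.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication is not set to no")
    # keyboard-interactive auth (ChallengeResponseAuthentication in older
    # releases) can still take a password through PAM, so it must be off too
    kbd = s.get("kbdinteractiveauthentication",
                s.get("challengeresponseauthentication", "yes"))
    if kbd.lower() != "no":
        findings.append("keyboard-interactive authentication is still enabled")
    if s.get("pubkeyauthentication", "yes").lower() != "yes":
        findings.append("PubkeyAuthentication is disabled")
    return findings

# Constructed sample configs (not taken from any real host).
DEFAULT_CONFIG = "#Port 22\n#PasswordAuthentication yes\n"
HARDENED_CONFIG = """Port 50522
PubkeyAuthentication yes
PasswordAuthentication = no
ChallengeResponseAuthentication no
Match Address 192.0.2.0/24
    PasswordAuthentication yes
"""
```

Run `audit_sshd_config(open("/etc/ssh/sshd_config").read())` against the server-side file (sshd_config, not the client's ssh_config) to see which of the three hardening steps are still missing.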