[olug] Help w/ my server

David Cannon medaveduh at gmail.com
Mon Jul 23 22:03:55 UTC 2012


Not sure if this helps at all but I set up private key encryption on mine
and just turned off password auth entirely.
I put the key on a 1GB flash drive with PuTTY and WinSCP.

On Jul 23, 2012 4:59 PM, "Lou Duchez" <lou at paprikash.com> wrote:

> On 7/23/2012 5:56 PM, Christopher Cashell wrote:
>
>> On Mon, Jul 23, 2012 at 4:51 PM, Lou Duchez <lou at paprikash.com> wrote:
>>
>>>> I would also change the default ssh port. Yes it is security by
>>>> obscurity, but it does block virtually all the bots from guessing your
>>>> password (if you have it enabled). I have disabled root ssh logins; if
>>>> root tries to log in, they will get an "auth failed" msg even if they
>>>> have put in the correct pw. You might also consider disabling remote
>>>> ssh password logins.
>>>>
>>> I run Fail2Ban on my various servers, and I think all but one of them are
>>> running SSH on non-default ports.  Coincidentally enough, the only server
>>> where I ever -- EVER -- get SSH hacker alerts is the one where SSH is
>>> running on the default port.
>>>
>> fail2ban is a great program for a lot of things, but there are better
>> ways to secure SSH on Linux.
>>
>> In your IPTables config, use the following line as your "allow ssh" line:
>>
>> -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m limit --limit 1/min --limit-burst 4 -j ACCEPT
>>
>> Now you have built-in protection against brute-force attacks at the
>> kernel-level, without relying on an external program, or recognizing
>> the failed logins later via log watching.
>>
>>
> That is swank, thank you!
>
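
Added example (not part of the original thread): a small Python model of what the quoted iptables rule does with --limit 1/min --limit-burst 4. The limit match keeps one token bucket for the whole rule, so the budget is shared by every source address, and packets that do not match fall through to whatever rule or chain policy comes next. The class name, addresses and timestamps are constructed for illustration.

```python
"""Model of the iptables `limit` match as used in the quoted rule.
Constructed illustration, not kernel code and not from the thread."""

ACCEPT, FALLTHROUGH = "ACCEPT", "FALLTHROUGH"


class LimitMatch:
    """Token bucket: starts full at `burst`, refills at `per_minute`."""

    def __init__(self, per_minute=1, burst=4):
        self.rate = per_minute / 60.0   # tokens regained per second
        self.burst = burst
        self.tokens = float(burst)
        self.last = None

    def check(self, now):
        # Refill for the time elapsed since the previous NEW packet.
        if self.last is not None:
            elapsed = now - self.last
            self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return ACCEPT        # rule matched, -j ACCEPT applies
        return FALLTHROUGH       # no match, later rules / policy decide


# Constructed sample: (seconds, source) of NEW connections to port 22.
# Only NEW packets are counted; established sessions need their own rule.
EVENTS = [
    (0, "198.51.100.7"), (1, "198.51.100.7"),
    (2, "198.51.100.7"), (3, "198.51.100.7"),
    (4, "198.51.100.7"),    # burst of 4 is used up
    (10, "192.0.2.10"),     # different source, same shared bucket
    (70, "192.0.2.10"),     # a full minute later, one token is back
    (75, "198.51.100.7"),
]


def run(events=EVENTS):
    """Return (time, source, verdict) for each NEW connection."""
    rule = LimitMatch()
    return [(t, src, rule.check(t)) for t, src in events]


if __name__ == "__main__":
    for t, src, verdict in run():
        print(f"t={t:>3}s  {src:<14} {verdict}")
```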


