kYd Posted July 29, 2010 (edited)
.
Edited September 5, 2021 by kYd
hacker07 Posted July 29, 2010

Hey,

In a few days I will be exposing my media server to the scary Internet, as I'll need access to it from afar; it has quite a bit of personal stuff on there, so I'm looking to harden it down, and I'm primarily focusing on just SSH today. I've read many guides the last few hours, and while some of the information is great, some sources are conflicting with others, with many of them dating years back.

So, concerning SSH, what tips would you advise? I've already done the obvious: changing ports, using the AllowUsers directive, disabled root, limited wrong authentication tries and login grace time, and I'm currently trying to get to a passwordless state with keys (followed numerous guides but still asks for p/w).

I'm also in the process of trying to set up iptables to accomplish the following:
* Block the IP of anyone that tries to connect to the server on port 22, forever.
* Block any IP that fails authentication more than 2 times, for an hour.

Could you help me with this one also? I am unable to allow just the foreign IPs I will be logging in from, as I shall be at many locations, with dynamic IPs.

Cheers.

I think one of the most secure methods of SSH connections is using ssh-keys for authentication.
cabster21 Posted July 29, 2010

I would say you've done far more than what a script kiddie could do, or be bothered to continue. Unless what you have is worth something you should be fine, unless someone is trying to hack you for making a point.
Charles Posted July 29, 2010

What are you having problems with when trying to set the keys? You need to change two settings, which are: PubkeyAuthentication and PasswordAuthentication. Change Pubkey to yes and password to no and add your public key to ~/.ssh/authorized_keys. You can recreate keys by using ssh-keygen.

Here's my sshd_config file for reference - it needs some clean up, but it works for me.

# Package generated configuration file
# See the sshd(8) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 30
PermitRootLogin no
StrictModes yes

RSAAuthentication no
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 3:50:10
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

UsePAM yes
AllowUsers charles
GatewayPorts no
AllowTcpForwarding yes
# Old spelling of TCPKeepAlive (still accepted as an alias)
KeepAlive yes
IgnoreUserKnownHosts no
PasswordAuthentication no
Charles Posted July 31, 2010 (edited)

Try using id_rsa.pub instead. That's the one I've been using. Haven't touched id_dsa.pub.

Permissions should look like this:

-rw-r--r-- 1 charles charles  394 2010-07-03 20:58 authorized_keys
-rw------- 1 charles charles 1743 2010-07-15 09:11 id_rsa
-rw-r--r-- 1 charles charles  442 2010-07-30 17:15 known_hosts

The id_rsa.pub should be added to authorized_keys (the rename you did should be fine).

I tried the same thing with the id_dsa.pub key and id_dsa private key without success. It only allowed me to use my password to authenticate. The debug looked the same as yours. When I switched to using rsa keys, it authenticated without any problems.

Edited July 31, 2010 by Charles
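As an added example (not code from the thread or from OpenSSH), here is a small Python audit that reads an sshd_config the way sshd does (first uncommented value of a keyword wins, comments skipped) and checks the settings Charles points at, plus the file-mode test behind the permissions listing above. The EXPECTED table and SAMPLE_CONFIG are my assumptions; the sample deliberately shows why appending "PasswordAuthentication no" at the end of a file does not override an earlier "yes".

```python
import re
import stat

# Checks drawn from the thread: keys on, passwords and root login off, StrictModes
# on (the permission check behind the listing above). The table is my assumption.
EXPECTED = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "no",
    "permitrootlogin": "no",
    "strictmodes": "yes",
}

# Constructed sample, not Charles's file. The last line comes too late: sshd keeps
# the first uncommented value of a keyword, so the earlier "yes" wins.
SAMPLE_CONFIG = """\
Protocol 2
PermitRootLogin no
StrictModes yes
PubkeyAuthentication yes
#PasswordAuthentication no
PasswordAuthentication yes
PasswordAuthentication no
"""


def parse_sshd_config(text):
    """Map lowercased keyword -> first value seen; stop at a Match block."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # comment or blank line
        parts = re.sub(r"\s*=\s*", " ", line, count=1).split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break  # settings below here are conditional, not global
        settings.setdefault(key, parts[1] if len(parts) > 1 else "")
    return settings


def audit_config(text):
    """Return (keyword, found, wanted) for every expectation the config misses."""
    found = parse_sshd_config(text)
    return [(k, found.get(k, "<default>"), want) for k, want in EXPECTED.items()
            if found.get(k, "<default>").lower() != want]


def mode_within(st_mode, max_mode):
    """True if the permission bits (e.g. os.stat(path).st_mode) are a subset of
    max_mode: 0o644 for authorized_keys, 0o600 for id_rsa as listed above. With
    StrictModes yes a group/world-writable key file or ~/.ssh makes sshd ignore
    the key, and the client then falls back to asking for the password."""
    return stat.S_IMODE(st_mode) & ~max_mode == 0
```

Run audit_config on the real /etc/ssh/sshd_config and mode_within on os.stat of ~/.ssh/authorized_keys to see which of the two problems (setting order or permissions) is behind a persistent password prompt.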