| 1 |
On Mar 8, 2006, at 8:31 AM, Timothy A. Holmes wrote: |
| 2 |
|
| 3 |
> Good Morning Folks: |
| 4 |
> |
| 5 |
> I have been doing some reading over the last day or two about a SSH |
| 6 |
> bot |
| 7 |
> attack that is occurring in some places. I will be the first to admit |
| 8 |
> that I have been a bit lax with my ssh security (allowing root logins |
| 9 |
> etc). This problem has inspired me to get things cleaned up, and |
| 10 |
> flying |
| 11 |
> right again. I have already modified my ssh config to prevent root |
| 12 |
> logins via ssh, so that hole is closed. In talking to a friend |
| 13 |
> yesterday, he suggested using key based authentication to further |
| 14 |
> protect my servers, which sounds like a great idea. The problem is |
| 15 |
> that |
| 16 |
> I have no idea how to set it up. A google search turned up the Gentoo |
| 17 |
> pages on keychain, which does not sound exactly like what he was |
| 18 |
> talking |
| 19 |
> about (he mentioned a key carried on a JUMP drive (usb stick)) |
| 20 |
> |
| 21 |
> I am using gentoo (and fedora (soon to be converted) servers) and |
| 22 |
> PUTTY. |
| 23 |
> If someone can offer suggestions, or point me in the right |
| 24 |
> direction, I |
| 25 |
> would be most appreciative. |
| 26 |
step one...on the box you'll be connecting FROM, run ssh-keygen -t |
| 27 |
rsa (or dsa). It will ask you the name of the file to save it to, |
| 28 |
take the default. Put a passphrase on it. |
| 29 |
step two...that created id_dsa.pub (which is what you get if you pick |
| 30 |
dsa above) in your ~/.ssh directory. copy that id_dsa.pub up to a |
| 31 |
server you want to connect to |
| 32 |
step three...since you've turned off root logins, you have a user on |
| 33 |
that box. copy that id_dsa.pub file into the ~/.ssh/authorized_keys |
| 34 |
file on the target system. note that if you have to create that |
| 35 |
directory yourself, you'll probably have to remove group-write |
| 36 |
permissions before this will work. |
| 37 |
step four...verify that in the target server's sshd_config file, |
| 38 |
PubkeyAuthentication is set to yes |
| 39 |
|
| 40 |
that should allow you to ssh targetservername...you'll be asked for a |
| 41 |
password, but that's to access the key on your LOCAL box. add a -vv |
| 42 |
and you'll see all kinds of cool stuff. |
| 43 |
|
| 44 |
Note that I also move ssh from port 22 to some other port, and in my |
| 45 |
local box, in .ssh, create a file called config. In that I put: |
| 46 |
"Host * |
| 47 |
User john |
| 48 |
port xxx" |
| 49 |
|
| 50 |
this says for all hosts i ssh to, use port 26, and username john at |
| 51 |
the far end. you can replace the * with individual host names (as |
| 52 |
resolved via dns or hosts file) to have different usernames on |
| 53 |
different boxes and different ports per host. |
| 54 |
|
| 55 |
I've had NO ssh portscans on my boxes since I moved them off of port |
| 56 |
22. for security's sake, i won't tell you where I moved them to :) |
| 57 |
-- |
| 58 |
gentoo-user@g.o mailing list |
Archives