On Mar 8, 2006, at 8:31 AM, Timothy A. Holmes wrote:

> Good Morning Folks:
>
> I have been doing some reading over the last day or two about an SSH bot
> attack that is occurring in some places. I will be the first to admit
> that I have been a bit lax with my ssh security (allowing root logins
> etc). This problem has inspired me to get things cleaned up, and flying
> right again. I have already modified my ssh config to prevent root
> logins via ssh, so that hole is closed. In talking to a friend
> yesterday, he suggested using key based authentication to further
> protect my servers, which sounds like a great idea. The problem is that
> I have no idea how to set it up. A google search turned up the Gentoo
> pages on keychain, which does not sound exactly like what he was talking
> about (he mentioned a key carried on a JUMP drive (usb stick)).
>
> I am using gentoo (and fedora (soon to be converted) servers) and PUTTY.
> If someone can offer suggestions, or point me in the right direction, I
> would be most appreciative.

Step one... on the box you'll be connecting FROM, run ssh-keygen -t rsa
(or dsa). It will ask you the name of the file to save it to; take the
default. Put a passphrase on it.

Step two... that created id_dsa.pub (which is what you get if you pick dsa
above) in your ~/.ssh directory. Copy that id_dsa.pub up to a server you
want to connect to.

Step three... since you've turned off root logins, you have a user on that
box. Copy that id_dsa.pub file into the ~/.ssh/authorized_keys file on the
target system. Note that if you have to create that directory yourself,
you'll probably have to remove group-write permissions before this will
work.

Step four... verify that in the target server's sshd_config file,
PubkeyAuthentication is set to yes.

That should allow you to ssh targetservername... you'll be asked for a
password, but that's to access the key on your LOCAL box. Add a -vv and
you'll see all kinds of cool stuff.

Note that I also move ssh from port 22 to some other port, and in my local
box, in .ssh, create a file called config. In that I put:

"Host *
User john
port xxx"

This says for all hosts I ssh to, use port 26, and username john at the
far end. You can replace the * with individual host names (as resolved via
dns or hosts file) to have different usernames on different boxes and
different ports per host.

I've had NO ssh portscans on my boxes since I moved them off of port 22.
For security's sake, I won't tell you where I moved them to :)
--
gentoo-user@g.o mailing list
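The setup the reply walks through, as an added example that is not part of either post: a small Python script that checks an sshd_config for the settings mentioned (PermitRootLogin, PubkeyAuthentication, Port), reproduces the group-write permission problem from step three on a scratch directory and shows the fix, and renders the ~/.ssh/config stanza from the end of the reply. It goes slightly beyond the reply on two points: the parser applies sshd's rule that the first occurrence of a keyword wins, and the client config puts host-specific stanzas before "Host *" because ssh likewise takes the first matching value per keyword. The sample config text, the placeholder public key, and all host and user names are constructed for the demonstration.

```python
"""Checks for the SSH hardening steps discussed in the thread.

Added example, not code from the mailing-list posts. The sample config,
the placeholder key and the scratch directory are all constructed.
"""
import os
import stat
import tempfile

# Constructed sample sshd_config: root logins still allowed, still on
# port 22, pubkey auth on. The second PermitRootLogin line is there to
# show that sshd keeps the FIRST value for a keyword and ignores later ones.
SAMPLE_SSHD_CONFIG = """\
# /etc/ssh/sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PubkeyAuthentication yes
PasswordAuthentication yes
# duplicate keyword: ignored by sshd because the first occurrence wins
PermitRootLogin no
"""


def parse_sshd_config(text):
    """Return {keyword: value}. Keywords are case-insensitive, '#' starts a
    comment, the first occurrence of a keyword wins, and parsing stops at the
    first 'Match' block since settings inside it are conditional."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        opts.setdefault(key, value)
    return opts


def check_sshd_config(text):
    """Findings for the three server-side settings the thread talks about."""
    opts = parse_sshd_config(text)
    findings = []
    if opts.get("permitrootlogin", "").lower() != "no":
        findings.append("PermitRootLogin is not explicitly 'no'")
    if opts.get("pubkeyauthentication", "yes").lower() != "yes":
        findings.append("PubkeyAuthentication is disabled; key logins will fail")
    if opts.get("port", "22") == "22":
        findings.append("sshd listens on the default port 22")
    return findings


def permission_findings(paths):
    """Mimic sshd's StrictModes check (on by default): the home directory,
    ~/.ssh and authorized_keys must not be group- or world-writable, or the
    key file is ignored and the user falls back to a password prompt.
    paths is {label: path}; returns the labels that fail."""
    return [label for label, path in paths.items()
            if os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH)]


def install_key_demo():
    """Build a scratch home, install a constructed public key the way step
    three describes with the group-write mistake the reply warns about, then
    fix the modes. Returns (findings_before_fix, findings_after_fix)."""
    fake_pubkey = "ssh-rsa AAAAB3NzaC1yc2E-CONSTRUCTED-PLACEHOLDER user@laptop\n"
    with tempfile.TemporaryDirectory() as home:
        ssh_dir = os.path.join(home, ".ssh")
        auth_keys = os.path.join(ssh_dir, "authorized_keys")
        os.mkdir(ssh_dir)
        os.chmod(home, 0o755)
        os.chmod(ssh_dir, 0o775)            # group-writable: the mistake
        with open(auth_keys, "a") as fh:    # "cat id_dsa.pub >> authorized_keys"
            fh.write(fake_pubkey)
        os.chmod(auth_keys, 0o664)
        paths = {"home": home, ".ssh": ssh_dir, "authorized_keys": auth_keys}
        before = permission_findings(paths)
        os.chmod(ssh_dir, 0o700)            # the fix: owner-only access
        os.chmod(auth_keys, 0o600)
        after = permission_findings(paths)
    return before, after


def render_client_config(default_user, default_port, per_host=()):
    """Render the ~/.ssh/config from the reply: per-host stanzas first, then
    the 'Host *' default, because ssh uses the first value it finds for each
    keyword and a leading 'Host *' would shadow the host-specific ones."""
    lines = []
    for host, user, port in per_host:   # constructed overrides, if any
        lines += [f"Host {host}", f"    User {user}", f"    Port {port}", ""]
    lines += ["Host *", f"    User {default_user}", f"    Port {default_port}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for f in check_sshd_config(SAMPLE_SSHD_CONFIG):
        print("sshd_config:", f)
    before, after = install_key_demo()
    print("group/world-writable before fix:", before, "after fix:", after)
    print(render_client_config("john", 26, [("web", "tholmes", 2222)]))
```

Run it as a script to see the findings for the constructed config, the permission check before and after the fix, and the rendered client config; point `check_sshd_config` at the contents of a real sshd_config to use it on a server.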