securing_remote_ssh_access
Differences
This shows you the differences between two versions of the page.
securing_remote_ssh_access [2013/01/05 00:25] – [Disable Root Logins] lonney | securing_remote_ssh_access [2013/01/05 06:10] – [Port 22] 206.174.106.118 | ||
---|---|---|---|
Line 7: | Line 7: | ||
===== Strong Passwords ===== | ===== Strong Passwords ===== | ||
- | Using strong passwords is a good idea, if you have trouble remembering strong passwords make a note of them in a notebook or other non-electronic form. | + | Using strong passwords is a good idea, if you have trouble remembering strong passwords make a note of them in a notebook or other non-electronic form, or in such a way as not to identify what it's for. |
[[http:// | [[http:// | ||
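Review bot: The clause added at the end of the Strong Passwords sentence, "or in such a way as not to identify what it's for", reads as an alternative to "non-electronic form", so it is unclear whether it allows an electronic note or is meant as a condition on the paper one. Suggest stating it as a separate requirement, for example "Do not write the host name or account next to the password", and breaking the comma splice after "good idea" into two sentences.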
Line 15: | Line 15: | ||
By default with SSH you can login directly using the root username and password. Since it is a given that every Linux and Unix system has a user called root, this is the obvious choice for an attacker to use and it gives them super user access with no further effort. | By default with SSH you can login directly using the root username and password. Since it is a given that every Linux and Unix system has a user called root, this is the obvious choice for an attacker to use and it gives them super user access with no further effort. | ||
- | We can disable logging in directly as root via SSH, after this change you'll need to login as a standard user and if root privileges are needed issue '' | + | We can disable logging in directly as root via SSH, after this change you'll need to login as a standard user and if root privileges are needed issue '' |
- As root edit ''/ | - As root edit ''/ | ||
- Now you can either set a password on the IRLP '' | - Now you can either set a password on the IRLP '' | ||
+ | - If you are doing this change remotely, open another SSH session and test logging in as repeater or with your own user account, and switching to the root account before you close your current session. Otherwise you could potentially lock your self out of the system until you can gain access to the console to straighten things out. | ||
- | It is also a good practice to avoid using the root account unless you really need to, one typo can hose an entire system before you know it's happened. | + | It is also a good practice to avoid using the root account unless you really need to be the super user to do something, one typo can hose an entire system before you know it' |
===== Port 22 ===== | ===== Port 22 ===== | ||
- | The default SSH port 22 is where anything and everything will try when looking for Linux and Unix hosts to compromise. In this example we'll use port 22500. Any high port number of your choice is generally OK. | + | The default SSH port 22 is where anything and everything will try when looking for Linux and Unix hosts to compromise. |
+ | |||
+ | If you currently have port 22 open to the world, as root '' | ||
+ | |||
+ | Using a non-standard port will avoid most of the attention. In this example we'll use port 22500. Any high port number of your choice is generally OK. | ||
There are two ways of doing this: | There are two ways of doing this: | ||
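Review bot: In the added Port 22 paragraph, "Using a non-standard port will avoid most of the attention" does not say which attention is meant or that the port change is only one layer. Suggest naming it as the automated probing of port 22 described in the first sentence of the section, and noting that the Strong Passwords and Disable Root Logins steps still apply on the new port. In the added list item about testing from a second SSH session, "lock your self out" should be "lock yourself out". Since that item is a warning rather than an optional step, consider marking it as such so a reader working remotely sees it before restarting sshd.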
Line 30: | Line 35: | ||
- In some routers, the port forwarding configuration allows you to redirect target port. For example port 22500 externally can be mapped to port 22 internally to your IRLP system. | - In some routers, the port forwarding configuration allows you to redirect target port. For example port 22500 externally can be mapped to port 22 internally to your IRLP system. | ||
- If your router does not support redirecting the target port, the configuration of sshd can be changed to listen on a non-standard port. As root edit ''/ | - If your router does not support redirecting the target port, the configuration of sshd can be changed to listen on a non-standard port. As root edit ''/ | ||
- | '' | + | '' |
securing_remote_ssh_access.txt · Last modified: 2013/01/28 17:55 by 142.103.194.1