This is from "how to secure a linux server" (LinuxSecurityResource).

1. Use lsof or a similar tool to determine what ports are listening on the computer:

       lsof -i
4. Don't allow root logins on your primary sshd port 22 (set PermitRootLogin to "no"); many automated tools run brute-force attacks on that. Set up a secondary port for root access that only works by shared keys, disallowing passwords:

   * Copy the sshd_config file to root_sshd_config, and change the following items in the new file:
     o Port: from 22 to some other number, say 8899 (don't use this! make up your own!)
     o PermitRootLogin: from "no" (you were supposed to set it to "no" for port 22, remember?) to "yes"
     o AllowUsers root: add this line, or if it exists, change it to allow only root logins on this port
     o ChallengeResponseAuthentication no: uncomment this line if it's commented out, and make sure it says "no" instead of "yes"

   * Test this command:

         sshd -D -f /etc/ssh/root_sshd_config

     and see if it works correctly -- try logging in from another computer (you must have already set up shared-key authentication between the two computers) using:

         ssh -p8899 root@my.remote.server

     If that works, control-C the sshd command above to stop the daemon, then add this to the end of /etc/inittab:

         rssh:2345:respawn:sshd -D -f /etc/ssh/root_sshd_config

   * Restart the init task:

         # init q

     This will run your "root ssh daemon" as a background task, automatically restarting it in case of failure.
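The secondary root sshd procedure above, as an added shell example that is not part of the original notes: it builds root_sshd_config from a constructed stand-in for sshd_config, forces the settings the notes list, and reads back the value sshd would actually use for each keyword (sshd honours the first occurrence). It goes one step beyond the notes by also setting PasswordAuthentication no, because ChallengeResponseAuthentication no on its own only disables keyboard-interactive logins and leaves ordinary password authentication enabled. The file names, port 8899 and sample config contents are placeholders, as in the notes.

```shell
#!/bin/sh
# Added example, not from the original notes. Builds the "root ssh daemon"
# config and verifies the effective settings. Port 8899 and all paths are
# placeholders; on a real system the source is /etc/ssh/sshd_config.

# write_sample_config FILE
# Writes a small, constructed sshd_config so the example runs offline.
write_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample sshd_config (stand-in for /etc/ssh/sshd_config)
Port 22
PermitRootLogin no
#ChallengeResponseAuthentication yes
PasswordAuthentication yes
UsePAM yes
Subsystem sftp /usr/libexec/openssh/sftp-server
EOF
}

# make_root_sshd_config SRC DST PORT
# Copies SRC to DST with the keywords the notes change forced to the
# root-only, key-only values. sshd uses the first value it sees for a
# keyword, so the forced lines go first and the original active lines for
# those keywords are dropped so nothing in the copy contradicts them.
make_root_sshd_config() {
    src=$1; dst=$2; port=$3
    {
        printf 'Port %s\n' "$port"
        printf 'PermitRootLogin yes\n'
        printf 'AllowUsers root\n'
        printf 'ChallengeResponseAuthentication no\n'
        # Not in the notes: without this, password logins for root would
        # still be accepted on the new port.
        printf 'PasswordAuthentication no\n'
        grep -Eiv '^[[:space:]]*(Port|PermitRootLogin|AllowUsers|ChallengeResponseAuthentication|PasswordAuthentication)([[:space:]]|=)' "$src"
    } > "$dst"
    chmod 600 "$dst"
}

# effective_setting FILE KEYWORD
# Prints the value sshd would use: the first active (uncommented) line
# whose keyword matches, case-insensitively as sshd compares them.
effective_setting() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# check_root_config FILE PORT
# Returns 0 only if every setting the procedure requires is in effect.
check_root_config() {
    f=$1; port=$2
    [ "$(effective_setting "$f" Port)" = "$port" ] &&
    [ "$(effective_setting "$f" PermitRootLogin)" = yes ] &&
    [ "$(effective_setting "$f" AllowUsers)" = root ] &&
    [ "$(effective_setting "$f" ChallengeResponseAuthentication)" = no ] &&
    [ "$(effective_setting "$f" PasswordAuthentication)" = no ]
}

# demo: run the whole procedure against the constructed sample.
demo() {
    d=$(mktemp -d)
    write_sample_config "$d/sshd_config"
    make_root_sshd_config "$d/sshd_config" "$d/root_sshd_config" 8899
    if check_root_config "$d/root_sshd_config" 8899; then
        echo "root_sshd_config ok; foreground test: sshd -D -f $d/root_sshd_config"
    else
        echo "root_sshd_config is missing a required setting" >&2
    fi
    # Let sshd itself syntax-check the file when it is installed
    # (sshd -t needs the host keys, so it usually has to run as root).
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$d/root_sshd_config" 2>/dev/null && echo "sshd -t: syntax ok" \
            || echo "sshd -t could not validate the file here (host keys / privileges)"
    fi
    rm -rf "$d"
}
demo
```

Run it as-is to see the generated file pass the check; on a real host, point make_root_sshd_config at /etc/ssh/sshd_config and /etc/ssh/root_sshd_config, then continue with the foreground sshd -D test and the inittab line from the notes. The check_root_config function is also worth keeping as a post-change audit, since a later package upgrade that rewrites sshd_config will not touch root_sshd_config but may change the defaults it inherits.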