Re: locking down ssh

comp.security.firewalls archive

From: Eirik Seim <eirik@mi.uib.no>
Date: Tue Jan 31 2006 - 22:16:19 CET

On Tue, 31 Jan 2006 13:03:12 -0600, brenda wrote:
> Hi,
>
> I am trying to lock down my pc connection to the internet
> 1) I have a NATing router, with only port 22 open
> 2) The ssh server is on a Fedora Core 4 stock
> 3) I run yum nightly for updates

Do you read the logs? Or even any system/security logs? You'd
be surprised how many don't do that.

> 4) the windows pc's are all running norton antivirus
> 5) in the sshd_config file I did the following:
>
> AllowUsers brenda@remoteip
> AllowUsers brenda@192.168.3.*

If you only need to access your server from a specific remote ip
address, you could (should!) block all others in your fw/router.
Also, consider the threat if someone took control of your server.
If protecting the rest of your internal computers is a priority,
the server offering services to the world should be in a separate
environment (DMZ).

> #AllowTcpForwarding yes

Do you need this?

> # no default banner path
> #Banner /some/path

Consider adding a banner with a suitably threatening message.

> Is there anything else I can do to lock the system down?

No matter how hard we try, it is always possible to do better.
Some wise man once said something I remember as "Once you've got
foolproof security, a more creative fool comes along". The message
basically is the same as always: Security is a process. If you do
it right, you're never done.

-- 
New and exciting signature!
Received on Tue Feb 7 20:58:35 2006
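The two practical points in the reply above are "read your logs" and "check the sshd_config directives you quoted" (AllowUsers host restrictions, the commented-out AllowTcpForwarding, the missing Banner). The script below is an added example, not code from the thread or from OpenSSH: it audits a constructed sshd_config excerpt mirroring the one brenda posted and summarizes a handful of constructed syslog-style sshd lines per source address. It assumes OpenSSH's documented defaults (AllowTcpForwarding yes, Banner none) and its first-value-wins rule for scalar directives; Match blocks are ignored, and the threshold of three failures is an arbitrary illustration value.

```python
import re
from collections import Counter

# Constructed sshd_config excerpt mirroring the directives quoted in the post.
SAMPLE_SSHD_CONFIG = """\
# comments are ignored by sshd
AllowUsers brenda@remoteip
AllowUsers brenda@192.168.3.*
#AllowTcpForwarding yes
# no default banner path
#Banner /some/path
"""

# Constructed auth log lines in the syslog format OpenSSH's sshd writes.
SAMPLE_AUTH_LOG = """\
Jan 31 21:58:01 host sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 4011 ssh2
Jan 31 21:58:04 host sshd[2213]: Failed password for invalid user test from 203.0.113.7 port 4012 ssh2
Jan 31 21:58:09 host sshd[2215]: Failed password for root from 203.0.113.7 port 4013 ssh2
Jan 31 22:01:13 host sshd[2220]: Accepted password for brenda from 192.168.3.10 port 51234 ssh2
Jan 31 22:05:40 host sshd[2230]: Failed password for brenda from 198.51.100.9 port 6001 ssh2
Jan 31 22:06:02 host sshd[2231]: Accepted publickey for brenda from 198.51.100.9 port 6002 ssh2
"""

# OpenSSH defaults that apply when the directive is commented out.
DEFAULTS = {"AllowTcpForwarding": "yes", "Banner": "none"}


def parse_sshd_config(text):
    """Return {directive: [values in file order]} for active lines.

    Keyword and argument may be separated by whitespace or '='.
    Match blocks are not handled (assumption: a flat config like the sample).
    """
    directives = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0]
        value = parts[1].strip() if len(parts) > 1 else ""
        directives.setdefault(key, []).append(value)
    return directives


def audit_sshd_config(directives):
    """Flag the points raised in the thread; returns a list of finding strings."""
    findings = []
    # For scalar directives sshd uses the first value it obtains.
    forwarding = directives.get("AllowTcpForwarding", [DEFAULTS["AllowTcpForwarding"]])[0]
    if forwarding.lower() == "yes":
        findings.append("AllowTcpForwarding is enabled (the default); set it to no unless needed")
    banner = directives.get("Banner", [DEFAULTS["Banner"]])[0]
    if banner.lower() == "none":
        findings.append("no Banner is configured")
    # AllowUsers lines accumulate; each pattern should carry a host part.
    if "AllowUsers" not in directives:
        findings.append("no AllowUsers restriction at all")
    else:
        for pattern in directives["AllowUsers"]:
            for entry in pattern.split():
                if "@" not in entry:
                    findings.append("AllowUsers entry %r has no host restriction" % entry)
    return findings


LOG_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def summarize_auth_log(text):
    """Count failed/accepted logins and invalid-user attempts per source address."""
    failed, accepted, invalid_users = Counter(), Counter(), Counter()
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        ip = m.group("ip")
        if m.group("result") == "Failed":
            failed[ip] += 1
            if m.group("invalid"):
                invalid_users[ip] += 1
        else:
            accepted[ip] += 1
    return {"failed": failed, "accepted": accepted, "invalid_users": invalid_users}


def suspicious_sources(summary, threshold=3):
    """Addresses with at least `threshold` failures, sorted for stable output."""
    return sorted(ip for ip, n in summary["failed"].items() if n >= threshold)


def failed_then_accepted(summary):
    """Addresses that failed at least once and were later accepted: worth a look."""
    return sorted(ip for ip in summary["failed"] if ip in summary["accepted"])


if __name__ == "__main__":
    for finding in audit_sshd_config(parse_sshd_config(SAMPLE_SSHD_CONFIG)):
        print("config:", finding)
    summary = summarize_auth_log(SAMPLE_AUTH_LOG)
    print("failures per source:", dict(summary["failed"]))
    print("suspicious:", suspicious_sources(summary))
    print("failed then accepted:", failed_then_accepted(summary))
```

Run against the constructed sample it reports the two commented-out directives as findings, counts three failures (two against non-existent users) from 203.0.113.7, and singles out 198.51.100.9 as a source that failed once and then got in; on a real host you would feed it /etc/ssh/sshd_config and the auth log instead of the embedded strings.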