Alexander Wasmuth wrote:
> * Jim Hyslop wrote:
>
>> PermitRootLogin no
>> RSAAuthentication no
>> PubkeyAuthentication yes
>> IgnoreRhosts yes
>> RhostsRSAAuthentication no
>> HostbasedAuthentication no
>> PermitEmptyPasswords no
>> ChallengeResponseAuthentication no
>> PasswordAuthentication no
>> UsePAM yes
>> Subsystem sftp /usr/lib/openssh/sftp-server
>
> I've also added "Protocol 2" to omit ssh 1 and I set UsePam to no
> because I wasn't able to prohibit password authentication with PAM
> enabled.
>
> Restricting the allowed users is probably a good idea, too:
>
> AllowUsers you
>
> Also I am using iptables to limit the per-ip connection tries in a given
> amount of time: <http://www.debian-administration.org/articles/187>.
>
> Cheers,
> Alex

Hi,

Using "Protocol 2" should be more secure.

About changing port 22 to another one, I would prefer to use port knocking (iptables rules or the knockd package) or something like that: http://www.cipherdyne.com/fwknop/

Here is an example:

>>>>>>>>>>>>>>>>
etch:/home/franck# telnet 192.168.0.1 22
Trying 192.168.0.1...
Connected to 192.168.0.1.
Escape character is '^]'.
SSH-2.0-OpenSSH_4.3p2 Debian-8
^[
Protocol mismatch.
Connection closed by foreign host.

As you can see, I get the SSH banner when I listen on port 22, and so do I when I change it to port 1022.

etch:/home/franck# telnet 192.168.0.1 1022
Trying 192.168.0.1...
Connected to 192.168.0.1.
Escape character is '^]'.
SSH-2.0-OpenSSH_4.3p2 Debian-8
^[
Protocol mismatch.
Connection closed by foreign host.
<<<<<<<<<<<<<<<<<<

Here is the explanation: http://www.openssh.com/faq.html#2.14

Hope it helps.

-- 
Franck Joncourt
http://www.debian.org
http://smhteam.info/wiki/
GPG server : pgpkeys.mit.edu
Fingerprint : C10E D1D0 EF70 0A2A CACF 9A3C C490 534E 75C0 89FE
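
The settings discussed in this thread can be checked mechanically. The script below is an added example, not part of any message in the thread; the names `effective` and `audit` are hypothetical, and the built-in defaults it falls back on are assumed to be those of the OpenSSH 4.x release shown in the banner above. It applies sshd's rule that the first value given for a keyword wins, so a weak setting earlier in the file is not rescued by a strict one further down.

```python
# Added example (not from the thread): audit sshd_config text against the
# settings recommended in this thread.
# Assumption: built-in defaults are those of the OpenSSH 4.x era discussed here.
DEFAULTS = {"protocol": "2,1", "permitrootlogin": "yes",
            "passwordauthentication": "yes", "permitemptypasswords": "no",
            "challengeresponseauthentication": "yes", "usepam": "no"}
WANTED = {"protocol": "2", "permitrootlogin": "no",
          "passwordauthentication": "no", "permitemptypasswords": "no"}

# Constructed sample: the quoted configuration, one directive per line.
QUOTED_CONFIG = """\
PermitRootLogin no
RSAAuthentication no
PubkeyAuthentication yes
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM yes
Subsystem sftp /usr/lib/openssh/sftp-server
"""

def effective(config_text):
    """Global settings as sshd reads them: keywords are case-insensitive and
    the first value obtained for a keyword wins."""
    seen = {}
    for raw in config_text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0].lower() == "match":  # conditional blocks are out of scope here
            break
        seen.setdefault(parts[0].lower(), parts[1] if len(parts) > 1 else "")
    return seen

def audit(config_text):
    """Return a list of findings; an empty list means the thread's advice is met."""
    eff = {**DEFAULTS, **effective(config_text)}
    findings = [f"{k} is '{eff[k]}', thread recommends '{v}'"
                for k, v in WANTED.items() if eff[k] != v]
    if eff["usepam"] == "yes" and eff["challengeresponseauthentication"] != "no":
        findings.append("usepam yes + challenge-response: PAM may still ask for a password")
    if "allowusers" not in eff:
        findings.append("no allowusers restriction")
    return findings

if __name__ == "__main__":
    for finding in audit(QUOTED_CONFIG):
        print(finding)
```

Run against the quoted configuration, it reports the two gaps raised in the replies: no explicit "Protocol 2" and no AllowUsers line.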