Not sure what NoMachine is, but I'd suspect far easier to change your sshd config file to change SSH server behavior.

Some recommendations for the config file:

AllowUsers user1 user2 user3
(assuming your list of authorized users is short, there's also a group option, but I've had a very small SSH user base)
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
(if you can use key authentication for all users, ~/.ssh/authorized_keys)

Of course what you can and can't do to secure SSH is dependent upon your environment / work policies / users.

Paul

On Thu, Oct 1, 2015 at 2:14 PM, Alex Smith (K4RNT) <[email protected]> wrote:

> Use something like NoMachine so you can disable password authentication?
>
> " 'With the first link, the chain is forged. The first speech censured,
> the first thought forbidden, the first freedom denied, chains us all
> irrevocably.' Those words were uttered by Judge Aaron Satie as wisdom and
> warning... The first time any man's freedom is trodden on, we’re all
> damaged." - Jean-Luc Picard, quoting Judge Aaron Satie, Star Trek: TNG
> episode "The Drumhead"
> - Alex Smith
> - Kent, Washington (metropolitan Seattle area)
>
> On Thu, Oct 1, 2015 at 11:15 AM, Paul Boniol <[email protected]>
> wrote:
>
>> As everyone I'm sure is aware, #1 (if not 1, close to it) thing is to
>> secure any SSH server as best you can before it goes on the Internet,
>> because most distributions' default config leaves them in the equivalent of
>> something like a locked storm door approach. (Wiggle the knob enough and
>> it might just pop open.)
>>
>> 1. If possible disallow password authentication, use a secure shared
>> key. Preferably transferring just the public key from the SSH box to your
>> desktop(s), preferably by thumbdrive or similar.
>>
>> 2. I always disallow direct SSH root login. (I'm pretty sure this also
>> means "they" have to guess a username, provided something doesn't do an
>> end-run, e.g. buffer overflow, to allow access.)
>>
>> 3. A bit of belt-and-suspenders approach, but if you already have a VPN
>> to allow access to your network, you can run SSH over the VPN. This can
>> drastically cut the number of IP addresses you must allow to connect to
>> SSH. Connections from a different IP range can simply be dropped.
>>
>> 4. Apply security updates regularly.
>>
>> From a quick glance #1 would eliminate this particular botnet attack from
>> adding your machine to their network(s).
>>
>> I go further, but I know I'm paranoid. :) I have enough to do without a
>> security admin breathing down my neck and/or having to rebuild boxes cause
>> I didn't do what I should. I do all that is possible to stop a breach
>> before it happens, even if that means a bit of inconvenience on my part.
>> (Others on the listserv I'm sure are infinitely more qualified than I am
>> in this arena. Just some quick thoughts to prevent it before it happens.)
>>
>> Paul
>>
>> On Thu, Oct 1, 2015 at 8:16 AM, Prasoon Sharma <
>> [email protected]> wrote:
>>
>>> Try looking into /etc/pki/tls/openssl.cnf file. Might be you made some
>>> changes or you mistyped something into it. I faced similar issues today
>>> and found I mistakenly typed something into that file. I removed it and
>>> restarted sshd, my ftps and ssh again started working fine.
>>>
>>>
>>> On Monday, January 30, 2012 at 10:50:08 AM UTC+5:30, Kevin Wurm#1 wrote:
>>>>
>>>> Hello everyone,
>>>>
>>>> I'm having a problem with one of my fc15 machines. First it started
>>>> with a file system error which I fixed with fsck. Once it came back up,
>>>> the ssh server wouldn't start at boot. Then I realized the client wasn't working
>>>> either. I get the following errors:
>>>>
>>>> ------------------------------------------------------------------------
>>>> # service sshd start
>>>> Starting sshd (via systemctl): Job failed. See system logs and
>>>> 'systemctl status' for details.
>>>> [FAILED]
>>>>
>>>> # systemctl status sshd.service
>>>> sshd.service - LSB: Start up the OpenSSH server daemon
>>>> Loaded: loaded (/etc/rc.d/init.d/sshd)
>>>> Active: failed since Sun, 29 Jan 2012 21:53:56 -0600; 4min 23s ago
>>>> Process: 3985 ExecStart=/etc/rc.d/init.d/sshd start (code=exited,
>>>> status=1/FAILURE)
>>>> CGroup: name=systemd:/system/sshd.service
>>>>
>>>> $ ssh kedo9
>>>> Auto configuration failed
>>>> 3078813332:error:0E079065:configuration file
>>>> routines:DEF_LOAD_BIO:missing equal sign:conf_def.c:362:line 1
>>>>
>>>> # cat /var/log/messages-20120129 | grep ssh
>>>> Jan 28 09:56:15 kedo15 systemd[1]: Unit sshd.service entered failed
>>>> state.
>>>> Jan 28 09:56:19 kedo15 systemd[1]: sshd.service: control process
>>>> exited, code=exited status=1
>>>> (There are multiple entries like this)
>>>> ------------------------------------------------------------------------
>>>>
>>>> I've done the usual googling, and haven't found much. I have also un-
>>>> and re-installed. The sshd_config is now the default and still I have the
>>>> same issues. I'm not sure what file it means is missing a "missing equal
>>>> sign".
>>>>
>>>> I will be grateful for any ideas you might have. I really don't want to
>>>> format this box.
>>>>
>>>> Thanks in advance,
>>>>
>>>> Kevin
>>>>
>>> --
>>> You received this message because you are subscribed to the Google
>>> Groups "NLUG" group.
>>> To post to this group, send email to [email protected]
>>> To unsubscribe from this group, send email to
>>> [email protected]
>>> For more options, visit this group at
>>> http://groups.google.com/group/nlug-talk?hl=en
>>>
>>> ---
>>> You received this message because you are subscribed to the Google
>>> Groups "NLUG" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to [email protected].
>>> For more options, visit https://groups.google.com/d/optout.
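
An added example, not part of the thread or written by any of its participants: a small Python audit of an sshd_config against the settings recommended in the top message. It relies on sshd using the first value it reads for a keyword and treats everything after a Match line as conditional; the function names and the sample config are constructed for illustration.

```python
import re

# Values recommended in the message above; keys are lower-cased sshd keywords.
REQUIRED = {"permitrootlogin": "no", "passwordauthentication": "no",
            "challengeresponseauthentication": "no"}
LINE = re.compile(r"(\w+)(?:\s*=\s*|\s+)(.*)")  # "Key value" or "Key=value"

# Constructed sample config (not from the thread).
SAMPLE = """\
Port 22
passwordauthentication yes
PermitRootLogin no
PasswordAuthentication no
Match Address 10.8.0.0/24
    ChallengeResponseAuthentication no
    AllowUsers user1
"""

def global_settings(text):
    """First value per keyword in the global section (before any Match)."""
    first = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = None if line.startswith("#") else LINE.fullmatch(line)
        if not m:
            continue                      # blank, comment, or bare keyword
        key, value = m.group(1).lower(), m.group(2).strip().strip('"')
        if key == "match":
            break                         # the rest is conditional
        first.setdefault(key, value)      # sshd keeps the first value it reads
    return first

def audit(text):
    """Return a list of findings; an empty list means all checks passed."""
    seen, findings = global_settings(text), []
    for key, want in REQUIRED.items():
        got = seen.get(key)
        if got is None:
            findings.append(f"{key}: not set globally, built-in default applies")
        elif got.lower() != want:
            findings.append(f"{key}: effective value '{got}', recommended '{want}'")
    if "allowusers" not in seen and "allowgroups" not in seen:
        findings.append("allowusers/allowgroups: no global allow-list")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "all recommended settings present")
```

The sample shows why a later `PasswordAuthentication no` does not help when an earlier line already set it to `yes`. On a live host, `sshd -T` prints the effective configuration after parsing and is the authoritative check.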
