http://hexwiki.com/w/index.php?title=OpenSSH_(6.0)&feed=atom&action=history
OpenSSH (6.0) - Revision history
2024-03-29T11:53:50Z
Revision history for this page on the wiki
MediaWiki 1.35.7
http://hexwiki.com/w/index.php?title=OpenSSH_(6.0)&diff=159&oldid=prev
Vekseid at 01:09, 10 May 2014
2014-05-10T01:09:05Z
<p></p>
<table class="diff diff-contentalign-left diff-editfont-monospace" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 01:09, 10 May 2014</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l62" >Line 62:</td>
<td colspan="2" class="diff-lineno">Line 62:</td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>While I have yet to make this mistake personally (and have IPMI to fall back on now), I have seen stories from people who have messed this up.</div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>While I have yet to make this mistake personally (and have IPMI to fall back on now), I have seen stories from people who have messed this up.</div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;"></ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">{{Bottom Wheezy}}</ins></div></td></tr>
</table>
Vekseid
http://hexwiki.com/w/index.php?title=OpenSSH_(6.0)&diff=130&oldid=prev
Vekseid: /* /etc/ssh/sshd_config */
2014-05-09T01:26:32Z
<p><span dir="auto"><span class="autocomment">/etc/ssh/sshd_config</span></span></p>
<table class="diff diff-contentalign-left diff-editfont-monospace" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 01:26, 9 May 2014</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l30" >Line 30:</td>
<td colspan="2" class="diff-lineno">Line 30:</td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>== /etc/ssh/sshd_config ==</div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>== /etc/ssh/sshd_config ==</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div># Choose a non-standard port. I recommend <del class="diffchange diffchange-inline">picking a four or five-digit </del>number<del class="diffchange diffchange-inline">, and using that </del>for all of your servers. This is less for security, per se, but rather to help keep log clutter down. If you use the same number often enough, you will eventually memorize it.</div></td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div># Choose a non-standard port. I recommend <ins class="diffchange diffchange-inline">using the same </ins>number for all of your servers. This is less for security, per se, but rather to help keep log clutter down <ins class="diffchange diffchange-inline">as brute force attacks pollute your auth logs</ins>. If you use the same number often enough, you will eventually memorize it.</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div># Listen to only a single IP address. If you have true IPv6 connectivity, consider only talking only through IPv6.</div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div># Listen to only a single IP address. If you have true IPv6 connectivity, consider only talking only through IPv6.</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div># PermitRootLogin no</div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div># PermitRootLogin no</div></td></tr>
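Review bot: the new wording drops the only concrete guidance on which port to choose (the deleted "picking a four or five-digit number"), so a reader of this revision is told to use "a non-standard port" with no hint of a range; keep a short hint, such as a port above 1024 that no other service on the host uses, next to the new remark about brute-force attempts polluting the auth logs, which fits the existing "less for security, per se" framing.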
</table>
Vekseid
http://hexwiki.com/w/index.php?title=OpenSSH_(6.0)&diff=129&oldid=prev
Vekseid: Created page with "My first step to setting up most Internet servers is to shut down every listening service except for sshd. The second step is to lock down sshd. == Preparation == # You wil..."
2014-05-08T22:01:08Z
<p>Created page with "My first step to setting up most Internet servers is to shut down every listening service except for sshd. The second step is to lock down sshd. == Preparation == # You wil..."</p>
<p><b>New page</b></p><div>My first step to setting up most Internet servers is to shut down every listening service except for sshd.<br />
<br />
The second step is to lock down sshd.<br />
<br />
== Preparation ==<br />
<br />
# You will want a public-private keypair. I currently use 4096-bit keys and require them for my users, but may move to 8192-bit keys. This may seem excessive, but the resources involved are trivial. Regardless, you should have this beforehand. See [[Generating an RSA Key Pair]] for instructions.<br />
# Shut every listening service down, save for ssh if you are talking over it.<br />
# Make sure your chosen administrative/wheel user has your public key in their ~/.ssh/authorized_keys<br />
# Make sure the address you are binding ssh to is bound in /etc/network/interfaces<br />
# If you don't have some sort of remote KVM access to your server, chances are you will want to make a watchdog script relatively soon, along the lines of:<br />
<br />
#!/bin/sh<br />
# Start sshd if no daemon is running (for example because it failed to bind at boot).<br />
# pgrep -f matches the full command line, so only the listening daemon counts and<br />
# the check does not match itself.<br />
if pgrep -f '^/usr/sbin/sshd' >/dev/null 2>&1; then<br />
    :   # sshd is running; nothing to do<br />
else<br />
    /etc/init.d/ssh start<br />
fi<br />
<br />
And add:<br />
<br />
2,22,42 * * * * root /root/watchdog.ssh.sh<br />
<br />
to a file in /etc/cron.d/ (I use /etc/cron.d/watchdog for my watchdog crons). Make the script executable (chmod 0755 /root/watchdog.ssh.sh), and keep the cron.d file name to letters, digits, underscores and hyphens: cron ignores files in /etc/cron.d whose names contain anything else (a dot, for instance), and refuses ones that are not owned by root or are writable by group or others.<br />
<br />
If you assign addresses with ifconfig from a script rather than in /etc/network/interfaces, and your server has a lot of IPs, this step may be mandatory: if the interfaces take their sweet time coming up, sshd starts before its ListenAddress exists, cannot bind, and exits, and the watchdog is what brings it back a few minutes later.<br />
<br />
== /etc/ssh/sshd_config ==<br />
<br />
# Choose a non-standard port. I recommend picking a four or five-digit number, and using that for all of your servers. This is less for security, per se, but rather to help keep log clutter down. If you use the same number often enough, you will eventually memorize it.<br />
# Listen on only a single IP address. If you have true IPv6 connectivity, consider listening only on IPv6.<br />
# PermitRootLogin no<br />
# PubkeyAuthentication yes<br />
# PasswordAuthentication no<br />
## Leaving this on until you copy your key over is generally fine, unless you are horrible at picking passwords.<br />
# X11Forwarding no<br />
## None of my servers run X. If yours does (and you want it to), go ahead.<br />
# UsePAM no<br />
## Just vanilla ssh, please.<br />
# If you are going to have other people signing in, you may want to give them chrooted sftp access only. You can do this by placing blocks at the end of this file (a Match block applies to every directive that follows it, so no global setting may come after one), a la<br />
Match User accountname<br />
ChrootDirectory /home/accountname<br />
AllowTCPForwarding no<br />
X11Forwarding no<br />
ForceCommand internal-sftp<br />
<br />
To keep them from snooping, or somehow making a mess. Note that sshd refuses the login ("bad ownership or modes for chroot directory") unless the chroot directory and every directory above it are owned by root and writable by nobody else, so /home/accountname itself must be root-owned, and the user needs a subdirectory of their own inside it to write into.<br />
<br />
== Testing ==<br />
<br />
Run /usr/sbin/sshd -t first: it parses the config and the host keys and exits non-zero on any error without starting a daemon, and a restart with a broken config leaves you with no sshd at all. Then, after<br />
<br />
/etc/init.d/ssh start<br />
<br />
if using IPMI, or<br />
<br />
/etc/init.d/ssh restart<br />
<br />
if not, be sure to try to sign in (again) over ssh, from a new session while the existing one stays open, using the new port and address, and make sure you can successfully connect.<br />
<br />
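As an added example (mine, not code from the original page), the following script puts a safety net around the check this section describes: it reports what sshd would actually use for the settings listed above (unset keywords fall back to the OpenSSH 6.0 defaults, which is how PermitRootLogin and PasswordAuthentication stay on), validates a new config with sshd's own parser before installing it, and arms a revert to the previous file that you cancel once a fresh login succeeds. The port, address and account name in the constructed sample configs, the .bak and flag-file paths and the ten-minute window are my choices; the init script path is Wheezy's.<br />
<br />
```shell
#!/bin/sh
# Added example, not code from the original page: report the settings sshd
# would actually use from an sshd_config, and install a new config only after
# sshd's parser accepts it, with an armed revert so a mistake cannot lock you out.

# effective_option FILE KEYWORD
# Print the value sshd takes for KEYWORD from the global section of FILE.
# sshd honours the first occurrence of a keyword, keywords are
# case-insensitive, and everything after the first Match line is conditional,
# so the scan stops there. (The rarer "Keyword=value" spelling is not handled.)
effective_option() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, "") }                  # drop comments
        NF == 0 { next }                    # and blank lines
        tolower($1) == "match" { exit }     # conditional section begins
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# audit_sshd_config FILE
# Compare the global section with the page's recommendations. An unset keyword
# gets the OpenSSH 6.0 compiled-in default (PermitRootLogin and
# PasswordAuthentication both default to yes). Prints one line per setting
# that differs and returns how many there were (0 = all as recommended).
audit_sshd_config() {
    n=0
    # keyword:compiled-in default:recommended value
    for spec in PermitRootLogin:yes:no PasswordAuthentication:yes:no \
                PubkeyAuthentication:yes:yes X11Forwarding:no:no UsePAM:no:no; do
        key=${spec%%:*}; rest=${spec#*:}; def=${rest%%:*}; want=${rest#*:}
        val=$(effective_option "$1" "$key")
        val=$(printf '%s' "${val:-$def}" | tr 'A-Z' 'a-z')
        if [ "$val" != "$want" ]; then
            printf '%s is %s (page recommends %s)\n' "$key" "$val" "$want"
            n=$((n + 1))
        fi
    done
    return $n
}

# safe_restart NEWCONFIG
# Install NEWCONFIG as /etc/ssh/sshd_config only if sshd's parser accepts it,
# restart, and arm a revert to the previous file in 10 minutes. Keep your
# current session open, confirm a fresh login works, then disarm with:
#     rm /root/.sshd-revert-armed
safe_restart() {
    new=$1; live=/etc/ssh/sshd_config; flag=/root/.sshd-revert-armed
    # -t parses the config and host keys and exits non-zero on any error
    # without starting a daemon; -f names the file to test.
    if ! /usr/sbin/sshd -t -f "$new"; then
        echo "refusing to install $new: sshd -t failed" >&2; return 1
    fi
    cp -p "$live" "$live.bak" && cp "$new" "$live" || return 1
    touch "$flag"
    nohup sh -c "sleep 600; [ -e $flag ] || exit 0;
                 cp -p $live.bak $live; rm -f $flag; /etc/init.d/ssh restart" \
        >/dev/null 2>&1 &
    /etc/init.d/ssh restart
}

# Constructed sample: the page's recommendations written as directives.
# Port, address and account name are placeholders.
hardened_config() {
    cat <<'EOF'
Port 2222
ListenAddress 203.0.113.10
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
X11Forwarding no
UsePAM no
Match User accountname
    ChrootDirectory /home/accountname
    AllowTcpForwarding no
    X11Forwarding no
    ForceCommand internal-sftp
EOF
}

# Constructed sample resembling a distribution default before hardening.
weak_config() {
    cat <<'EOF'
Port 22
PermitRootLogin yes
# PasswordAuthentication no   <- still commented out, so the default (yes) applies
X11Forwarding yes
UsePAM yes
EOF
}

# Usage: sh sshd-check.sh audit FILE | restart NEWCONFIG
case "${1:-}" in
    audit)   audit_sshd_config "$2" && echo "$2 matches the recommendations" ;;
    restart) safe_restart "$2" ;;
esac
```
<br />
Edit a copy (say /etc/ssh/sshd_config.new), run "sh sshd-check.sh audit /etc/ssh/sshd_config.new" until it is clean, then "sh sshd-check.sh restart /etc/ssh/sshd_config.new" from your existing session. If the new port or ListenAddress turns out to be wrong, the armed revert puts the old file back and restarts sshd ten minutes later, which is what the watchdog in the Preparation section cannot do for you.<br />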
While I have yet to make this mistake personally (and have IPMI to fall back on now), I have seen stories from people who have messed this up.</div>
Vekseid