Securing ssh

I finally secured my ssh server after I got hacked twice. The first time was because I had a user named vmware with the password "vmware". The second time was because I had a user named test with the password "test". Yeah I know, not smart. Luckily both those users were not in the wheel group so they were fairly isolated. It looks like the just wanted my box to do port scans and cracking of other machines.

Here are a few things to add to your /etc/ssh/sshd_config file to make it more secure (in addition to the standard defaults):

#Change your port to something other than 22 (security by obscurity).
Port 22
#Limit which users can log on
AllowUsers david
#Not sure what this does but it is "turned on for security"
UsePrivilegeSeparation yes
#Enable key authentication
PubkeyAuthentication yes
#Fairly obvious
PermitEmptyPasswords no
#Disable passwords (force key authentication)
PasswordAuthentication no
ChallengeResponseAuthentication no

A couple other things I did was to install libpam_cracklib and set a better password for myself. Secondly I installed denyhosts which dynamically adds bad behaving clients to the /etc/hosts/deny list. Beware that it will add svn-over-ssh clients to this list (because svn often makes multiple ssh logins in succession) so you'll need to add the host that you're using svn from to the /etc/hosts.allow list.



Once you disallow password authentication and stick to public keys that's pretty much all you have to do. Then you can set your password to empty and it won't affect your security anyway. And no need to mess with accept/deny lists either.

Good point. Actually I did this in several incremental steps and the public key restriction was the last thing I did. I will probably get rid of denyhosts because it confuses svn clients with malicious attacks.

Why not using svn over webdav secured with https ?

Set up is more complicated, at least it was when I first set up my svn server (1.0). I set up an http+DAV one at work (without authentication though) and it was dead easy. I'll have to look into it again. Would I need to type my password everytime though? I like ssh with key authentication because I don't need to type my password every time, unless I use a key with a passphrase (and even then I can use a key agent).

Add new comment