[Klug-general] Hiding Port 22 on an SSH based VPN
karl at qdh.org.uk
Mon Apr 2 20:49:39 BST 2007
> You would do well to generate keys and only allow logins by this
> method, as well as any firewalling. And certainly disallow root
> logins by any method.
> I speak from experience of a server hacked.
AFAIK the only attacks against OpenSSH are weak passwords and monkey
in the middle with protocol 1.1, maybe a couple of buffer overflows
along the way, but as long as your password isn't easy to break
(letters, numbers, capitals, etc.) and you have up-to-date packages for
SSH, why not allow root logins? Sure, when telnet was king it was
prudent to use operator/wheel to log in and then su to root, running the
telnet process as operator/wheel; however, this still has the same
issues as allowing logins as root, as once you have shell access to a
system it's trivial to escalate privs.
I speak from experience too, poacher turned gamekeeper ;)
PS. Easiest way to secure a server running Linux? Use a Linux distro
which comes pre-configured to be reasonably secure and doesn't leave
the completely idiotic default settings which ship with most services,
e.g. sendmail, which has pretty much always shipped with default
configs which are laughable to most spammers.
I'm suggesting you use Red Hat, as 90% of the configuration is already done; as
long as you don't do stupid things you're pretty secure out of the box.
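As an added example (not part of the thread or either poster's own setup), a POSIX shell check that audits an sshd_config for the settings the two posts argue over: protocol 2 only, no root logins, no password logins, key logins enabled. It assumes sshd honours the first uncommented occurrence of a directive and that global settings end at the first `Match` block; the file path and directive values are constructed for illustration.

```shell
#!/bin/sh
# Audit an sshd_config for the settings argued over in the thread: SSH
# protocol 2 only, no root logins, no password logins, key logins on.
# Prints one line per finding and returns the number of findings (0 = clean).
# Assumption: sshd honours the first uncommented occurrence of a directive,
# and global settings end at the first "Match" block, which is skipped here.

# Effective global value of a directive (first uncommented occurrence before
# any Match block), or nothing if it is not set. Names are case-insensitive.
sshd_value() {
    # $1 = config file, $2 = directive name
    awk -v key="$2" '
        tolower($1) == "match"       { exit }
        tolower($1) == tolower(key)  { print $2; exit }
    ' "$1"
}

# One finding unless the directive is explicitly set to the expected value
# (defaults vary between OpenSSH versions, so "unset" is reported too).
check_directive() {
    # $1 = config file, $2 = directive, $3 = expected value, $4 = reason
    actual=$(sshd_value "$1" "$2")
    if [ "$(printf '%s' "$actual" | tr 'A-Z' 'a-z')" = "$3" ]; then
        return 0
    fi
    echo "FINDING: $2 is '${actual:-unset}', expected '$3' ($4)"
    return 1
}

# Run every check over one file; the return code is the number of findings.
audit_sshd_config() {
    findings=0
    check_directive "$1" Protocol 2 \
        "protocol 1 is the version the thread calls attackable" || findings=$((findings + 1))
    check_directive "$1" PermitRootLogin no \
        "the quoted advice: never log in directly as root" || findings=$((findings + 1))
    check_directive "$1" PasswordAuthentication no \
        "weak passwords are the attack both posters mention" || findings=$((findings + 1))
    check_directive "$1" PubkeyAuthentication yes \
        "keys should be the only login method left" || findings=$((findings + 1))
    return "$findings"
}

# Usage: audit_sshd_config /etc/ssh/sshd_config; echo "findings: $?"
```

A directive set only inside a `Match` block is deliberately not counted as the global value, since sshd applies it only to the matching users or hosts.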