[WBEL-users] SSH Hack/Login attempts
jamaguy
jamaguy@nervesync.com
Sun, 08 Aug 2004 18:19:26 +0700
Another useful sshd_config directive that isn't in the sshd_config by
default any longer in most releases is AllowUsers. If you can get away
with allowing only a limited x number of users from certain hosts and
denying the rest it can be very handy. Otherwise there is also a
directive for DenyUsers.
example:
AllowUsers nonprivuser@192.168.0.1 nonprivuser2@192.168.0.2 nonprivuser3
Each user or user@host is delimited by a space, and they are all on one
line (word wrapping is not your friend if the list is longer than 3 or 4
users allowed from specific hosts...)
The directive doesn't seem to support ranges of IPs, so it is allow
from one host or allow from all hosts, unless one forgoes using the
@host portion altogether (nonprivuser3 above) and lets in host ranges
using iptables instead.
It is also good to disable SSH v1 (Protocol 2), turn off
PasswordAuthentication (PasswordAuthentication no), turn on
PubkeyAuthentication (PubkeyAuthentication yes) (AuthorizedKeysFile
.ssh/authorized_keys) and generate key pairs using ssh-keygen for users
(then prepare to spend the next week fielding questions from them on how
to use keys - If you use it note that ssh.com's win32 ssh client
requires the full commercial version to support Keys, PuTTY - tweak the
session defaults before using it, I've heard that there are default
connection settings that are not secure unless changed prior to
connection... anyone? - and cygwin openssh clients are also workable
alternatives for client ssh client access using PublicKeyAuth).
More info:
man sshd_config
Ben
Jeff Maze wrote:
>Hello,
> I was wondering if there's a way to block some user names/accounts
>from attempting to be logged into via SSH. Lately, over the last week or
>so, I've seen a lot of login attempts via test, admin, and guest accounts.
>I have the PermitRootLogin=No in the sshd_conf file but was wondering if I
>add the above mentioned accounts, they won't even get a password prompt.
> Thanks..
>
>Oh yea, there aren't admin, test, nor guest accounts created on the machine
>but they keep trying to use them to login.
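Added example, not part of the original message and not OpenSSH code: a small Python lint for the sshd_config settings discussed above, including the wrapped AllowUsers line the message warns about. The function name, the keyword subset and the two sample configs are constructed for illustration; the check assumes whitespace-separated "Keyword value" lines and requires the settings to be stated explicitly instead of relying on sshd defaults.

```python
# Lint sshd_config-style text for the directives named in the message (2004-era).
# KNOWN is a small constructed subset of keywords, not sshd's full list.
KNOWN = {"allowusers", "denyusers", "protocol", "passwordauthentication",
         "pubkeyauthentication", "authorizedkeysfile", "permitrootlogin"}
WANTED = {"protocol": "2", "passwordauthentication": "no", "pubkeyauthentication": "yes"}

def lint_sshd_config(text):
    """Return (allow_entries, findings); allow_entries are (user, host-or-None)."""
    first_value = {}  # single-valued keywords: the first occurrence is kept
    allow, findings = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        key, args = parts[0].lower(), parts[1:]
        if key not in KNOWN:
            # sshd_config has no line continuation, so the tail of a wrapped
            # AllowUsers list shows up here as an unknown keyword.
            findings.append(f"line {lineno}: unknown keyword {parts[0]!r} (wrapped line?)")
        elif key == "allowusers":
            for entry in args:
                user, _, host = entry.partition("@")
                allow.append((user, host or None))
        else:
            first_value.setdefault(key, " ".join(args).lower())
    for key, want in WANTED.items():
        got = first_value.get(key)
        if got != want:
            findings.append(f"{key}: want {want!r}, found {got!r}")
    return allow, findings

# Constructed samples: the message's AllowUsers list, wrapped and then on one line.
WRAPPED = """\
Protocol 2
PasswordAuthentication yes
AllowUsers nonprivuser@192.168.0.1 nonprivuser2@192.168.0.2
nonprivuser3
"""
FIXED = """\
Protocol 2
PasswordAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
AllowUsers nonprivuser@192.168.0.1 nonprivuser2@192.168.0.2 nonprivuser3
"""
if __name__ == "__main__":
    for name, cfg in (("wrapped", WRAPPED), ("fixed", FIXED)):
        print(name, *lint_sshd_config(cfg), sep="\n  ")
```

On a live host, sshd -t performs the authoritative syntax check of the real configuration file.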