[WBEL-users] does anyone have any suggestions for setting up a
remote SSH server using WB 3.0?
Alex Tkachenko
alex@ingrian.com
Sat, 16 Oct 2004 13:47:54 -0700
On Thu, 2004-09-30 at 04:52, Van Loggins wrote:
> Benjamin J. Weiss wrote:
>
> >On Wed, 29 Sep 2004, Van Loggins wrote:
> >
> >
> >
> >>I need to make it as secure as possible.
> >>
> >>I currently have an old Celeron 700 MHz system running Fedora Core 1
> >>working as a remote SSH server, but since fedora has dropped official
> >>support for it, and I keep getting numerous attempts to log into the
> >>system using nonexistent accounts from different IP addresses
> >>(unsuccessful so far), I feel that I need something more secure.
> >>
> >>I'm replacing the large clunky Celeron 700 MHz system with a much more
> >>streamlined Mini-Itx system, this way I take up less cabinet space, and
> >>get the same performance. I have loaded the unit with WhiteBox Linux 3.0
> >>and it seems to work very well on it. The unit has an Epia Via C3 800 MHz
> >>processor, 128 megs of ram, and a 4.3 gig laptop hard drive. No CD-Rom
> >>or Floppy. I used a USB CD-RW drive to install WB 3.0 onto it.
> >>
> >>The system needs to be configured to allow 3 different people to connect
> >>into it from any IP address on the internet, absolutely no SSH root
> >>Access (authorized users will use su to switch to root if needed), and
> >>if possible I would like to configure the system so that it will drop an
> >>ip address using iptables if more than 4 or 5 attempts are made from it
> >>to log into the system using either a nonexistent account or as root.
> >>Also the old system is configured not to allow X to work through SSH, so
> >>I plan on setting the new system up the same way
> >>
> >>The new system also does not have X installed or configured
> >>
> >>any suggestions you can offer me on ways to accomplish my goal are most
> >>welcome.
> >>
> >>
> >
> >One thing that you should do is to change the Protocol 2,1 line to only
> >have protocol 2. Protocol 1 has some nasty holes in it. Don't forget to
> >restart the sshd service afterwards.
> >
> >
> >
> Thanks to all who had suggestions about this.
>
> I was able to set ssh up on this system and get it configured to do what
> I wanted pretty much.
>
> I locked down the firewall to only allow traffic in to the system on
> port 110 and 22
Could I now sniff out the username/password from pop session and then
use credentials to login through ssh? :) Just kidding...
Have a great weekend,
Alex
>
> the system is protected by a hardware firewall which only allows access
> to the system thru port 22. I opened the software firewall to allow 110
> so I could pop the system from our internal network so I can get the
> system logs sent to root each day.
>
> I still have some minor stuff to do, but I'm pretty close to being ready
> with this system.
>
> Whitebox Linux works very well on this system. :)
>
> thanks again
>
> Van
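One way to approach the "drop an IP after 4 or 5 bad attempts" goal from the original question, as an added example that is not part of the thread or of WhiteBox Linux: a small script that scans sshd auth-log lines for failed logins against nonexistent accounts or root, counts them per source address, and emits the iptables DROP commands for offenders rather than running them. The log sample, hostname `gw` and the 192.0.2.0/24 addresses are constructed for illustration; the threshold default is the 5 attempts the poster mentioned.

```python
import re
from collections import Counter

# Constructed sample of sshd auth-log lines (RFC 5737 test addresses), not a real log.
SAMPLE_LOG = """\
Sep 29 04:52:01 gw sshd[2201]: Failed password for invalid user test from 192.0.2.10 port 4022 ssh2
Sep 29 04:52:03 gw sshd[2201]: Failed password for invalid user admin from 192.0.2.10 port 4023 ssh2
Sep 29 04:52:05 gw sshd[2202]: Failed password for invalid user oracle from 192.0.2.10 port 4024 ssh2
Sep 29 04:52:07 gw sshd[2203]: Failed password for invalid user guest from 192.0.2.10 port 4025 ssh2
Sep 29 04:52:09 gw sshd[2204]: Failed password for invalid user backup from 192.0.2.10 port 4026 ssh2
Sep 29 04:53:00 gw sshd[2210]: Failed password for root from 192.0.2.11 port 5001 ssh2
Sep 29 04:53:02 gw sshd[2211]: Failed password for root from 192.0.2.11 port 5002 ssh2
Sep 29 04:55:10 gw sshd[2220]: Failed password for van from 192.0.2.12 port 6001 ssh2
Sep 29 04:55:20 gw sshd[2221]: Accepted password for van from 192.0.2.12 port 6002 ssh2
"""

# Matches the two failure kinds the thread wants to act on: unknown accounts ("invalid user")
# and root. A failed attempt against a legitimate account is deliberately not counted.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

def count_bad_attempts(log_text):
    """Count, per source IP, failed logins for nonexistent accounts or for root."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m and (m.group("invalid") or m.group("user") == "root"):
            counts[m.group("ip")] += 1
    return counts

def offenders(log_text, threshold=5):
    """Return the sorted IPs that reached the threshold of bad attempts."""
    return sorted(ip for ip, n in count_bad_attempts(log_text).items() if n >= threshold)

def iptables_drop_rules(ips):
    """Build the iptables commands an operator would review and run; nothing is executed here."""
    return ["iptables -I INPUT -s %s -p tcp --dport 22 -j DROP" % ip for ip in ips]

if __name__ == "__main__":
    print(dict(count_bad_attempts(SAMPLE_LOG)))
    for rule in iptables_drop_rules(offenders(SAMPLE_LOG)):
        print(rule)
```

Fed the real log (for example `/var/log/secure` on a Red Hat derived system) instead of the sample, the same functions give the per-IP counts and the candidate rules; a cron job or syslog hook would be the natural place to run it.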