[WBEL-users] does anyone have any suggestions for setting up a remote SSH server using WB 3.0?

Alex Tkachenko alex@ingrian.com
Sat, 16 Oct 2004 13:47:54 -0700


On Thu, 2004-09-30 at 04:52, Van Loggins wrote:
> Benjamin J. Weiss wrote:
> 
> >On Wed, 29 Sep 2004, Van Loggins wrote:
> >
> >  
> >
> >>I need to make it as secure as possible.
> >>
> >>I currently have an old Celeron 700 MHz system running Fedora Core 1 
> >>working as a remote SSH server, but since Fedora has dropped official 
> >>support for it, and I keep getting numerous attempts to log into the 
> >>system using nonexistent accounts from different IP addresses 
> >>(unsuccessful so far), I feel that I need something more secure.
> >>
> >>I'm replacing the large clunky Celeron 700 MHz system with a much more 
> >>streamlined Mini-Itx system, this way I take up less cabinet space, and 
> >>get the same performance. I have loaded the unit with WhiteBox Linux 3.0 
> >>and it seems to work very well on it. The unit has an Epia Via C3 800 MHz 
> >>processor, 128 megs of RAM, and a 4.3 gig laptop hard drive. No CD-ROM 
> >>or Floppy. I used a USB CD-RW drive to install WB 3.0 onto it.
> >>
> >>The system needs to be configured to allow 3 different people to connect 
> >>into it from any IP address on the internet, absolutely no SSH root 
> >>Access (authorized users will use su to switch to root if needed), and 
> >>if possible I would like to configure the system so that it will drop an 
> >>ip address using iptables if more than 4 or 5 attempts are made from it 
> >>to log into the system using either a nonexistent account or as root. 
> >>Also the old system is configured not to allow X to work through SSH, so 
> >>I plan on setting the new system up the same way.
> >>
> >>The new system also does not have X installed or configured.
> >>
> >>Any suggestions you can offer me on ways to accomplish my goal are most 
> >>welcome.
> >>    
> >>
> >
> >One thing that you should do is to change the Protocol 2,1 line to only 
> >have protocol 2.  Protocol 1 has some nasty holes in it.  Don't forget to 
> >restart the sshd service afterwards.
> >
> >  
> >
> Thanks to all who had suggestions about this.
> 
> I was able to set ssh up on this system and get it configured to do what 
> I wanted pretty much.
> 
> I locked down the firewall to only allow traffic in to the system on 
> port 110 and 22.
Could I now sniff out the username/password from the POP session and then
use the credentials to log in through ssh? :) Just kidding...

Have a great weekend,
Alex

> 
> The system is protected by a hardware firewall which only allows access 
> to the system thru port 22. I opened the software firewall to allow 110 
> so I could pop the system from our internal network, so I can get the 
> system logs sent to root each day.
> 
> I still have some minor stuff to do, but I'm pretty close to being ready 
> with this system.
> 
> Whitebox Linux works very well on this system. :)
> 
> Thanks again
> 
> Van
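
One way to find the addresses the original question wants dropped (more than 4 or 5 failed logins as root or as a nonexistent account), as an added example that is not part of the thread: it scans sshd syslog lines and emits iptables DROP rules. The log lines are constructed, the "illegal user"/"invalid user" wording is assumed to match what the installed OpenSSH writes, and the threshold, user names and function names are hypothetical.

```python
import ipaddress
import re
from collections import Counter

THRESHOLD = 5  # assumption: taken from the post's "more than 4 or 5 attempts"

# The user name is chosen by the remote client and may contain spaces or the
# word "from", so it is matched greedily and the address is taken from the
# END of the line, where sshd itself wrote it.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for "
    r"(?P<bad>(?:illegal|invalid) user )?(?P<user>.*) "
    r"from (?P<ip>\S+) port \d+(?: ssh2)?\s*$"
)

def offenders(log_text, threshold=THRESHOLD):
    """IPs with more than `threshold` failed logins as root or as a
    nonexistent account, sorted as strings."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue
        if not (m.group("bad") or m.group("user") == "root"):
            continue  # wrong password on a real account: not counted
        try:
            counts[str(ipaddress.IPv4Address(m.group("ip")))] += 1
        except ValueError:
            continue  # not a valid IPv4 address, never turn it into a rule
    return sorted(ip for ip, n in counts.items() if n > threshold)

def drop_rules(ips):
    """iptables commands that drop all traffic from each address."""
    return ["iptables -I INPUT -s %s -j DROP" % ip for ip in ips]

def _line(who, ip):  # builds one constructed syslog line
    return ("Oct 16 13:40:01 host sshd[2211]: Failed password for %s "
            "from %s port 40022 ssh2" % (who, ip))

# Constructed sample log (documentation address ranges, hypothetical users).
SAMPLE_LOG = "\n".join(
    [_line("illegal user admin", "203.0.113.7")] * 4
    + [_line("root", "203.0.113.7")] * 2
    + [_line("alice", "198.51.100.20")] * 8  # real user mistyping
    + [_line("illegal user x from 192.0.2.9 port 22 ssh2", "203.0.113.50")] * 6
    + [_line("root", "192.0.2.77")] * 5  # exactly at the threshold
)

if __name__ == "__main__":
    print("\n".join(drop_rules(offenders(SAMPLE_LOG))))
```

The fourth group of sample lines carries a user name that itself contains "from 192.0.2.9"; the rule is still written for the connecting address at the end of the line, so a crafted user name cannot get someone else's address blocked.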