[WBEL-users] does anyone have any suggestions for setting up a
remote SSH server using WB 3.0?
Conor Wynne
weeboy@conorwynne.com
Wed, 29 Sep 2004 19:06:11 +0100
On Wed, 2004-09-29 at 18:42, Benjamin J. Weiss wrote:
> On Wed, 29 Sep 2004, Van Loggins wrote:
>
> > I need to make it as secure as possible.
> >
> > The system needs to be configured to allow 3 different people to connect
> > into it from any IP address on the internet, absolutely no SSH root
> > Access (authorized users will use su to switch to root if needed), and
> > if possible I would like to configure the system so that it will drop an
> > ip address using iptables if more than 4 or 5 attempts are made from it
> > to log into the system using either a nonexistent account or as root.
> > Also the old system is configured not to allow X to work through SSH, so
> > I plan on setting the new system up the same way
> >
> > The new system also does not have X installed or configured
You don't need it, DISPLAY can be exported anywhere you wish.
> >
> > any suggestions you can offer me on ways to accomplish my goal are most
> > welcome.
>
> One thing that you should do is to change the Protocol 2,1 line to only
> have protocol 2. Protocol 1 has some nasty holes in it. Don't forget to
> restart the sshd service afterwards.
Another is to only allow key-based encryption.
On each client do:
ssh-keygen -t dsa
Give it a passphrase, a sufficiently long one, and then:
cat the key to $USER/.ssh/authorized_keys
Once done, edit /etc/ssh/sshd_config
Disable password authentication, and unless the user has a key they
cannot access.
You can then give those users sudo access to any root commands they may
require, rather than giving them 'God' access. I would not trust _any_
su over the internet. Always be paranoid :)
Now they can access from anywhere on the intraweb (any IP address)
Safe as houses :)
Any more suggestions guys?
Regards
Conor
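
Added example, not part of the original message or of any poster's setup: a small audit of an sshd_config against the settings this thread asks for (protocol 2 only, no root login, no password authentication, no X forwarding). The mapping of the thread's requirements onto the PermitRootLogin and X11Forwarding keywords, and both sample configs, are assumptions constructed for the example.

```python
# Added example: check an sshd_config for the hardening discussed in this thread.
# sshd uses the first value it obtains for a keyword, and keywords are
# case-insensitive, so a later contradictory line does not change the result.

WANTED = {
    "protocol": "2",                 # protocol 2 only, not "2,1"
    "permitrootlogin": "no",         # no direct root logins over SSH
    "passwordauthentication": "no",  # keys only
    "x11forwarding": "no",           # no X through SSH
}

# Constructed sample inputs (not taken from the thread).
SAMPLE = """\
Protocol 2,1
PermitRootLogin no
#PasswordAuthentication no
X11Forwarding no
x11forwarding yes
"""
HARDENED = "Protocol 2\nPermitRootLogin no\nPasswordAuthentication no\nX11Forwarding no\n"

def parse_sshd_config(text):
    """Return {keyword: value} for the global section, first occurrence wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                 # blank line or commented-out setting
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break                    # conditional blocks are not audited here
        if len(parts) == 2:
            settings.setdefault(key, parts[1].strip())
    return settings

def audit(text):
    """Return [(keyword, found, wanted)] for every setting that is wrong or unset."""
    settings = parse_sshd_config(text)
    findings = []
    for key, wanted in WANTED.items():
        found = settings.get(key)    # None: not set explicitly, default applies
        if found != wanted:
            findings.append((key, found, wanted))
    return findings

if __name__ == "__main__":
    for key, found, wanted in audit(SAMPLE):
        print(f"{key}: found {found!r}, want {wanted!r}")
```

To check a real host, pass the contents of /etc/ssh/sshd_config to audit(); an unset keyword is reported so that nothing is left to the version's built-in default.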