[WBEL-users] does anyone have any suggestions for setting up a remote SSH server using WB 3.0?

Conor Wynne weeboy@conorwynne.com
Wed, 29 Sep 2004 19:06:11 +0100

On Wed, 2004-09-29 at 18:42, Benjamin J. Weiss wrote:
> On Wed, 29 Sep 2004, Van Loggins wrote:
> > I need to make it as secure as possible.
> > 
> > The system needs to be configured to allow 3 different people to connect 
> > into it from any IP address on the internet, absolutely no SSH root 
> > Access (authorized users will use su to switch to root if needed), and 
> > if possible I would like to configure the system so that it will drop an 
> > ip address using iptables if more than 4 or 5 attempts are made from it 
> > to log into the system using either a nonexistant account or as root. 
> > Also the old system is configured not to allow X to work through SSH, so 
> > I plan on setting the new system up the same way
> > 
> > The new system also does not have X installed or configured

You dont need it, DISPLAY can be exported anywhere you wish. 

> > 
> > any suggestions you can offer me on ways to accomplish my goal are most 
> > welcome.
> One thing that you should do is to change the Protocol 2,1 line to only 
> have protocol 2.  Protocol 1 has some nasty holes in it.  Don't forget to 
> restart the sshd service afterwards.

Another is to only allow keybased encryption. 
On each client do: 
ssh-keygen -t dsa 
Give it a passphrase, a sufficiently long one, and then:
cat the key to $USER/.ssh/authorized_keys

Once done,edit /etc/ssh/sshd_config
Disable password authentication, and unless the user has a key they
cannot access. 

You can then give those users sudo access to any root commands they may
require, rather than giving them 'God' access. I would not trust _any_
su over the internet. Always be paranoid :)

Now they can access from anywhere on the intraweb (any Ipaddress)
Safe as houses :)

Any more suggestions guys?