root and sshd



ms1234
31st July 2007, 06:40 AM
I have disabled remote root login on sshd but still I see from my daily logwatch now and then messages like below:

sshd:
Authentication Failures:
root (79.119.32.88): 2 Time(s)

As far as I understood, disabling remote root login would not even allow someone to try, or does it still register as a failure?

marcrblevins
31st July 2007, 06:45 AM
How did you disable root to ssh?

I see Authentication Failures in my logwatch a gazillion times. It got shorter when I installed denyhosts.



su -
yum install denyhosts
chkconfig denyhosts on
service denyhosts start

ms1234
31st July 2007, 06:48 AM
I put

PermitRootLogin no

in the sshd_config file. I also have denyhosts running but not as strict apparently :)

William Haller
31st July 2007, 03:36 PM
Modifying the sshd configuration file won't keep people from trying. If you really want a secure sshd setup, then configure your firewall to only allow connections to sshd from known IP addresses and then use RSA verification of hosts and certificates to boot. Then you really don't have much to worry about in leaving root access open if needed.

ms1234
1st August 2007, 07:56 AM
Thanks for the info. What does the RSA verification actually do? Does it require you to carry some certificate with you (the other part of the key), or what is it about?

William Haller
1st August 2007, 02:59 PM
If you look in your /etc/ssh directory you will see that when the DSA and RSA keys were generated for your server, there were two public keys created with them. An example is ssh_host_rsa_key.pub.

Rather than do a poor job of explaining how they are used, do a man ssh and a man sshd from the command line. Search for RSA and DSA, known_hosts, id_dsa, and authorized_keys. In a sense the public parts are carried around once (sometimes automatically) and stored on computers you might log in from manually. After that, you can use them as needed.

marcrblevins
1st August 2007, 06:49 PM
I wouldn't bother disabling root login to ssh as long as you use a very VERY GOOD password.
Fedora defaults to ssh protocol #2. That is more secure than ssh protocol #1.

Just read your logwatch e-mails every day; it tells you how many times ssh login has been successful/failed.

ajoian
1st August 2007, 07:00 PM
SSHD is compiled with libwrap, so use /etc/hosts.allow, allowing one IP like so:

SSHD: 127.0.0.1
SSHD: 192.168.0.32 or any IP that you want

and in /etc/hosts.deny put:

SSHD: ALL

After this you will have no other problems, also an iptables firewall is mandatory.

Zotter
1st August 2007, 07:36 PM
SSHD is compiled with libwrap, so use /etc/hosts.allow, allowing one IP like so:

SSHD: 127.0.0.1
SSHD: 192.168.0.32 or any IP that you want

and in /etc/hosts.deny put:

SSHD: ALL

After this you will have no other problems, also an iptables firewall is mandatory.

Or even better yet, automate that process as well as use a shared database of known crackers to prevent them in the first place.

http://denyhosts.sourceforge.net

Denyhosts watches your log file. When it sees any one IP has failed a pre-set number of login attempts (say, 5 failures), the originating IP is automagically added to /etc/hosts.deny for a pre-determined amount of time. It also reports that IP to a central server. When any one IP gets listed as a persistent attacker, that IP gets shared with other denyhosts users and added to their /etc/hosts.deny before the attacker even gets to them. And you can configure how long they get listed, what it takes to get listed, what services are blocked and more. VERY effective.
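
The threshold logic described in the post above, as an added example that is not part of the original thread and is not DenyHosts' own code. The log lines are constructed samples in the style of /var/log/secure, the function names are hypothetical, and the allow-list reuses the addresses from the hosts.allow example; failed attempts against root are still logged and counted even when PermitRootLogin is set to no.

```python
import re
from collections import Counter

# Constructed sample lines in the style of /var/log/secure (not from the thread).
SAMPLE_LOG = """\
Jul 31 03:12:01 host sshd[2101]: Failed password for root from 203.0.113.7 port 40122 ssh2
Jul 31 03:12:04 host sshd[2101]: Failed password for root from 203.0.113.7 port 40122 ssh2
Jul 31 03:12:09 host sshd[2105]: Failed password for invalid user admin from 203.0.113.7 port 40177 ssh2
Jul 31 03:15:30 host sshd[2110]: Failed password for root from 198.51.100.23 port 51514 ssh2
Jul 31 03:16:02 host sshd[2113]: Accepted password for alice from 192.168.0.32 port 50022 ssh2
Jul 31 03:20:45 host sshd[2120]: Failed password for invalid user test from 203.0.113.7 port 40301 ssh2
Jul 31 03:21:10 host sshd[2125]: Failed password for alice from 192.168.0.32 port 50030 ssh2
"""

# Matches failed password attempts for both existing and unknown accounts.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) "
    r"from (\d{1,3}(?:\.\d{1,3}){3}) "
)

def count_failures(log_text):
    """Return a Counter of failed-login attempts per source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            counts[m.group(2)] += 1
    return counts

def deny_entries(log_text, threshold=3, allowed=("127.0.0.1", "192.168.0.32")):
    """Return hosts.deny lines for IPs at or above the threshold.

    Addresses on the allow-list are never blocked, so a mistyped
    password from a trusted host cannot lock its owner out.
    """
    counts = count_failures(log_text)
    return [f"sshd: {ip}" for ip, n in sorted(counts.items())
            if n >= threshold and ip not in allowed]

if __name__ == "__main__":
    for ip, n in count_failures(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} failure(s)")
    print("\n".join(deny_entries(SAMPLE_LOG)))
```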

ajoian
1st August 2007, 09:22 PM
The only line you need is in /etc/hosts.deny: SSHD: ALL (then you don't need to run denyhosts :) ). This line does the same job as denyhosts and will block automatically any attempts, and since you have a firewall and within that firewall you specify a couple of IPs that are allowed to ssh in, then you're bulletproof.

bchager
2nd August 2007, 08:32 PM
I have an IEEE 802.11G PCI adapter and have downloaded the Linux driver. Question! How do I get the card set up in Linux? Thanks

ajoian
2nd August 2007, 08:36 PM
First of all, take a minute and post in the right section, and then if it is not too hard for you, use the search capabilities of the forum, you'll be amazed ... duuh !!!

bob
2nd August 2007, 09:54 PM
Moved to General Support. And, Ajoian, your last post is not called for, nor is it the way we treat members here at FedoraForum.org. Bcharger, you've added a question to someone else's thread. That's not the way to do it. You should start your own thread to get results. Simply go under Forums, choose the right one and then click the "new topic" button.