Securing SSH on Debian Sarge

I've set up my Epia server at home to allow SSH logins on port 22 from a standard user account that I've created. I have set up the ssh_config file to DenyUser root, DenyGroup admins and AllowUser <user account>. I've also set it up to accept connections from my internal network 192.168.0.0, my work network and my workstation here (as I'm not sure how the proxy works yet).

Is there anything else I can do to secure SSH? I've had a few "hacking" attempts since I set it up so I think at the moment I've done all I can. I have a strong password (8 characters, mix of upper/lowercase & numbers) and set up Cron to apt-get update/upgrade every night, though maybe that's a bit risky if anything goes wrong. I could change the listen port on SSH to something else though I doubt it'll do much?

I also have ClamAV running a full scan at midnight as I also have Samba installed to accept from 192.168.0.0.
 
You could use SSH keys instead of a password. The keys can be protected by a passphrase, which is harder to brute-force than a password.
 
If you haven't already, you can firewall port 22 off for everywhere except the addresses you will be connecting from, and use SSHD: ip.add.re.ss lines in /etc/hosts.allow, along with denying SSHD: ALL in /etc/hosts.deny.

That's what I have on my home server as well as sshd_config, and it reduces SSH login attempts to attempts to connect on port 22 which fail.
 
I've changed the port now to something else more vague. I'll have a look at SSH keys for users as well.

Thanks everyone for the help. :)
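
As an added example (not code posted by anyone in this thread), a small Python check for the sshd_config settings suggested above. It assumes OpenSSH's documented rule that the first value obtained for a keyword is used, reads only the global section before any Match line, and runs on a constructed sample config with a hypothetical user `alice`.

```python
import shlex

# Constructed sample input (not from the thread): a config that still has the
# weak settings the posters are trying to move away from.
SAMPLE = """\
# /etc/ssh/sshd_config (constructed)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
permitrootlogin no
Match Address 192.168.0.0/24
    AllowUsers alice
    PasswordAuthentication no
"""

def parse_global(text):
    """Collect keyword -> list of argument lists for the global section only."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        key, args = parts[0].lower(), parts[1:]  # keywords are case-insensitive
        if key == "match":  # everything after this applies conditionally
            break
        if args:
            seen.setdefault(key, []).append(args)
    return seen

def audit(text):
    """Return findings for the hardening steps suggested in the thread."""
    cfg = parse_global(text)
    # First value wins, so a later "permitrootlogin no" does not override "yes".
    first = lambda k, d: (cfg.get(k) or [[d]])[0][0].lower()
    findings = []
    if first("permitrootlogin", "unset") != "no":
        findings.append("root-login: PermitRootLogin is not 'no'")
    if first("passwordauthentication", "yes") != "no":
        findings.append("password-auth: passwords accepted, keys not enforced")
    if "allowusers" not in cfg and "allowgroups" not in cfg:
        findings.append("no-allowlist: no global AllowUsers/AllowGroups")
    if first("port", "22") == "22":
        findings.append("default-port: listening on 22")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The sample trips all four checks: the second `permitrootlogin` line is ignored because the first value is kept, and the `AllowUsers` line sits inside a Match block, so it is not a global allowlist.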
 