Line 1: |
Line 1: |
| + | {{Outdated}} |
| + | |
| + | {{Note box|As of SME9 there is the [http://wiki.contribs.org/AutoBlock AutoBlock] feature and there is the [http://wiki.contribs.org/Fail2ban Fail2ban] contrib.}} |
| + | |
| + | {{Note box | 2013/2/17: SSH password harvesting attacks have been reported on non-standard ports: [http://bsdly.blogspot.ca/2013/02/theres-no-protection-in-high-ports.html There's No Protection In High Ports Anymore]<br /><br />Do not rely solely on changing the listening port when securing ssh on your server. }} |
| + | |
| == Changing the default ssh port on SME 7 == | | == Changing the default ssh port on SME 7 == |
| | | |
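Review bot: the 2013/2/17 note box tells the reader what not to rely on (the listening port alone) but not what to rely on instead, and the page's own Conclusions section already answers that ("Public/private key security is recommended"), so the note should point there rather than leave the reader at the top of the page with only a warning. Suggested wording for the note box: "Do not rely solely on changing the listening port when securing ssh on your server; see [[#Conclusions|Conclusions]] for the recommended public/private key setup." The first note box could likewise say that AutoBlock and Fail2ban are rate-limiting/blocking measures that complement key-based login, not replacements for it.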
Line 7: |
Line 13: |
| Based on: [http://no.longer.valid/phpwiki/index.php/Changing%20the%20default%20ssh%20port Changing the default ssh port] written by cc_skavenger. Use his howto if you are running SME 5.6 - 6.x! | | Based on: [http://no.longer.valid/phpwiki/index.php/Changing%20the%20default%20ssh%20port Changing the default ssh port] written by cc_skavenger. Use his howto if you are running SME 5.6 - 6.x! |
| | | |
− | [[#Procedure:_SME_7.1.3|Updated 4/11/07 for SME 7.1.3 (possibly 7.1.x?)]] | + | * Update 7/25/07 to point out that this howto is not needed as of SME 7.2 |
| + | * Updated 5/28/07 to correct minor typos and improve clarity |
| + | * [[#Procedure:_SME_7.1.3|Updated 4/11/07 for SME 7.1.3 (possibly 7.1.x?)]] |
| | | |
| | | |
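Review bot: the unchanged "Based on:" line still tells SME 5.6 - 6.x users to "Use his howto" at a URL whose host is literally no.longer.valid, so the hunk adds an update log around a dead instruction. Either drop the "Use his howto if you are running SME 5.6 - 6.x!" sentence or note in the new update list that the original howto is no longer available; the three new bullets are otherwise consistent with the 7.2 procedure this revision introduces.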
Line 14: |
Line 22: |
| In order to change the default port used by the sshd server in SME 7.0 you must change two configuration files on the SME server: | | In order to change the default port used by the sshd server in SME 7.0 you must change two configuration files on the SME server: |
| | | |
− | *1. you must tell sshd what port to listen on in /etc/ssh/sshd_config and
| + | # you must tell sshd what port to listen on in /etc/ssh/sshd_config and |
− | *2. you must configure /etc/rc.d/init.d/masq to allow inbound traffic on your new sshd port
| + | # (pre 7.1x) you must configure /etc/rc.d/init.d/masq to allow inbound traffic on your new sshd port |
| + | |
| + | As of SME 7.1.3 (and possibly from 7.1 onwards?) you can change this port completely by modifying configuration database entries (there is no longer a need to create a custom template). |
| + | |
| + | |
| + | SME 7 uses the special db values 'TCPPort' and UDPPort' to control the iptables configuration instead of in the 'masq' templates as was done on 5.6 - 6.0x. See http://wiki.contribs.org/DB_Variables_Configuration#IPTables_firewall_.28masq.29 for more information. |
| | | |
− | As of SME 7.1.3 (and possibly from 7.1 onwards?) you can change this port completely by modifying configuration database entries (there is no longer an need to create a custom template).
| + | This howto demonstrates |
| | | |
| + | # (pre 7.1) how to use a custom template fragment to modify sshd_config |
| + | # how to change the configuration database to open the desired non-standard port for your sshd server |
| + | # how to use 'expand-template' to re-generate the new sshd_config and masq files |
| + | # how to force the sshd and firewall services to recognize the new configurations |
| | | |
− | SME 7 keeps the firewall information in the 'configuration' database instead of in the 'masq' templates as was done on 5.6 - 6.0x; this howto demonstrates | + | I have inserted the procedure for SME 7.1.3 here and left the old procedure in place below for anyone still running 7.0 |
| | | |
− | *1. how to use a custom template fragment to modify sshd_config (Does not apply to SME 7.1.3)
| + | === Procedure: SME 7.2 === |
− | *2. how to change the configuration database to open the desired non-standard port for your sshd server
| |
− | *3. how to use 'expand-template' to re-generate the new sshd_config and masq files
| |
− | *4. how to force the sshd and firewall services to recognize the new configurations
| |
| | | |
− | I have inserted the procedure for SME 7.1.3 at below, and left the old procedure in place for anyone still running 7.0
| + | # Login to server-manager on your SME |
| + | # Select "Remote access" (under "Security") |
| + | # Enter the desired port number in "TCP port for secure shell access" |
| + | # Click "Save" |
| | | |
| === Procedure: SME 7.1.3 === | | === Procedure: SME 7.1.3 === |
| ==== Summary Version: ==== | | ==== Summary Version: ==== |
− | | + | (note: these commands will still work in 7.2) |
| config setprop sshd TCPPort <newport> | | config setprop sshd TCPPort <newport> |
| signal-event remoteaccess-update | | signal-event remoteaccess-update |
− | /etc/init.d/sshd restart | + | service sshd restart |
| See [[#Conclusions|Conclusions]] | | See [[#Conclusions|Conclusions]] |
| | | |
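Review bot: the rewritten sentence "I have inserted the procedure for SME 7.1.3 here and left the old procedure in place below for anyone still running 7.0" is now wrong, because what this hunk inserts is "=== Procedure: SME 7.2 ===" and the 7.1.3 procedure was already present; it should read "I have inserted the procedure for SME 7.2 here and left the 7.1.3 and 7.0 procedures in place below". Two smaller points in the same hunk: "'TCPPort' and UDPPort'" is missing the opening quote on UDPPort, and the new "(note: these commands will still work in 7.2)" line should make explicit that the three commands are the command-line equivalent of the server-manager steps listed just above, so a reader does not think both are required.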
Line 102: |
Line 119: |
| This Howto was developed in response to the recommendations in this article at [http://isc.sans.org/diary.php?storyid=846 isc.sans.org]. The article briefly suggests taking 3 steps to secure your server against ssh attacks: | | This Howto was developed in response to the recommendations in this article at [http://isc.sans.org/diary.php?storyid=846 isc.sans.org]. The article briefly suggests taking 3 steps to secure your server against ssh attacks: |
| | | |
− | *1. Run ssh on a non-standard port
| + | # Run ssh on a non-standard port |
− | *2. Choose good passphrases, and enforce them with PAM or other wrappers.
| + | # Choose good passphrases, and enforce them with PAM or other wrappers. |
− | *3. Monitor your logs, then consciously look at blocking and/or reporting abusive netblocks.
| + | # Monitor your logs, then consciously look at blocking and/or reporting abusive netblocks. |
| | | |
| Now you know how to run ssh on a non-standard port, at least. Don't be fooled into thinking that this will bring long-term securiy, however! There is a discussion of this issue in the forums here on contribs that concludes that moving ssh to another port will only help until the attackers upgrade their tools. Public/private key security is recommended. (See [http://forums.contribs.org/index.php?topic=29505.msg123499#msg123499 Guessing passwords]) | | Now you know how to run ssh on a non-standard port, at least. Don't be fooled into thinking that this will bring long-term securiy, however! There is a discussion of this issue in the forums here on contribs that concludes that moving ssh to another port will only help until the attackers upgrade their tools. Public/private key security is recommended. (See [http://forums.contribs.org/index.php?topic=29505.msg123499#msg123499 Guessing passwords]) |
| | | |
| ---- | | ---- |
− | [[Category:Howto]] | + | [[Category:Obsolete]] |
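Review bot: the unchanged Conclusions line still reads "long-term securiy" (should be "security"), and since this revision already touches the list markup in that section it is the natural place to fix it. Replacing [[Category:Howto]] with [[Category:Obsolete]] also removes the page from the Howto listing entirely; if obsolete howtos are meant to remain discoverable there, keep both categories rather than swapping one for the other.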