Changes

From SME Server
862 bytes added ,  07:17, 6 October 2014
m (minor edit)
ref to AutoBlock and Fail2ban
Line 1: Line 1:  +
{{Outdated}}
 +
 +
{{Note box|As of SME9 there is the [http://wiki.contribs.org/AutoBlock AutoBlock] feature and there is the [http://wiki.contribs.org/Fail2ban Fail2ban] contrib.}}
 +
 +
{{Note box | 2013/2/17: SSH password harvesting attacks have been reported on non-standard ports: [http://bsdly.blogspot.ca/2013/02/theres-no-protection-in-high-ports.html There's No Protection In High Ports Anymore]<br /><br />Do not rely solely on changing the listening port when securing ssh on your server. }}
 +
 
== Changing the default ssh port on SME 7 ==
 
== Changing the default ssh port on SME 7 ==
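Review bot: the high-ports note box (the `{{Note box | 2013/2/17: ...` line) warns readers not to rely solely on moving the port but stops there, so someone who reads only the banners gets the warning without the fix. The page's own Conclusions section already recommends public/private key authentication; add one clause to the banner so it carries the actual mitigation, e.g. "Do not rely solely on changing the listening port: use key-based authentication and disable password logins, and see the AutoBlock / Fail2ban note above for blocking repeat offenders."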
   Line 7: Line 13:  
Based on: [http://no.longer.valid/phpwiki/index.php/Changing%20the%20default%20ssh%20port Changing the default ssh port] written by cc_skavenger. Use his howto if you are running SME 5.6 - 6.x!
 
Based on: [http://no.longer.valid/phpwiki/index.php/Changing%20the%20default%20ssh%20port Changing the default ssh port] written by cc_skavenger. Use his howto if you are running SME 5.6 - 6.x!
   −
[[#Procedure:_SME_7.1.3|Updated 4/11/07 for SME 7.1.3 (possibly 7.1.x?)]]
+
* Update 7/25/07 to point out that this howto is not needed as of SME 7.2
 +
* Updated 5/28/07 to correct minor typos and improve clarity
 +
* [[#Procedure:_SME_7.1.3|Updated 4/11/07 for SME 7.1.3 (possibly 7.1.x?)]]
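Review bot: the "Based on:" line still links to http://no.longer.valid/phpwiki/... which is a placeholder hostname, not a reachable URL; since this hunk is already reworking the changelog and the page is being marked obsolete, either drop the link and keep the plain attribution ("written by cc_skavenger") or point it at an archived copy if one exists. Separately, the changelog dates (7/25/07, 5/28/07, 4/11/07) are in ambiguous M/D/YY form while the note box at the top uses 2013/2/17; one date format would avoid 4/11/07 being read as 4 November.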
      Line 14: Line 22:  
In order to change the default port used by the sshd server in SME 7.0 you must change two configuration files on the SME server:
 
In order to change the default port used by the sshd server in SME 7.0 you must change two configuration files on the SME server:
   −
*1. you must tell sshd what port to listen on in /etc/ssh/sshd_config and
+
# you must tell sshd what port to listen on in /etc/ssh/sshd_config and
*2. (pre 7.1x) you must configure /etc/rc.d/init.d/masq to allow inbound traffic on your new sshd port
+
# (pre 7.1x) you must configure /etc/rc.d/init.d/masq to allow inbound traffic on your new sshd port
    
As of SME 7.1.3 (and possibly from 7.1 onwards?) you can change this port completely by modifying configuration database entries (there is no longer a need to create a custom template).
 
As of SME 7.1.3 (and possibly from 7.1 onwards?) you can change this port completely by modifying configuration database entries (there is no longer a need to create a custom template).
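Review bot: the "(pre 7.1x)" qualifier on the masq item does not match the version notation used in the same hunk ("7.1.3", "7.1 onwards"); write it as "pre 7.1.x" or, better, tie it to the "As of SME 7.1.3 ..." sentence that follows so the reader knows exactly which releases still need the /etc/rc.d/init.d/masq edit. The "(and possibly from 7.1 onwards?)" question has been on the page since 2007; now that the page is flagged Outdated it would be cleaner to state only what was verified (7.1.3) and drop the speculation.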
Line 24: Line 32:  
This howto demonstrates
 
This howto demonstrates
   −
*1. (pre 7.1) how to use a custom template fragment to modify sshd_config  
+
# (pre 7.1) how to use a custom template fragment to modify sshd_config  
*2. how to change the configuration database to open the desired non-standard port for your sshd server
+
# how to change the configuration database to open the desired non-standard port for your sshd server
*3. how to use 'expand-template' to re-generate the new sshd_config and masq files
+
# how to use 'expand-template' to re-generate the new sshd_config and masq files
*4. how to force the sshd and firewall services to recognize the new configurations
+
# how to force the sshd and firewall services to recognize the new configurations
    
I have inserted the procedure for SME 7.1.3 here and left the old procedure in place below for anyone still running 7.0
 
I have inserted the procedure for SME 7.1.3 here and left the old procedure in place below for anyone still running 7.0
 +
 +
=== Procedure: SME 7.2 ===
 +
 +
# Login to server-manager on your SME
 +
# Select "Remote access" (under "Security")
 +
# Enter the desired port number in "TCP port for secure shell access"
 +
# Click "Save"
    
=== Procedure: SME 7.1.3 ===
 
=== Procedure: SME 7.1.3 ===
 
====  Summary Version: ====
 
====  Summary Version: ====
 
+
(note: these commands will still work in 7.2)
 
  config setprop sshd TCPPort <newport>
 
  config setprop sshd TCPPort <newport>
 
  signal-event remoteaccess-update
 
  signal-event remoteaccess-update
  /etc/init.d/sshd restart
+
  service sshd restart
 
See [[#Conclusions|Conclusions]]
 
See [[#Conclusions|Conclusions]]
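Review bot: the Summary Version sequence restarts sshd on the new port straight after `signal-event remoteaccess-update` with no check that the listener and firewall rules actually came up, and the new SME 7.2 server-manager procedure likewise ends at "Click Save"; both need a lock-out guard, because a mistyped TCPPort or a masq rule that did not open the port leaves the server with no remote access. Suggest a final step in both procedures: keep the current SSH session open, confirm sshd is listening on <newport> (e.g. `netstat -tlnp | grep sshd`), and open a second session with `ssh -p <newport>` before closing the first. The "(note: these commands will still work in 7.2)" line would also be the place to say whether `service sshd restart` is still required after `signal-event remoteaccess-update` or is only belt-and-braces, since the event appears to be what regenerates sshd_config and the masq rules. Minor: the heading `====  Summary Version: ====` has a doubled space and a trailing colon that the other headings in the hunk do not.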
   Line 104: Line 119:  
This Howto was developed in response to the recommendations in this article at [http://isc.sans.org/diary.php?storyid=846 isc.sans.org]. The article briefly suggests taking 3 steps to secure your server against ssh attacks:
 
This Howto was developed in response to the recommendations in this article at [http://isc.sans.org/diary.php?storyid=846 isc.sans.org]. The article briefly suggests taking 3 steps to secure your server against ssh attacks:
   −
*1. Run ssh on a non-standard port
+
# Run ssh on a non-standard port
*2. Choose good passphrases, and enforce them with PAM or other wrappers.
+
# Choose good passphrases, and enforce them with PAM or other wrappers.
*3. Monitor your logs, then consciously look at blocking and/or reporting abusive netblocks.
+
# Monitor your logs, then consciously look at blocking and/or reporting abusive netblocks.
    
Now you know how to run ssh on a non-standard port, at least. Don't be fooled into thinking that this will bring long-term securiy, however! There is a discussion of this issue in the forums here on contribs that concludes that moving ssh to another port will only help until the attackers upgrade their tools. Public/private key security is recommended. (See [http://forums.contribs.org/index.php?topic=29505.msg123499#msg123499 Guessing passwords])
 
Now you know how to run ssh on a non-standard port, at least. Don't be fooled into thinking that this will bring long-term securiy, however! There is a discussion of this issue in the forums here on contribs that concludes that moving ssh to another port will only help until the attackers upgrade their tools. Public/private key security is recommended. (See [http://forums.contribs.org/index.php?topic=29505.msg123499#msg123499 Guessing passwords])
    
----
 
----
[[Category:Howto]]
+
[[Category:Obsolete]]
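Review bot: the unchanged line "Don't be fooled into thinking that this will bring long-term securiy" has a typo ("securiy" for "security") that this hunk could fix while it is re-marking the list. More substantively, the Conclusions paragraph recommends public/private key security but the page never says how to enforce it (set `PasswordAuthentication no` in /etc/ssh/sshd_config, or the equivalent server-manager setting if one exists), so a reader who follows the three isc.sans.org steps still finishes with password logins enabled on the new port; either add that step here or, at minimum, point step 3 (blocking abusive netblocks) at the AutoBlock / Fail2ban note added at the top of the page.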
