Based on: [http://no.longer.valid/phpwiki/index.php/Changing%20the%20default%20ssh%20port Changing the default ssh port] written by cc_skavenger. Use his howto if you are running SME 5.6 - 6.x!

* Updated 5/28/07 to correct minor typos and improve clarity
* [[#Procedure:_SME_7.1.3|Updated 4/11/07 for SME 7.1.3 (possibly 7.1.x?)]]

In order to change the default port used by the sshd server in SME 7.0 you must change two configuration files on the SME server:

# you must tell sshd what port to listen on in /etc/ssh/sshd_config and
# (pre 7.1.x) you must configure /etc/rc.d/init.d/masq to allow inbound traffic on your new sshd port

As of SME 7.1.3 (and possibly from 7.1 onwards?) you can change this port completely by modifying configuration database entries (there is no longer a need to create a custom template).
This howto demonstrates

# (pre 7.1) how to use a custom template fragment to modify sshd_config
# how to change the configuration database to open the desired non-standard port for your sshd server
# how to use 'expand-template' to re-generate the new sshd_config and masq files
# how to force the sshd and firewall services to recognize the new configurations

I have inserted the procedure for SME 7.1.3 here and left the old procedure in place below for anyone still running 7.0.
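The four steps above, written up as one script. This is an added example and not the howto's own commands: it assumes the SME 7 command paths /sbin/e-smith/config, /sbin/e-smith/expand-template and /sbin/e-smith/signal-event, the configuration key sshd TCPPort, the event name remoteaccess-update and a custom fragment name 10Port, none of which appear on this page, so check them against your server before running it. The pre-7.1 masq change is not reproduced here; on 7.0 it still has to be made by hand.

```shell
#!/bin/sh
# Added example (not from the original howto): move sshd to a non-standard
# port on SME Server 7.x.  ASSUMED (verify on your box): /sbin/e-smith/config,
# /sbin/e-smith/expand-template, /sbin/e-smith/signal-event, the db key
# sshd/TCPPort, the event remoteaccess-update and the fragment name 10Port.

# Accept only an unprivileged port (1024-65535) that is not the default 22.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ] && [ "$1" -ne 22 ]
}

# Text of the custom template fragment used on SME 7.0 (pre 7.1).
# A fragment with the same name under templates-custom shadows the stock one.
render_fragment() {
    printf 'Port %s\n' "$1"
}

# Pre 7.1: write the fragment and regenerate /etc/ssh/sshd_config.
# The masq change the howto describes for 7.0 is NOT reproduced here.
apply_pre71() {
    dir=/etc/e-smith/templates-custom/etc/ssh/sshd_config
    mkdir -p "$dir"
    render_fragment "$1" > "$dir/10Port"      # fragment name is an assumption
    /sbin/e-smith/expand-template /etc/ssh/sshd_config
}

# 7.1.3 and later: the port lives in the configuration database and the
# sshd_config and masq templates read it from there.
apply_713() {
    /sbin/e-smith/config setprop sshd TCPPort "$1"
}

# Confirm something is actually listening on the new port before you drop
# the session that is still open on port 22.
listening_on() {
    netstat -tln 2>/dev/null | awk '{print $4}' | grep -q ":$1\$"
}

main() {
    port=$1
    valid_port "$port" || { echo "usage: $0 <port 1024-65535, not 22> [pre71]" >&2; exit 1; }
    if [ "$2" = "pre71" ]; then apply_pre71 "$port"; else apply_713 "$port"; fi
    # Re-expand the templates that depend on the port and restart sshd and the
    # firewall (event name is an assumption).
    /sbin/e-smith/signal-event remoteaccess-update
    sleep 2
    if listening_on "$port"; then
        echo "sshd is listening on $port; open a NEW login on it before closing this one"
    else
        echo "nothing is listening on $port; do not close your current session" >&2
        exit 1
    fi
}

# Only act when a port is given; sourcing the file just defines the functions.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it from a session that stays open on port 22, then log in a second time on the new port before you log out of the first; if the listener check fails, the old port is still in service and you can back the change out.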
This Howto was developed in response to the recommendations in this article at [http://isc.sans.org/diary.php?storyid=846 isc.sans.org]. The article briefly suggests taking 3 steps to secure your server against ssh attacks:

# Run ssh on a non-standard port
# Choose good passphrases, and enforce them with PAM or other wrappers.
# Monitor your logs, then consciously look at blocking and/or reporting abusive netblocks.

Now you know how to run ssh on a non-standard port, at least. Don't be fooled into thinking that this will bring long-term security, however! A discussion of this issue in the forums here on contribs concludes that moving ssh to another port only helps until the attackers upgrade their tools; a port scan finds the new port as easily as the old one. Public-key authentication is recommended. (See [http://forums.contribs.org/index.php?topic=29505.msg123499#msg123499 Guessing passwords])
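The third recommendation, monitoring your logs and picking out netblocks to block or report, as an added example (not from the howto or the SANS article). It counts failed sshd logins per source address in syslog-style lines; the sample lines are constructed here, and on SME 7 the real ones are in /var/log/secure. Moving sshd to another port does not change the log format, so the same filter works before and after.

```shell
#!/bin/sh
# Added example (not from the original howto): count failed sshd logins per
# source address and list addresses at or above a threshold as candidates for
# blocking or reporting.  Sample log lines below are constructed.

# Read auth log lines on stdin; print "count ip", highest count first, for
# every source with at least $1 "Failed password" lines (default 1).
# Only "Failed password" is counted so that the "Invalid user" line that
# precedes a failed password for an unknown account is not counted twice.
failed_logins_by_ip() {
    threshold=${1:-1}
    awk -v min="$threshold" '
        /sshd\[[0-9]+\]: Failed password for/ {
            # the source address is the word after "from"
            for (i = 1; i <= NF; i++) if ($i == "from") hits[$(i+1)]++
        }
        END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }
    ' | sort -rn
}

# Constructed sample (addresses from the RFC 5737 documentation ranges).
SAMPLE_LOG='Apr 11 03:12:01 sme sshd[4211]: Failed password for root from 203.0.113.7 port 51110 ssh2
Apr 11 03:12:03 sme sshd[4213]: Failed password for root from 203.0.113.7 port 51112 ssh2
Apr 11 03:12:05 sme sshd[4215]: Invalid user admin from 203.0.113.7
Apr 11 03:12:06 sme sshd[4215]: Failed password for invalid user admin from 203.0.113.7 port 51114 ssh2
Apr 11 03:20:44 sme sshd[4301]: Failed password for alice from 198.51.100.9 port 40022 ssh2
Apr 11 03:21:10 sme sshd[4305]: Accepted publickey for alice from 198.51.100.9 port 40030 ssh2'

# Run the filter over the constructed sample with threshold $1.
suspicious_in_sample() {
    printf '%s\n' "$SAMPLE_LOG" | failed_logins_by_ip "$1"
}

# With an argument, filter the real log on stdin, e.g.:
#   sh thisfile.sh 5 < /var/log/secure
if [ $# -gt 0 ]; then
    failed_logins_by_ip "$1"
fi
```

One password failure from a legitimate user (alice above) is noise; a burst of root and unknown-account failures from one address is what you act on, and the whole netblock it belongs to is what you report.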