I've currently started running an SSH server on my Windows box. Since this means that anyone who breaks into it will have full access to my machine, I'd like some security recommendations. Steps I have already taken:
1. Strong password
2. Public/Private key authentication enabled for when I have my USB key
I haven't been able to disable the password authentication, perhaps I need to reboot.
Bolting down an SSH server
- Ambush Commander
- DevNet Master
- Posts: 3698
- Joined: Mon Oct 25, 2004 9:29 pm
- Location: New Jersey, US
- DaveTheAve
- Forum Contributor
- Posts: 385
- Joined: Tue Oct 03, 2006 2:25 pm
- Location: 127.0.0.1
- Chris Corbyn
- Breakbeat Nuttzer
- Posts: 13098
- Joined: Wed Mar 24, 2004 7:57 am
- Location: Melbourne, Australia
Ambush Commander wrote:
> I was considering doing that. Is it really that effective?

It can be, since you can set up a honeypot on port 22, although I'm not sure how you do that in Windows unless you have a router which can send port 22 to a cheap Linux box.

If this were Linux I'd tell you to disable root logons, but I'm not sure if there's an equivalent setting for Windows as there's no su to switch to admin.

Turn off password authentication and only allow keys. It doesn't disable typing a password, but it does disable sending a plain-text password.
- Ambush Commander
Eh, I have no interest in setting up a honeypot: I wouldn't know how to administer it! A different port it is... I wonder which one to pick.

Chris Corbyn wrote:
> If this were Linux I'd tell you to disable root logons, but I'm not sure if there's an equivalent setting for Windows as there's no su to switch to admin.

Nope. Windows has almost no notion of permissions (besides a few basic protected folders), and my main account is Admin (there's really no way to get Windows to work otherwise). Not precisely stellar security practice, but it'll have to do.

Chris Corbyn wrote:
> Turn off password authentication and only allow keys. It doesn't disable typing a password, but it does disable sending a plain-text password.

How does that work?
- Chris Corbyn
Ambush Commander wrote:
> Eh, I have no interest in setting up a honeypot: I wouldn't know how to administer it! A different port it is... I wonder which one to pick.
>
> > If this were Linux I'd tell you to disable root logons, but I'm not sure if there's an equivalent setting for Windows as there's no su to switch to admin.
>
> Nope. Windows has almost no notion of permissions (besides a few basic protected folders), and my main account is Admin (there's really no way to get Windows to work otherwise). Not precisely stellar security practice, but it'll have to do.
>
> > Turn off password authentication and only allow keys. It doesn't disable typing a password, but it does disable sending a plain-text password.
>
> How does that work?

It just asks you to accept a generated DSA/RSA key if you don't have one. It then uses that key to authenticate against. You can generate your own and place it in id_rsa if you wanted to, and copy id_rsa.pub to the other server's authorized keys file, then disable everything except public key logons if you're sure you'll never need to access the server from varying locations.