Bolting down an SSH server

Ye' old general discussion board. Basically, for everything that isn't covered elsewhere. Come here to shoot the breeze, shoot your mouth off, or whatever suits your fancy.
This forum is not for asking programming related questions.

Moderator: General Moderators

Post Reply
User avatar
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Bolting down an SSH server

Post by Ambush Commander »

I've currently started running an SSH server on my Windows box. Since this means that anyone who breaks into it will have full access to my machine, I'd like some security recommendations. Steps I have already taken:

1. Strong password
2. Public/Private key authentication enabled for when I have my USB key

I haven't been able to disable the password authentication, perhaps I need to reboot.
User avatar
DaveTheAve
Forum Contributor
Posts: 385
Joined: Tue Oct 03, 2006 2:25 pm
Location: 127.0.0.1
Contact:

Post by DaveTheAve »

change SSH port to a random port or another service port that you will never use. Such as a Windows service port on a Linux Machine.
User avatar
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

I was considering doing that. Is it really that effective?
User avatar
DaveTheAve
Forum Contributor
Posts: 385
Joined: Tue Oct 03, 2006 2:25 pm
Location: 127.0.0.1
Contact:

Post by DaveTheAve »

User avatar
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

Ambush Commander wrote:I was considering doing that. Is it really that effective?
It can be, since you can set up a honeypot on port 22 although I'm not sure how you do that in windows unless you have a router which can send port 22 to a cheap linux box.

If this were linux I'd tell you to disable root logons but I'm not sure if there's an equivalent setting for windows as there's no su to switch to admin.

Turn of password authentication and only allow keys. It doesn't disabled typing a password but it does disable sending a plain-text password.
User avatar
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

Eh, I have no interest in setting up a honeypot: I wouldn't know how to administer it! A different port it is... I wonder which one to pick.
If this were linux I'd tell you to disable root logons but I'm not sure if there's an equivalent setting for windows as there's no su to switch to admin.
Nope. In Windows has almost no notion of permissions (Besides a few basic protected folders), and my main account is Admin (there's really no way to get Windows to work otherwise). Not precisely stellar security practice, but it'll have to do.
Turn of password authentication and only allow keys. It doesn't disabled typing a password but it does disable sending a plain-text password.
How does that work?
User avatar
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

Ambush Commander wrote:Eh, I have no interest in setting up a honeypot: I wouldn't know how to administer it! A different port it is... I wonder which one to pick.
If this were linux I'd tell you to disable root logons but I'm not sure if there's an equivalent setting for windows as there's no su to switch to admin.
Nope. In Windows has almost no notion of permissions (Besides a few basic protected folders), and my main account is Admin (there's really no way to get Windows to work otherwise). Not precisely stellar security practice, but it'll have to do.
Turn of password authentication and only allow keys. It doesn't disabled typing a password but it does disable sending a plain-text password.
How does that work?
It just asks you to accept a generated DSA/RSA key if you don't have one. It then uses that key to authenticate against. You can generate your own and place in id_rsa if you wanted to and copy id_rsa.pub to the other server's authorized keys file then disable everything except public key logons if you're sure you'll never need to access the server from varying locations.
Post Reply