openssh concerns
jhell
jhell at DataIX.net
Tue Oct 6 20:18:26 UTC 2009
On Tue, 6 Oct 2009 11:06 +0200, des@ wrote:
> "Peter" <fbsdq at peterk.org> writes:
>> Or combine that with portknocking - Only open port 22 after X number of
>> attempts to connect on port 1234:
>
> As has already been explained, that's no good if you need to ssh in
from
> behind a corporate firewall that blocks everything except 20, 22, 80 and
> 443.
>
> DES
>
Don't forget about making good use of the following configuration
turntables. You can enforce a default policy of deny by just saying that a
user must be in the group of AllowGroups. This does enforce a little bit
more of a administrative overhead but that's for your staff and policy to
decide.
AllowGroups
AllowUsers
DenyGroups
DenyUsers
Collect tried user names and don't allow those to be added to your system
as legitimate users is another approach. Configuring pw(8) and adduser(8)
for this will be a good exercise.
--
%{----------------------------------------------------+
| dataix.net!jhell 2048R/89D8547E 2009-09-30 |
| BSD since FreeBSD 4.2 Linux since Slackware 2.1 |
| 85EF E26B 07BB 3777 76BE B12A 9057 8789 89D8 547E |
+----------------------------------------------------%}
More information about the freebsd-security
mailing list