[NTLUG:Discuss] SSH
David
david at hayes-family.org
Tue Oct 14 20:42:26 CDT 2003
On Mon, Oct 13, 2003 at 11:15:38PM -0500, severian at pobox.com wrote:
> 1. I disabled type 1 ssh keys, since type 2 keys seem to be more
> secure. Is there any reason to allow type 1 keys?
No good reason at all. SSH protocol 1 is subject to some sorts of
attacks due to design weaknesses in the protocol. These have been
addressed in protocol 2. I use 2 exclusively.
> 2. I generated my public keys with OpenSSH. They work fine when I drive
> the customer's Windows machine from my Linux machine at home. I have not
> figured out how to import those public keys into Putty. By googling, I
> find a bunch of references on how to take keys from Putty to OpenSSH, but
> that is the wrong direction for me.
> 3. This Linux machine has a static IP and will stay up 24/7. I am trying
> to figure out what I should do to the machine to make it relatively
> secure. I've closed obvious things like ftp and telnet. I am tempted to
> close just about every port except the port I use for SSH, but I wonder if
> that is too drastic. I have been reading a number of web sites, but I have
> not found one that seems authoritative. Any thoughts?
The standard received wisdom is to close all ports that are not
necessary for your intended use. In this case, only one port is
useful, SSH's port.
With Linux, you can go even further than simply closing the unused
ports. You can firewall the ports you leave open. That not only
closes down many avenues of potential attack, it narrows the possible
sources of those attacks that remain. With IP-Tables, try something
like this:
# Accept SSH (TCP port 22) on the external interface only from her address range
iptables -A INPUT -i eth1 -p tcp -s her-ip-range/her-ip-mask --dport 22 -j ACCEPT
# Accept DNS replies (UDP with source port 53) coming back in on the external interface
iptables -A INPUT -i eth1 -p udp --sport 53 -j ACCEPT
# Silently drop everything else arriving on the external interface
iptables -A INPUT -i eth1 -j DROP
I assume that you're using two separate ethernets, with eth0 being
your internal net, and eth1 being your external connection. Modify
accordingly.
The first line permits your remote worker to come in from her home IP
address. If her ISP has multiple address ranges, repeat the first
line for each different address range and netmask.
The second line permits DNS responses to get back to you.
The third line silently discards all other packets, which will make
your Linux system appear to be turned off.
--
David Hayes
david at hayes-family.org
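The ruleset above, worked into a small script as an added example (not part of David's post): it sets a default-deny INPUT policy, adds a stateful rule so replies to the box's own outbound connections (DNS lookups included) are accepted without a per-protocol rule, and limits new SSH connections on the external interface to one source range. Interface, port and the 192.0.2.0/24 range (a documentation range) are placeholders; DRY_RUN=1 only prints the commands.

```shell
#!/bin/sh
# Placeholders: override with EXT_IF=..., ALLOWED_SSH_SRC=..., SSH_PORT=... in the environment.
EXT_IF="${EXT_IF:-eth1}"
ALLOWED_SSH_SRC="${ALLOWED_SSH_SRC:-192.0.2.0/24}"   # constructed example range, not a real client
SSH_PORT="${SSH_PORT:-22}"

# run: print the command in dry-run mode (DRY_RUN=1, the default), otherwise execute it.
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# build_rules: emit or apply the external-interface ruleset in order.
# Run this from the console, not over SSH, when applying for real: the
# policy change and flush briefly drop everything until the rules are back.
build_rules() {
  run iptables -P INPUT DROP          # default-deny: anything not matched below is dropped
  run iptables -F INPUT               # start from an empty INPUT chain
  run iptables -A INPUT -i lo -j ACCEPT   # local services talking to themselves
  # Replies to connections this host opened (DNS answers, package updates, ...)
  run iptables -A INPUT -i "$EXT_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # New SSH sessions only from the remote worker's address range
  run iptables -A INPUT -i "$EXT_IF" -p tcp -s "$ALLOWED_SSH_SRC" \
      --dport "$SSH_PORT" -m conntrack --ctstate NEW -j ACCEPT
  # Explicit final drop on the external interface, as in the post
  run iptables -A INPUT -i "$EXT_IF" -j DROP
}

build_rules
```

If her ISP uses several address ranges, call the SSH line once per range; the stateful rule makes a separate DNS-reply rule unnecessary.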