If you are still running telnet instead of ssh, you should take a break from this manual and change this. Ssh should be used for all remote logins instead of telnet. In an age where it is easy to sniff Internet traffic and get clear-text passwords, you should use only protocols which use cryptography. So, perform an apt-get install ssh on your system now.
Encourage all the users on your system to use ssh instead of telnet, or even better, uninstall telnet/telnetd. In addition you should avoid logging into the system using ssh as root and use alternative methods to become root instead, like su or sudo. Finally, the sshd_config file, in /etc/ssh, should be modified to increase security as well:
*
ListenAddress 192.168.0.1
Have ssh listen only on a given interface, just in case you have more than one (and do not want ssh available on it) or in the future add a new network card (and don't want ssh connections from it).
*
Code:
PermitRootLogin no
Try not to permit Root Login wherever possible. If anyone wants to become root via ssh, now two logins are needed and the root password cannot be brute forced via SSH.
Be careful to add a user before you do this: if you are not sitting in front of the server and it is located somewhere remote, you don't want to get locked out. Log in over ssh as a normal user and then use su to become root.
*
Code:
Port 666 or ListenAddress 192.168.0.1:666
Change the listen port, so the intruder cannot be completely sure whether an sshd daemon runs (be forewarned, this is security by obscurity).
*
Code:
PermitEmptyPasswords no
Empty passwords make a mockery of system security.
*
Code:
AllowUsers alex ref me@somewhere
Allow only certain users to have access via ssh to this machine. user@host can also be used to restrict a given user to accessing only from a given host.
*
Code:
AllowGroups wheel admin
Allow only certain group members to have access via ssh to this machine. AllowGroups and AllowUsers have equivalent directives for denying access to a machine. Not surprisingly they are called "DenyUsers" and "DenyGroups".
*
Code:
PasswordAuthentication yes
It is completely your choice what you want to do. It is more secure to only allow access to the machine from users with ssh-keys placed in the ~/.ssh/authorized_keys file. If you want that, set this one to "no".
*
Disable any form of authentication you do not really need. If you do not use, for example, RhostsRSAAuthentication, HostbasedAuthentication, KerberosAuthentication or RhostsAuthentication, you should disable them, even if they are already disabled by default (see the manpage sshd_config(5)).
*
Code:
Protocol 2
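
One way to check a configuration against the directives listed above, as an added example that is not part of the original manual. The sample config is constructed, the function names are hypothetical, and treating "PasswordAuthentication no" as the target is an assumption (the text leaves that choice to you); only the global section before the first Match block is examined.

```python
# Added example: audit the global part of an sshd_config (not the manual's code).
RECOMMENDED = {
    "permitrootlogin": "no",
    "permitemptypasswords": "no",
    # The page leaves this as a choice; the example takes the stricter option.
    "passwordauthentication": "no",
}
# Constructed sample, not a real host's configuration.
SAMPLE = """\
Port 22
PermitRootLogin no
permitrootlogin yes
PermitEmptyPasswords yes
PasswordAuthentication yes
AllowUsers alex ref
Match User backup
    PasswordAuthentication no
"""

def parse_global(text):
    """Map lowercased keyword -> list of values, stopping at the first Match."""
    conf = {}
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        key = parts[0].lower()          # keywords are case-insensitive
        if key == "match":              # conditional blocks are out of scope
            break
        conf.setdefault(key, []).append(parts[1].strip())
    return conf

def audit(text):
    conf, findings = parse_global(text), []
    for key, want in RECOMMENDED.items():
        got = conf.get(key)
        if got is None:
            findings.append(f"{key}: not set explicitly, want '{want}'")
        elif got[0].lower() != want:    # sshd uses the first value it reads
            findings.append(f"{key}: '{got[0]}', want '{want}'")
    if conf.get("protocol", ["2"])[0] != "2":
        findings.append("protocol: anything other than 2 is allowed")
    if "allowusers" not in conf and "allowgroups" not in conf:
        findings.append("no AllowUsers/AllowGroups: login is not restricted by account")
    if "listenaddress" not in conf:
        findings.append("no ListenAddress: sshd is not bound to one interface")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "no findings")
```

The duplicate permitrootlogin line in the sample is not reported, because the first value read is the one that takes effect; the later "yes" is dead text that can mislead whoever reads the file.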