Change the default SSH server port on 10.3
Authored by: blakers on Jun 10, '04 08:20:42PM

as a higher-security alternative, you may wish to consider the following scenario (which i use ...):

(1) building an instance of OpenSSH with tcp-wrappers turned on
(2) setting up sshd to run NOT as a StartupItem, or Bootstrap Daemon, but rather solely as an xinetd service
(3) block access to specific clients/networks using tcp-wrappers' /etc/hosts* mechanisms
(4) set up server's sshd_config and clients to authenticate via PubkeyAuthentication
(5) generate & exchange ssh keys as necessary, 512-bit or better ...

this should 'harden' your ssh access fairly well

you can, as well, add ipfw rules to allow only access to/from specific hosts/networks ...

richard



TCP Wrappers
Authored by: FiercePanda on Jun 11, '04 12:41:38PM

I'm still using Jaguar, but I didn't need to rebuild sshd to get it to use TCP Wrappers. All I had to do was write an /etc/hosts.allow and hosts.deny. Is this different on Panther?



TCP Wrappers
Authored by: blakers on Jun 11, '04 06:25:42PM

honestly, that's a good question. i dunno ...

i always rebuild openssh with an up-to-date openssl build, and thus configure it with tcp-wrappers, as well as any other config i like.

if tcp-wrappers are already enabled in sshd, then that _should_ be just fine. i'm not sure at all how to check if it is, other than to try it ... and i've replaced my 'virgin install' instances ...

richard
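
One way to check whether an installed sshd was built with TCP Wrappers without relying on trial and error, as an added example that is not part of the original thread. The function name `libwrap_support` is hypothetical, and the string markers it looks for (the `libwrap` library name, the `hosts_access` entry point, the `/etc/hosts.allow` table path) are assumptions about what a wrappers-enabled build leaves in the binary.

```shell
# Added example (not from the thread): look for evidence that an sshd binary
# was built with TCP Wrappers. Prints "dynamic", "static", "none" or "unreadable".
# Exit status: 0 = libwrap evidence found, 1 = none found, 2 = unreadable file.
libwrap_support() {
    bin=$1
    [ -f "$bin" ] && [ -r "$bin" ] || { echo "unreadable"; return 2; }

    # Shared-library case: ask the platform's own tool when it exists
    # (otool -L on Mac OS X). ldd is skipped on purpose: some versions
    # run the target through the loader, unwanted for a file under inspection.
    if command -v otool >/dev/null 2>&1 &&
       otool -L "$bin" 2>/dev/null | grep -q 'libwrap'; then
        echo "dynamic"; return 0
    fi

    # Portable fallback: a dynamically linked binary names the library
    # (libwrap.so.N or libwrap.N.dylib) in its load information.
    if LC_ALL=C grep -qF -e 'libwrap' "$bin"; then
        echo "dynamic"; return 0
    fi

    # A statically linked libwrap leaves its entry point or its
    # compiled-in access-table path in the binary.
    if LC_ALL=C grep -qF -e 'hosts_access' -e '/etc/hosts.allow' "$bin"; then
        echo "static"; return 0
    fi

    echo "none"; return 1
}

# Typical call (path assumed; adjust to where sshd is installed):
#   libwrap_support /usr/sbin/sshd
```

A result of "none" means /etc/hosts.allow and /etc/hosts.deny entries for sshd will be silently ignored by that binary, so confirm with a test connection from a denied address before relying on them.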


