Differences

This shows you the differences between two versions of the page.

ssh [2009/03/21 20:58]
a
ssh [2015/10/30 14:52]
zagi [other]
Line 3: Line 3:
 Links: Links:
    * [[http://www.howtoforge.com/chrooted-ssh-sftp-tutorial-debian-lenny|Chrooted SSH/SFTP Tutorial (Debian Lenny) ]]    * [[http://www.howtoforge.com/chrooted-ssh-sftp-tutorial-debian-lenny|Chrooted SSH/SFTP Tutorial (Debian Lenny) ]]
 +   * [[http://wiki.centos.org/HowTos/Network/SecuringSSH|Securing SSH (CentOS wiki)]]
  
 ===== banner in ssh ===== ===== banner in ssh =====
Line 15: Line 16:
    * All accesses to this service are logged.  *    * All accesses to this service are logged.  *
    *********************************************    *********************************************
 +
 +http://techgurulive.com/2008/09/15/how-to-protect-ssh-from-multiple-and-parallel-coordinated-attacks/
 +
  
  
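Review bot: the URL added after the banner box is a bare link with no title and no sentence saying what it covers, and it lands in the "banner in ssh" section although its slug is about protecting SSH from coordinated attacks. Suggest moving it to the Links list at the top of the page, in the same `[[url|title]]` form as the other entries.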
Line 29: Line 33:
 scp ~/.ssh/id_dsa.pub $i scp ~/.ssh/id_dsa.pub $i
 ssh $i "mkdir .ssh ; ssh $i "mkdir .ssh ;
-chown 700 .ssh ;+chmod 700 .ssh ;
 cat ~/id_dsa.pub >> ~/.ssh/authorized_keys ; cat ~/id_dsa.pub >> ~/.ssh/authorized_keys ;
 chmod 644 /.ssh/authorized_keys;" chmod 644 /.ssh/authorized_keys;"
 done done
 </code> </code>
 +
 +===== How to Fix Offering key in ~/.ssh/known_hosts =====
 +# ssh -o 'StrictHostKeyChecking no' user@host
 +
 +==== Remove the offending ssh key ====
 +<code>
 +@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
 +@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
 +@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
 +IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
 +Someone could be eavesdropping on you right now (man-in-the-middle attack)!
 +It is also possible that the RSA host key has just been changed.
 +The fingerprint for the RSA key sent by the remote host is
 +a7:a8:f2:97:94:33:58:b7:9d:bc:e0:a6:6b:f7:0a:29.
 +Please contact your system administrator.
 +Add correct host key in /home/ramesh/.ssh/known_hosts to get rid of this message.
 +Offending key in /home/ramesh/.ssh/known_hosts: 6
 +Permission denied (publickey,password).
 +</code>
 +
 +   # sed -i '6d' ~/.ssh/known_hosts
 +
 +<note important>**Note**: Change the **6d** according to the line number shown.</note>
 +
 +**Perl solution**: 
 +   # perl -pi -e 's/\Q$_// if ($. == 6);' ~/.ssh/known_hosts
 +
  
 ====== How to harden your sshd ====== ====== How to harden your sshd ======
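Review bot: the new section leads with `ssh -o 'StrictHostKeyChecking no' user@host` as the fix, which disables strict host key verification, the very check that produced the man-in-the-middle warning quoted just below it. Suggest dropping that line or placing it under an explicit caveat, and describing the fix as: confirm the new fingerprint with the administrator out of band, then remove the stale entry. For the removal, `ssh-keygen -R host` deletes the entry by host name and keeps the original file as known_hosts.old, which is less error-prone than `sed -i '6d'` with a hand-copied line number. The heading says "Offering key" where the ssh output says "Offending key", and the command under it is not indented, so it renders as running text rather than as a code line like the sed command. In the key-distribution loop the `chown` to `chmod` correction is right, but the context line `chmod 644 /.ssh/authorized_keys` still points at `/.ssh` rather than `~/.ssh`.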
Line 127: Line 158:
  
 This document is free; you can redistribute it and/or modify it under the terms of the GNU GPL, see http://www.gnu.org/copyleft/gpl.html .  There is NO WARRANTY. This document is free; you can redistribute it and/or modify it under the terms of the GNU GPL, see http://www.gnu.org/copyleft/gpl.html .  There is NO WARRANTY.
 +
 +
 +===== Fail2Ban ====
 +  /etc/fail2ban/jail.conf\\
 +\\
 +      action = %(action_mw)s\\
 +
 +
 +===== other SSH stuff ======
 +
 +use EF DSCP in ssh:
 +
 +  ~/.ssh/config
 +  IPQoS ef
 +  
 +use jump host
 +
 +  ~/.ssh/config
 +  Host finalhost
 +  HostName finalhost
 +  User userfinal
 +  ProxyCommand ssh proxyuser@proxyhost nc %h %p
 +
 +then one can simply type
 +
 +  ssh finalhost 
 +to ssh via proxyhost to final destination host
 +  
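Review bot: the Fail2Ban entry gives only `action = %(action_mw)s` under `/etc/fail2ban/jail.conf`, with no word on what it changes (ban plus an e-mail with a whois report to the configured address) or which section of the file it belongs in; a one-line explanation would make it usable. In the jump-host block, `ProxyCommand ssh proxyuser@proxyhost nc %h %p` depends on nc being installed on the proxy host, while `ssh -W %h:%p proxyuser@proxyhost` does the same forwarding with ssh alone. Both new headings have unbalanced markers (`===== Fail2Ban ====` and `===== other SSH stuff ======`); make the closing run match the opening one as in the existing headings.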
ssh.txt · Last modified: 2016/08/04 09:37 by zagi
CC Attribution-Share Alike 4.0 International