Differences

This shows you the differences between two versions of the page.

ssh [2009/03/26 10:49]
a wtf?!
ssh [2016/08/04 09:37] (current)
zagi [other SSH stuff]
Line 3: Line 3:
 Links: Links:
    * [[http://www.howtoforge.com/chrooted-ssh-sftp-tutorial-debian-lenny|Chrooted SSH/SFTP Tutorial (Debian Lenny) ]]    * [[http://www.howtoforge.com/chrooted-ssh-sftp-tutorial-debian-lenny|Chrooted SSH/SFTP Tutorial (Debian Lenny) ]]
 +   * [[http://wiki.centos.org/HowTos/Network/SecuringSSH|Securing SSH (CentOS wiki)]]
  
 ===== banner in ssh ===== ===== banner in ssh =====
Line 15: Line 16:
    * All accesses to this service are logged.  *    * All accesses to this service are logged.  *
    *********************************************    *********************************************
 +
 +http://techgurulive.com/2008/09/15/how-to-protect-ssh-from-multiple-and-parallel-coordinated-attacks/
  
  
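Review bot: The bare URL added at the end of the "banner in ssh" section has no link text and is not about banners; its slug is about protecting SSH from parallel coordinated attacks. Suggest writing it in the same [[url|title]] form the Links list uses and moving it to the Links list or under "How to harden your sshd".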
Line 35: Line 38:
 done done
 </code> </code>
 +
 +===== How to Fix Offering key in ~/.ssh/known_hosts =====
 +# ssh -o 'StrictHostKeyChecking no' user@host
 +
 +==== Remove the offending ssh key ====
 +<code>
 +@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
 +@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
 +@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
 +IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
 +Someone could be eavesdropping on you right now (man-in-the-middle attack)!
 +It is also possible that the RSA host key has just been changed.
 +The fingerprint for the RSA key sent by the remote host is
 +a7:a8:f2:97:94:33:58:b7:9d:bc:e0:a6:6b:f7:0a:29.
 +Please contact your system administrator.
 +Add correct host key in /home/ramesh/.ssh/known_hosts to get rid of this message.
 +Offending key in /home/ramesh/.ssh/known_hosts: 6
 +Permission denied (publickey,password).
 +</code>
 +
 +   # sed -i '6d' ~/.ssh/known_hosts
 +
 +<note important>**Note**: Change the **6d** according to the line number shown.</note>
 +
 +**Perl solution**: 
 +   # perl -pi -e 's/\Q$_// if ($. == 6);' ~/.ssh/known_hosts
 +
  
 ====== How to harden your sshd ====== ====== How to harden your sshd ======
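Review bot: The first line under the new "How to Fix Offering key" heading, ssh -o 'StrictHostKeyChecking no' user@host, switches off the host key check that produces the warning quoted right below it, so as written the section teaches readers to bypass the man-in-the-middle protection rather than resolve the mismatch. Suggest dropping that line and making the procedure: confirm the new fingerprint with the administrator (as the warning itself says), then remove the stale entry. For the removal, ssh-keygen -R host is safer than sed -i '6d' or the Perl one-liner, since it selects the entry by host name instead of a line number the reader has to copy correctly from the message. The heading should also read "Offending key" to match the subheading and the ssh output.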
Line 128: Line 158:
  
 This document is free; you can redistribute it and/or modify it under the terms of the GNU GPL, see http://www.gnu.org/copyleft/gpl.html .  There is NO WARRANTY. This document is free; you can redistribute it and/or modify it under the terms of the GNU GPL, see http://www.gnu.org/copyleft/gpl.html .  There is NO WARRANTY.
 +
 +
 +===== Fail2Ban ====
 +  /etc/fail2ban/jail.conf\\
 +\\
 +      action = %(action_mw)s\\
 +
 +
 +===== other SSH stuff ======
 +
 +use EF DSCP in ssh:
 +
 +  ~/.ssh/config
 +  IPQoS ef
 +  
 +use jump host
 +
 +  ~/.ssh/config
 +  Host finalhost
 +  HostName finalhost
 +  User userfinal
 +  ProxyCommand ssh proxyuser@proxyhost nc %h %p
 +
 +then one can simply type
 +
 +  ssh finalhost 
 +to ssh via proxyhost to final destination host
 +
 +
 +using same options for multiple hosts in same domain
 +
 +   Host switch* router* myrouter* cmts*
 +
 +no need to type FQDN for switch-somethingsomething
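Review bot: The Fail2Ban entry points at /etc/fail2ban/jail.conf and shows action = %(action_mw)s with no jail section or explanation, so a reader cannot tell where the line goes or what it changes. Suggest saying that it belongs under [DEFAULT] or a specific jail, that action_mw bans and sends a mail with whois output, and placing the override in /etc/fail2ban/jail.local so a package upgrade does not overwrite it. In the jump host block, ProxyCommand ssh proxyuser@proxyhost nc %h %p requires nc on proxyhost; ProxyCommand ssh -W %h:%p proxyuser@proxyhost does the same with ssh alone. The Host switch* router* myrouter* cmts* stanza has no option lines under it, so the shared options and whatever saves typing the FQDN are missing. The two new headings also have unbalanced markers (===== Fail2Ban ==== and ===== other SSH stuff ======).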
ssh.1238060951.txt.gz · Last modified: 2009/05/25 00:34 (external edit)
CC Attribution-Share Alike 4.0 International