Difference between pages "Collect mails from other accounts" and "Configuring and securing sshd"
imported>ThorstenStaerk
imported>ChrisM (New page: All following configuration takes place in /etc/ssh/sshd_config. Be sure to look for existing statements, since in most cases chances are that the configuration option already exists in yo...)
Revision as of 19:38, 17 October 2008
All of the following configuration takes place in /etc/ssh/sshd_config. Look for existing statements first, since in most cases the configuration option already exists in your default sshd_config.
Disable X11Forwarding
If you do not want to use X11 forwarding, you should disable it altogether by setting
    X11Forwarding no
While X11 forwarding is not a real danger for your server, it may cause users to unwittingly reveal private data, because a remote client can snoop on the local X server, e.g. capturing passwords as they are typed.
Putting sshd on a non-standard port
This is security by obscurity only and is of little value if someone uses a port scanner to check whether an ssh daemon is running on a non-standard port. It can still be useful if you need to access your server from a location where outgoing TCP port 22 is blocked. Just extend your sshd_config, replacing port with the port number you want:
    Port port
    ListenAddress 0.0.0.0:port
Note: If you still want sshd to listen on the default port 22 as well, you must now specify it explicitly, since you already have a different port configured.
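The following check is an added example, not part of the original page: it reads the global section of an sshd_config and reports the effective X11Forwarding value and port list, following the sshd_config(5) rules that the first value of a keyword wins while Port may be given several times. The function names and the sample configuration are constructed for illustration, and Match blocks are not evaluated.

```python
# Added example: audit the two settings discussed on this page.
# SAMPLE_CONFIG is constructed and does not come from a real host.
SAMPLE_CONFIG = """\
Port 2222
#Port 22
X11Forwarding no
ListenAddress 0.0.0.0:2222
x11forwarding yes
"""


def effective_settings(text):
    """Return (x11_forwarding, ports) for the global section of a config."""
    x11 = None
    ports = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        parts = line.split()
        if len(parts) < 2:
            continue                      # keyword without argument
        keyword, value = parts[0].lower(), parts[1]  # keywords ignore case
        if keyword == "match":
            break                         # simplification: stop at first Match
        if keyword == "x11forwarding" and x11 is None:
            x11 = value                   # first obtained value is used
        elif keyword == "port":
            ports.append(int(value))      # Port is cumulative
    # Defaults when nothing is configured: X11Forwarding no, Port 22.
    return (x11 or "no", ports or [22])


def findings(text):
    """Return human-readable findings for the settings covered here."""
    x11, ports = effective_settings(text)
    result = []
    if x11.lower() != "no":
        result.append("X11Forwarding is enabled (%s)" % x11)
    elif x11 != "no":
        result.append("write the argument in lowercase: X11Forwarding no")
    if 22 not in ports:
        result.append("sshd no longer listens on port 22; ports: %s" % ports)
    return result


if __name__ == "__main__":
    print(effective_settings(SAMPLE_CONFIG))
    for finding in findings(SAMPLE_CONFIG):
        print("-", finding)
```

On a live system, sshd -t checks the file for syntax errors and sshd -T prints the effective configuration.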