[PLUG] Denyhosts, Cracking Attempts, and Intensity
Quentin Hartman
qhartman at gmail.com
Fri Jun 5 18:27:48 UTC 2009
On Fri, Jun 5, 2009 at 9:16 AM, MJang <mike at mommabears.com> wrote:
> FWIW, I disable root logins for SSH on my /etc/ssh/sshd_config with
>
> PermitRootLogin no
>
An interesting trick that I use to make it so that backup tools like Dirvish
remain useful is:

    PermitRootLogin without-password

That (somewhat counter-intuitively) allows root to log in w/ a private key,
but not a password. So, my automated backup scripts from my backup server
can still get in w/ root privs, but no password-based root auth is allowed.

You can also specify particular legal IPs on the allow users line if you
want to double-up:

    AllowUsers root@1.2.3.4

A couple finer points of SSHD config I didn't learn about nearly soon
enough.

I still don't know how to "wildcard" AllowUsers though. So I can say
something like "Allow in all valid users, but joe only from a certain IP,
and root only from a certain IP" without having to add every user to the
line. Should look into that again...

QH
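
Added example (not part of the original message and not OpenSSH code): a simplified Python model of how the two directives above combine, useful for checking who an sshd_config would admit before deploying it. It assumes one line per keyword, matches the host part against the source address only, and treats `prohibit-password` (the newer spelling) like `without-password`; the address for joe and the trailing `*` variant are constructed.

```python
import re

# Constructed sample: the two directives from the post (1.2.3.4 is the post's
# placeholder for the backup server address).
POST_CONFIG = """\
PermitRootLogin without-password
AllowUsers root@1.2.3.4
"""
# Constructed variant: a trailing bare "*" in an attempt to let everyone else in.
WILDCARD_CONFIG = """\
PermitRootLogin without-password
AllowUsers joe@192.0.2.10 root@1.2.3.4 *
"""

def parse(text):
    """Map lowercase keyword -> argument list (model: one line per keyword)."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, *args = line.split()
            cfg[key.lower()] = args
    return cfg

def glob(pattern, value):
    """sshd-style pattern match: '*' is any run of characters, '?' is one."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value) is not None

def admits(cfg, user, addr, method):
    """Would this model let `user` at `addr` authenticate with `method`?"""
    patterns = cfg.get("allowusers")
    if patterns is not None:
        # With AllowUsers present, a login needs at least one matching pattern.
        def hit(p):
            u, _, h = p.partition("@")
            return glob(u, user) and (h == "" or glob(h, addr))
        if not any(hit(p) for p in patterns):
            return False
    if user != "root":
        return True
    mode = cfg["permitrootlogin"][0]  # model requires it to be set explicitly
    if mode in ("without-password", "prohibit-password"):
        return method not in ("password", "keyboard-interactive")
    return mode == "yes"  # "no" and any value not modelled here are refused
```

In this model a bare `*` pattern matches every user from every address, so the per-address entries listed before it no longer restrict anyone.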