# Security recommendations



## ikbendeman (Jan 21, 2014)

I just got back home and saw logs on my computer, though they are not in my dmesg so I can't see them in X, but basically, first someone tried to connect to my computer numerous times using username "admin," which of course is not the user name of my admin account on my router; however, then surprisingly they tried to log in as root through ssh. I use ssh remotely so I don't want to completely disable it; I can obviously change the port, but does anyone have any recommendations besides strengthening my password and changing my ssh port?


----------



## nanotek (Jan 21, 2014)

`vi /etc/ssh/sshd_config` and set the following options:


```
PermitRootLogin no
StrictModes yes
MaxAuthTries 2
RSAAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
AllowUsers $REGULARUSER
```

Adjust $REGULARUSER to your normal non-privileged user account. You can further tighten restrictions by restricting access to an IP for $REGULARUSER, such as:

```
AllowUsers $REGULARUSER@192.168.1.12/24
```

Issue `service sshd reload` for changes to take effect.

Create your pubkey for authentication:
`ssh-keygen -b 4096 -t rsa`

Authorize it:
`cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys`

Copy ~/.ssh/id_rsa to a USB or `scp` it to your client system.

See: http://syn.bsdbox.co/2013/12/29/basic-system-hardening/ for more details.


----------



## kpa (Jan 21, 2014)

I have pubkey authentication set up as @nanotek here showed. I do allow root logins over ssh(1) but only on the local LAN and not as root but as the alias user toor. Here are the relevant parts of my config:


```
...
AllowUsers kimmo toor
ChallengeResponseAuthentication no
UseDNS no

Match Address ::1,127.0.0.0/8,10.71.0.0/16,2001:abcd:nnn:8321::/64,2001:abcd:mmm::/48
    PasswordAuthentication yes # leave this out if LAN users are not trusted
    PermitRootLogin yes
```

Allowed users are restricted to just my unprivileged user and toor. However, logging in as toor is not possible by default because PermitRootLogin defaults to no and is enabled only for the addresses listed in the Match Address section.
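An added example (not code from the thread) that checks whether an sshd_config actually carries the hardened global values nanotek listed, and separately reports Match blocks like the one above that re-enable root or password logins for specific addresses. The sample config embedded at the bottom is constructed from the two fragments in this thread.

```python
# Added example (not from the thread): audit an sshd_config against the
# hardened global values recommended above, reporting Match blocks separately.
RECOMMENDED = {"permitrootlogin": "no", "passwordauthentication": "no",
               "pubkeyauthentication": "yes", "maxauthtries": "2",
               "challengeresponseauthentication": "no"}

def parse_sshd_config(text):
    """Return (global directives, [(match criteria, directives), ...]). Keywords
    are case-insensitive and sshd keeps the first value seen per section."""
    globals_, matches = {}, []
    section = globals_
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        key, value = (line.split(None, 1) + [""])[:2]  # tolerate bare keyword
        key = key.lower()
        if key == "match":  # directives until the next Match are scoped
            section = {}
            matches.append((value, section))
        else:
            section.setdefault(key, value)
    return globals_, matches

def audit(text):
    """Deviations from RECOMMENDED, plus Match blocks re-enabling root/password logins."""
    globals_, matches = parse_sshd_config(text)
    findings = []
    for key, want in RECOMMENDED.items():
        got = globals_.get(key)
        if got is None:
            findings.append(f"{key}: not set, sshd default applies, want {want}")
        elif got.lower() != want:
            findings.append(f"{key}: is {got}, want {want}")
    for criteria, directives in matches:
        for key in ("permitrootlogin", "passwordauthentication"):
            if directives.get(key, "").lower() == "yes":
                findings.append(f"Match {criteria}: {key} yes, verify these addresses are trusted")
    return findings

# Constructed sample combining both configs from the thread.
SAMPLE = """PermitRootLogin no
MaxAuthTries 2
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
Match Address 10.71.0.0/16
    PasswordAuthentication yes # leave this out if LAN users are not trusted
    PermitRootLogin yes"""
```

Run `audit(open("/etc/ssh/sshd_config").read())` on the live file; an empty list means the global section matches the recommendations and no Match block relaxes them.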


----------



## SirDice (Jan 21, 2014)

Besides the obvious tweaks to sshd(8) you should also have a look at security/sshguard and security/py-fail2ban.


----------



## worldi (Jan 21, 2014)

Moving to another port is a good way to improve the signal-to-bot-noise ratio. This way you know it's something personal when they keep hammering your sshd at TCP/39821.


----------

