rsa
Sshd_config Settings Rundown
Feb 3rd

First change the port you are using. Do not use port 22 on servers that have internet connectivity; it is the first port that will be checked by the countless robots scanning the internet for vulnerabilities. Change the port to whatever you like, and then use the -p option in your ssh login attempt. Then make sure root login is disabled: remove the pound symbol from the front of the option line. If you can, you should definitely allow RSA key login. Once you have your key set up, disable password login by setting the respective line to “no”. If you cannot enable keyed logins for any reason whatsoever, you should enable IP-based restrictions, either with iptables or with TCP wrappers. iptables is configured with the iptables command, and TCP wrappers are configured in /etc/hosts.allow. You can reduce the time limit for password login, but sometimes this causes problems for remote users connecting, since it occasionally takes a couple of extra seconds for people to log in. Make the time limit around 30 seconds. If people are still having trouble connecting, check /var/log/auth.log for more information about the failed login attempt. Maybe the password is too complicated? Before reducing the complexity of the password, implement fail2ban, which automatically blocks IP addresses based on failed login attempts; that way you can reduce the complexity of the password without substantially reducing system security.
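As an added example (not from the original post), here is a small Python audit that reads an sshd_config text and reports which of the settings in the rundown above are still at their weak values; it also shows a detail the post does not mention, that sshd keeps the first value given for a keyword and ignores later duplicates. The sample configs are constructed for the demo, and the defaults noted in the comments (port 22, password authentication on, 120 second grace time) are the stock OpenSSH ones.

```python
import re

def _seconds(value):
    """sshd time value ("30", "30s", "2m", "1h") -> seconds."""
    m = re.fullmatch(r"(\d+)([smh]?)", value.strip().lower())
    if not m:
        raise ValueError(f"bad time value: {value!r}")
    return int(m.group(1)) * {"": 1, "s": 1, "m": 60, "h": 3600}[m.group(2)]

def parse_sshd_config(text):
    """{keyword.lower(): value}; sshd keeps the FIRST value given, so duplicates are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # commented-out lines are not settings
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings

def audit_sshd_config(text):
    """Return the settings that contradict the rundown above (empty list = clean)."""
    s = parse_sshd_config(text)
    findings = []
    if s.get("port", "22") == "22":                             # default is 22
        findings.append("Port is 22; move sshd off the default port")
    if s.get("permitrootlogin", "").lower() != "no":
        findings.append("PermitRootLogin is not explicitly 'no'")
    if s.get("pubkeyauthentication", "yes").lower() == "no":
        findings.append("PubkeyAuthentication is off; key login impossible")
    if s.get("passwordauthentication", "yes").lower() != "no":  # default is yes
        findings.append("PasswordAuthentication is not 'no'")
    if _seconds(s.get("logingracetime", "120")) > 30:          # default is 120s
        findings.append("LoginGraceTime exceeds 30 seconds")
    return findings

# Constructed sample configs, not taken from any real host.
STOCK_CONFIG = "#Port 22\n#PermitRootLogin yes\nPasswordAuthentication yes\nLoginGraceTime 2m\n"
HARDENED_CONFIG = """\
Port 2222
PermitRootLogin no
PasswordAuthentication no
# the duplicate below is ignored: sshd keeps the first value seen
PasswordAuthentication yes
LoginGraceTime 30
"""

if __name__ == "__main__":
    print(audit_sshd_config(STOCK_CONFIG), audit_sshd_config(HARDENED_CONFIG))
```

Point it at a real file with `audit_sshd_config(open("/etc/ssh/sshd_config").read())`; fail2ban and the hosts.allow restrictions live outside this file and are not checked here.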
Server Security – Passwordless Remote Login
Jan 24th
Based on some recent experience, do not ever allow remote password login. There are two things you should apply to your ssh server: implement RSA key login, and implement fail2ban. Fail2ban modifies iptables (the firewall) to block the IP address of offending connection attempts. It does so for your Apache, ssh, FTP, and other servers. It is a separate program, not a wrapper, and it monitors log files for login attempts. You set the maximum login attempts (failures) in the jail.conf file in /etc/fail2ban. The combination of RSA keys and fail2ban will ensure a secure and accessible system, which is a must if the system is to be open to outside internet connections.
Secure Remote Connections – Tech Support
Jan 23rd
If you are going to be providing technical support, to be professional you should implement a secure ssh connection. There is no excuse for potentially giving terminal access to a password snooper. With ssh the terminal commands themselves are encrypted, so disabling password login truly minimizes the risk of a security breach. With an RSA key no password is transmitted and the login process is fully encrypted. Disable password login by changing its option to “no” in the sshd configuration file, which is located at /etc/ssh/sshd_config. The default authorized key file is in the user's home directory: ~/.ssh/authorized_keys2. You need to place the id_rsa.pub contents in the authorized_keys2 file. You can open the file manually, or you can cat it in. You can also replace the entire authorized_keys2 file with id_rsa.pub, but if you want multiple authorized keys, appending with cat or editing manually is better.
Create a new RSA key with:
ssh-keygen
It will put the new id_rsa and id_rsa.pub in ~/.ssh. When logging in as a client, the default location for id_rsa is ~/.ssh, but you can place it anywhere and point to it with the ssh -i option, followed by the path to the id_rsa key. An example is:
ssh -i /home/user/Desktop/id_rsa user@host
2048 RSA Automatic SSH Login
Jun 13th
There is no reason to be hassled into entering usernames and passwords when accessing a terminal via ssh. SSH has a built-in RSA key authentication mechanism. First build the private and public keys:
ssh-keygen
This will create your private and public keys in the .ssh folder in your home folder. You then copy the public key to the .ssh folder on the target system, using scp:
scp .ssh/id_rsa.pub 192.168.0.100:.ssh/authorized_keys2
Change the IP address of the target system accordingly. Then log in to the target system and edit the ssh daemon's configuration file:
sudo nano /etc/ssh/sshd_config
Scroll to the password authentication line, remove the pound sign, and make sure it is set to no. Also make sure the daemon uses the authorized_keys2 file as the public key reference. Save the file, exit, and restart the ssh daemon:
sudo /etc/init.d/ssh restart
Now your ssh connections will be automated and powerfully encrypted. You can remove the id_rsa.pub key from your .ssh directory for total security. Now the public key is only on the target system, and the only way to gain access to that system is via direct login or via the private key on your remote system. You can also transfer the private key to a USB drive and delete the id_rsa key from the .ssh directory. When connecting via ssh, use the -i option to locate the key on the USB drive. For example:
ssh -i /media/drive/id_rsa 192.168.0.100
Now the entire session will only work with the USB key in the drive. Your USB drive will literally be a key: without it there is no access to the target system whatsoever. Also, do not lose the USB key, otherwise the only way to access the system will be directly via a terminal.
Laptop, Desktop, Old or New Computer Anything can be a Server
Aug 27th
A server is indiscriminate. A server is merely software, and powerful software exists to turn any computer, even an old Pentium 2 at 400 megahertz, into a roaring website server. The combination of specific software enables websites to be broadcast on the internet. Additional software can enable special features, such as PHP for dynamic website content and MySQL for convenient information storage. Besides website servers, there are other technologies. An FTP server allows the transfer of files, yes, the little icons on your desktop that you double click to open. FTP is very convenient and powerful, but it is not secured via encryption. SSH performs like FTP, but has strong RSA or DSA encryption. SSH can also be used literally as a directory server; with SSHFS you can mount partitions from any SSH server on the internet to a directory on your local computer.

There are other types of servers called VNC, which allow the internet broadcasting of X11 information. X11 is the Linux de facto monitor/display management application. X11 is what broadcasts information to your laptop/desktop monitor. By transferring X11 information, you can effectively display the desktop of one computer on any other computer on the internet; the server will be viewed as a window on the client, which is the typical, and standard, function of VNC server software.

An old, famous, and rather popular type of server is the internet proxy server. SQUID is an extremely popular piece of server software. With it any computer on the internet can connect to the SQUID server, and in turn connect to the internet. By connecting to the internet through the proxy server, all information being sent via the web browser appears to originate from the server computer's IP address.

A mail server is software that comes in two parts. First is the MTA: Mail Transport Agent. This piece of software isn’t really a server, and its purpose is to accept and transmit emails. It is also responsible for routing emails, to particular domain names, to particular users on the local machine. Then steps in a program like Dovecot or Postfix. These software packages allow the remote login of a client that has a verified local account, for the purpose of retrieving emails routed, and stored, by the Sendmail MTA. Dovecot is the server, and Sendmail can be considered the facilitator, because without mail transport Dovecot would have nothing to do all day.

DNS servers provide domain name to IP address conversion. It's really as simple as that: you punch a couple of words into your web browser, then one of many DNS servers on the internet automatically converts the words into an IP address. Your web browser is then forwarded to the IP address provided, and access to the web server, on port 80, is provided. Cheers to your server projects.
SSH-Agent Debian Etch
Aug 17th
An out-of-the-box Debian Etch installation comes with the standard ssh client. Users accustomed to using pre-shared RSA or DSA keys and loading them with the ssh-agent command, however, will have to install the following package:
sudo apt-get install ssh-askpass
After installing this package, your ssh connection scripts will work as expected.


