Tuesday, September 2, 2008

Securing SSH access in Redhat Fedora Core 9

SSH is a powerful tool for administering your Linux computer. However, that also makes the SSH service a target for wannabe hackers. Port 22 is the default, and therefore the most commonly targeted, port for SSH. I changed my SSH configuration to use a non-standard port to throw off these lazy hackers.
Securing SSH in Red Hat Fedora Core 9

* vi /etc/ssh/sshd_config
* Add Port 6940 under where it says #Port 22

#Port 22
Port 6940
#AddressFamily any

* Only Protocol 2 is enabled by default; do not enable Protocol 1, because it is insecure.
* Uncomment PermitRootLogin yes
* Change to PermitRootLogin no

#PermitRootLogin yes
PermitRootLogin no

You will get an SELinux error when you restart the sshd service after these changes. SSH will no longer accept connections on any port. Oddly enough, your existing SSH connection should still work until all these steps are completed.

* /usr/sbin/semanage port -a -t sshd_t -p tcp 6940
* /etc/rc.d/init.d/sshd restart
* audit2allow -M local -l -i /var/log/audit/audit.log
  (the -M option itself writes local.te and local.pp to the current directory; redirecting its output with > local.te overwrites the start of the generated file with the message shown below)

******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i local.pp


#============= sshd_t ==============
allow sshd_t self:tcp_socket name_bind;

* The contents of my local.te file are shown above. Do not create this file by hand. It will not work. There is another binary file called local.pp that goes with it. I don’t know what you should do if you have other entries besides what is shown above. I would clear all the SELinux warnings through GNOME, restart sshd again and rerun the audit2allow command shown above.
* /usr/sbin/semodule -i local.pp
o To import new SELinux settings.
* /etc/rc.d/init.d/sshd restart
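As an added example (not code from the original post), the following POSIX shell script checks an sshd_config for the three settings changed above and prints the semanage command for a non-standard port. It assumes awk is available and uses the port type ssh_port_t, which is the type the targeted policy uses for SSH ports; the semanage line earlier in this post names the sshd_t process domain, which 'semanage port' does not accept as a port type.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config for the
# three settings changed above and emit the SELinux port label command.
# Assumes POSIX sh plus awk; the config path is passed as a parameter.

# Print the effective value of a keyword: the first uncommented occurrence
# wins, which is how sshd itself reads the file (keywords are case-insensitive).
sshd_setting() {
    awk -v key="$2" '
        $1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Return 0 when the config matches the hardened state described in the post,
# 1 otherwise, printing one WARN line per finding.
check_sshd_config() {
    cfg="$1"; rc=0
    port=$(sshd_setting "$cfg" Port)
    root=$(sshd_setting "$cfg" PermitRootLogin)
    proto=$(sshd_setting "$cfg" Protocol)
    # A missing Port line means the compiled-in default, 22.
    if [ -z "$port" ] || [ "$port" = "22" ]; then
        echo "WARN: sshd listens on the default port 22"; rc=1
    fi
    # '#PermitRootLogin yes' in the stock file documents the default: yes.
    if [ "${root:-yes}" != "no" ]; then
        echo "WARN: PermitRootLogin is '${root:-yes}', should be 'no'"; rc=1
    fi
    # The post states Protocol 2 is the FC9 default; flag any value listing 1.
    case "${proto:-2}" in
        *1*) echo "WARN: Protocol 1 is enabled ('$proto')"; rc=1 ;;
    esac
    return $rc
}

# The semanage command that labels a non-standard TCP port for sshd.
# ssh_port_t is the port type in the targeted policy (sshd_t is the daemon's
# process domain and is not accepted by 'semanage port').
selinux_port_cmd() {
    echo "semanage port -a -t ssh_port_t -p tcp $1"
}

# Demo on a constructed config matching the post's final state.
demo_cfg=$(mktemp)
printf '#Port 22\nPort 6940\nProtocol 2\n#PermitRootLogin yes\nPermitRootLogin no\n' > "$demo_cfg"
if check_sshd_config "$demo_cfg"; then echo "OK: hardened"; else echo "needs work"; fi
selinux_port_cmd "$(sshd_setting "$demo_cfg" Port)"
rm -f "$demo_cfg"
```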
