Re: need an efficient and secure sshd_config



2009/7/14 J. Bakshi <bakshi12@xxxxxxxxx>:
On Mon, 13 Jul 2009 10:00:52 +0200
matteo filippetto <matteo.filippetto@xxxxxxxxx> wrote:

2009/7/12 J. Bakshi <bakshi12@xxxxxxxxx>:
Dear list,

I am running openssh-server __1:5.1p1-5+b1 on a remote debian box.
There are a number of online docs on sshd configuration. I am afraid to
say that even after reading a number of such tutorials I am still confused. I
am looking for an sshd_config file which is both strict about
security as well as efficient in controlling its clients. For example, it should
force the client to use compression, it should survive a poor
internet connection, and have other good features which make it a good ssh
server.

Could anyone please suggest such an sshd_config?

Here is mine

```
Port 47015
Protocol 2
PermitRootLogin no
PasswordAuthentication no
UsePAM yes
X11Forwarding no
```

thanks


Hi,

maybe you can read this discussion

http://www.governmentsecurity.org/forum/index.php?showtopic=6051

and for sure take a look at the official documentation

http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5

Bye


Thanks for your response, but I have not found yet what I'm looking for. I need the configuration which actually suppresses the hostname and the domain/IP on the client side; the client will only be prompted for a password. The second thing: the sshd should allow the client to stay connected even for half an hour without executing any command. Is there any such configuration in openssh?

Thanks


Hi,

if you read this
http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5

you will find some options like

Banner The contents of the specified file are sent to the remote user
before authentication is allowed. If the argument is ``none''
then no banner is displayed. This option is only available for
protocol version 2. By default, no banner is displayed.

TCPKeepAlive
Specifies whether the system should send TCP keepalive messages
to the other side. If they are sent, death of the connection or
crash of one of the machines will be properly noticed. However,
this means that connections will die if the route is down temporarily,
and some people find it annoying. On the other hand,
if TCP keepalives are not sent, sessions may hang indefinitely on
the server, leaving ``ghost'' users and consuming server resources.

The default is ``yes'' (to send TCP keepalive messages), and the
server will notice if the network goes down or the client host
crashes. This avoids infinitely hanging sessions.

To disable TCP keepalive messages, the value should be set to
``no''.


and for client (http://www.openbsd.org/cgi-bin/man.cgi?query=ssh_config&sektion=5)

ServerAliveCountMax
Sets the number of server alive messages (see below) which may be
sent without ssh(1) receiving any messages back from the server.
If this threshold is reached while server alive messages are being
sent, ssh will disconnect from the server, terminating the
session. It is important to note that the use of server alive
messages is very different from TCPKeepAlive (below). The server
alive messages are sent through the encrypted channel and therefore
will not be spoofable. The TCP keepalive option enabled by
TCPKeepAlive is spoofable. The server alive mechanism is valuable
when the client or server depend on knowing when a connection
has become inactive.

The default value is 3. If, for example, ServerAliveInterval
(see below) is set to 15 and ServerAliveCountMax is left at the
default, if the server becomes unresponsive, ssh will disconnect
after approximately 45 seconds. This option applies to protocol
version 2 only.

ServerAliveInterval
Sets a timeout interval in seconds after which if no data has
been received from the server, ssh(1) will send a message through
the encrypted channel to request a response from the server. The
default is 0, indicating that these messages will not be sent to
the server. This option applies to protocol version 2 only.

TCPKeepAlive
Specifies whether the system should send TCP keepalive messages
to the other side. If they are sent, death of the connection or
crash of one of the machines will be properly noticed. However,
this means that connections will die if the route is down temporarily,
and some people find it annoying.

The default is ``yes'' (to send TCP keepalive messages), and the
client will notice if the network goes down or the remote host
dies. This is important in scripts, and many users want it too.

To disable TCP keepalive messages, the value should be set to
``no''.


Bye
--
Matteo Filippetto
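An added example, not posted by either participant: a small POSIX shell audit that checks a constructed sshd_config for the hardening settings quoted above and works out the dead-peer timeout (interval x count, the 15 x 3 = 45 s case from the man page). It assumes the server-side keywords ClientAliveInterval and ClientAliveCountMax, which are real sshd_config options not quoted in the thread and are the server-side counterpart of the ServerAlive* client options; an idle client still answers the probes, so with 300 x 6 the half-hour idle session survives while a dead client is dropped after 1800 s.

```shell
#!/bin/sh
# Constructed sample sshd_config: the poster's settings plus the keepalive options.
# ClientAliveInterval/ClientAliveCountMax are real sshd keywords assumed here, not
# quoted in the thread; they are the server-side form of ServerAliveInterval/CountMax.
SAMPLE_SSHD_CONFIG='Port 47015
Protocol 2
PermitRootLogin no
PasswordAuthentication no
UsePAM yes
X11Forwarding no
Banner none
TCPKeepAlive yes
ClientAliveInterval 300
ClientAliveCountMax 6'

# Effective value of one keyword: sshd honours the first match, keywords are
# case-insensitive, comment lines are ignored. Prints "(default)" when unset.
sshd_opt() {  # $1 = config text, $2 = keyword
    printf '%s\n' "$1" | awk -v k="$2" '
        $1 ~ /^#/ || NF < 2 { next }
        tolower($1) == tolower(k) { print $2; found = 1; exit }
        END { if (!found) print "(default)" }'
}

# Seconds until an unresponsive peer is dropped: interval * count (15 * 3 = 45).
alive_timeout() { echo $(( $1 * $2 )); }

# Check the hardening settings discussed in the thread; return 1 on any mismatch.
audit_sshd() {  # $1 = config text
    rc=0
    for want in 'Protocol 2' 'PermitRootLogin no' 'PasswordAuthentication no' \
                'X11Forwarding no' 'TCPKeepAlive yes'; do
        key=${want%% *}; exp=${want#* }
        got=$(sshd_opt "$1" "$key")
        if [ "$got" != "$exp" ]; then echo "MISMATCH $key: got $got, want $exp"; rc=1; fi
    done
    return $rc
}

# Stand-alone run: audit the sample and report how long a dead client lingers.
main() {
    audit_sshd "$SAMPLE_SSHD_CONFIG" && echo "sshd_config: all checked options OK"
    i=$(sshd_opt "$SAMPLE_SSHD_CONFIG" ClientAliveInterval)
    c=$(sshd_opt "$SAMPLE_SSHD_CONFIG" ClientAliveCountMax)
    echo "unresponsive client dropped after $(alive_timeout "$i" "$c") s"
}
main "$@"
```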


