AMMRL: linux/unix security

From: William C. Stevens <wstevens_at_siu.edu>
Date: Thu, 21 Dec 2006 16:24:40 -0600

Bill Gurley's not wrong about anything he wrote concerning sshd
configuration or tcp wrappers, but I'll throw in my $0.02.

I would make the listen port non-standard. That's settable in
sshd_config. I note that my /var/log/authlog shows lots of intrusion
attempts on my Solaris boxes that are connected on port 22, but no
attempts on the nonstandard port.

I would also make hosts.allow more restrictive - as restrictive as
possible. I have for example only

sshd: LOCAL, .chem.siu.edu, (and my home IP)

so that ssh is the only service available and only to the users. I
also use the Linksys boxes in front of each host. I got burned too
often by a daemon I didn't know was running. This way, you can leave
telnet and ftp running and transfer stuff back and forth between
machines on the same side of the Linksys. As I recall, a data
transfer to a PC from a Sun is about 600x faster with ftp than scp or sftp.

Best holiday wishes to you all.

Bill

William C. Stevens, Ph.D. Director
Nuclear Magnetic Resonance Facility
Southern Illinois University
Carbondale, IL 62901
618-453-6498 voice / -6408 fax / 521-9892 cell
http://opie.nmr.siu.edu
Received on Thu Dec 21 2006 - 21:35:56 MST
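The two settings Bill describes (a non-standard Port in sshd_config and a hosts.allow line that admits sshd only from LOCAL, .chem.siu.edu and one home address) are easy to get subtly wrong, so here is an added example that is not part of the original message or the AMMRL archive: a POSIX sh script that checks an sshd_config for the default port, reads back the client list hosts.allow grants to sshd, confirms hosts.deny has the catch-all "ALL: ALL" (tcp_wrappers lets a client in when neither file matches, so a tight hosts.allow on its own restricts nothing), and tallies "Failed password" lines per source address the way one would eyeball /var/log/authlog. All file contents, the host name and the addresses are constructed samples (RFC 5737 documentation ranges), and the temporary paths are an assumption.

```shell
#!/bin/sh
# Added example, not code from the original post. Checks for the settings
# discussed above; every file below is a constructed sample, not a real host.

# sshd_listen_ports FILE: print the port(s) sshd would listen on per FILE,
# i.e. every uncommented "Port" directive, or 22 when there is none.
sshd_listen_ports() {
    ports=$(awk 'tolower($1) == "port" { print $2 }' "$1")
    [ -n "$ports" ] && printf '%s\n' "$ports" || echo 22
}

# uses_default_port FILE: succeed (exit 0) when port 22 is still in use.
uses_default_port() {
    sshd_listen_ports "$1" | grep -qx 22
}

# hosts_allow_clients FILE: print the client list(s) FILE grants to sshd
# (rules whose daemon list names sshd or ALL); prints nothing otherwise.
hosts_allow_clients() {
    awk -F: '
        /^[ \t]*#/ || NF < 2 { next }
        $1 ~ /(^|[ \t,])(sshd|ALL)([ \t,]|$)/ {
            sub(/^[ \t]+/, "", $2); sub(/[ \t]+$/, "", $2); print $2
        }' "$1"
}

# hosts_deny_all FILE: succeed when FILE has a catch-all "ALL: ALL" line.
# tcp_wrappers grants access when neither hosts.allow nor hosts.deny
# matches, so without this line a restrictive hosts.allow changes nothing.
hosts_deny_all() {
    grep -Eq '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL([[:space:]]|$|:)' "$1"
}

# failed_ssh_by_source FILE: count sshd "Failed password" lines per source
# address, busiest first (the syslog line format OpenSSH writes).
failed_ssh_by_source() {
    grep 'sshd\[[0-9]*\]: .*Failed password' "$1" \
        | sed -n 's/.* from \([^ ]*\) port [0-9]* .*/\1/p' \
        | sort | uniq -c | sort -rn
}

# --- constructed sample files (assumed paths under a temp dir) ---
DEMO=$(mktemp -d)
cat > "$DEMO/sshd_config.before" <<'EOF'
#Port 22
PasswordAuthentication yes
EOF
cat > "$DEMO/sshd_config.after" <<'EOF'
Port 2222
PasswordAuthentication yes
EOF
cat > "$DEMO/hosts.allow" <<'EOF'
# ssh is the only service, and only from the lab and one home address
sshd: LOCAL, .chem.siu.edu, 198.51.100.7
EOF
cat > "$DEMO/hosts.deny" <<'EOF'
ALL: ALL
EOF
cat > "$DEMO/authlog" <<'EOF'
Dec 21 03:11:02 nmrhost sshd[4021]: [ID 800047 auth.info] Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
Dec 21 03:11:05 nmrhost sshd[4021]: [ID 800047 auth.info] Failed password for invalid user admin from 192.0.2.10 port 51240 ssh2
Dec 21 03:11:09 nmrhost sshd[4021]: [ID 800047 auth.info] Failed password for root from 192.0.2.10 port 51251 ssh2
Dec 21 08:40:13 nmrhost sshd[4188]: [ID 800047 auth.info] Failed password for labuser from 198.51.100.7 port 49152 ssh2
Dec 21 08:40:20 nmrhost sshd[4188]: [ID 800047 auth.info] Accepted publickey for labuser from 198.51.100.7 port 49152 ssh2
EOF

for f in before after; do
    if uses_default_port "$DEMO/sshd_config.$f"; then
        echo "sshd_config.$f: still listening on 22"
    else
        echo "sshd_config.$f: listens on $(sshd_listen_ports "$DEMO/sshd_config.$f" | tr '\n' ' ')"
    fi
done
echo "hosts.allow grants sshd to: $(hosts_allow_clients "$DEMO/hosts.allow")"
hosts_deny_all "$DEMO/hosts.deny" && echo "hosts.deny has ALL: ALL (default deny)"
echo "failed logins by source:"
failed_ssh_by_source "$DEMO/authlog"
```

Point the functions at /etc/ssh/sshd_config, /etc/hosts.allow, /etc/hosts.deny and the real auth log to run the same checks on a live box; moving the port hides a host from scanners that only try 22, but the hosts.allow and hosts.deny pair is what actually refuses a connection from outside the lab.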
