Dial Tone

locking down SSH on OSX

3 posts in this topic

I've enabled SSH on an OSX box at home so I can have a secure tunnel when I'm out and about. I made it so only a non admin account can be accessed remotely and gave it a strong password.

I'd also like to change the port it operates on to avoid script kiddies scanning everyone on the subnet for an open port 22 - how would I do this?

P.S. Also, how can I rate limit logon attempts (i.e. three strikes, then ban an IP from logging in for 15 min.)?


Change default sshd port (If ssh is enabled by the pref-pane) http://www.macosxhints.com/article.php?story=20050707140439980

The second thing I haven't done, and it seems it would require a bunch of questionable scripts to work.

Instead, you can use ssh keys rather than typing in a password. Only having a copy of the public key on your login computer will allow you to access the target computer. It all depends on how you expect to access your computer and from where. From work or a laptop at school? Ssh keys are fine. A random, locked-down computer? Not so much.

Personally, I manually launch sshd from terminal with "sshd -p 666"

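The port change and the switch to keys described in the reply above, as an added worked example (not code from the thread or from Apple): a shell script that writes a hardened sshd_config and a small audit that reads back the effective settings. The port 2222, the login user "tunnel" and the file paths are placeholder assumptions. Two caveats a practitioner should keep in mind: sshd uses the first value it finds for each keyword, so the hardened lines must come before any defaults (and "Match" blocks are not handled by the checker); and on the OS X releases of that era, launchd owned sshd's listening socket (the "ssh" SockServiceName in /System/Library/LaunchDaemons/ssh.plist, resolved through /etc/services), so a Port line in sshd_config is ignored unless that is changed too, which is what the macosxhints link covers. A non-default port only hides the service from background sweeps of port 22; it does nothing against a scanner that probes all ports, so the key-only login is the part that actually matters.

```shell
#!/bin/sh
# Added example: generate a hardened sshd_config and verify its effective settings.
# Assumptions (not from the thread): port 2222, user "tunnel", output paths.

# Write the hardened fragment. sshd honours the FIRST occurrence of a keyword,
# so install this at the top of the file, ahead of any shipped defaults.
write_hardened_sshd_config() {
    # $1 = destination file, $2 = listening port, $3 = the one non-admin login user
    cat > "$1" <<EOF
# Non-default port: avoids background port-22 sweeps only, not targeted scans.
Port $2
Protocol 2
# Only the dedicated tunnel account may log in, and never root.
AllowUsers $3
PermitRootLogin no
# Keys only: a password guesser then has nothing to guess.
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
# Drop the connection after 3 bad attempts; cut off idle unauthenticated clients.
MaxAuthTries 3
LoginGraceTime 30
# Allow the tunnel itself, but no X11.
AllowTcpForwarding yes
X11Forwarding no
EOF
}

# Print the effective value of one keyword from a config file, using sshd's
# first-match rule (comments skipped, keyword case-insensitive, Match blocks ignored).
sshd_effective() {
    # $1 = config file, $2 = keyword
    awk -v key="$2" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Flag the settings that let a remote password guesser in. A missing keyword means
# sshd's default applies, and for PasswordAuthentication and Port that default is
# the weak one, so an empty value is reported too. Returns 1 if anything was flagged.
audit_sshd_config() {
    f="$1"; bad=0
    [ "$(sshd_effective "$f" PasswordAuthentication)" = "no" ] ||
        { echo "PasswordAuthentication is not 'no'"; bad=1; }
    [ "$(sshd_effective "$f" PermitRootLogin)" = "no" ] ||
        { echo "PermitRootLogin is not 'no'"; bad=1; }
    [ -n "$(sshd_effective "$f" Port)" ] && [ "$(sshd_effective "$f" Port)" != "22" ] ||
        { echo "Port is 22 (default)"; bad=1; }
    [ -n "$(sshd_effective "$f" AllowUsers)" ] ||
        { echo "AllowUsers is unset: every local account can be tried"; bad=1; }
    return $bad
}

# Typical use on the Mac (paths are assumptions; older releases used /etc/sshd_config,
# newer ones /etc/ssh/sshd_config). `sshd -t -f FILE` is OpenSSH's syntax check:
#   write_hardened_sshd_config /tmp/sshd_config.new 2222 tunnel
#   sshd -t -f /tmp/sshd_config.new && sudo cp /tmp/sshd_config.new /etc/sshd_config
#   audit_sshd_config /etc/sshd_config
```

Run the audit against the live file before and after the change: on a stock config it reports the default password login and port, and exits non-zero; on the generated one it is silent. Keep a second terminal session open while restarting sshd so a typo in the new file cannot lock you out.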

I have a setup with a computer on my home network to tunnel into when I'm at work/out and about.

I left the default port as is but changed the router to open a port in a high number (10000+) and have it translate to 22 on my LAN.

I also setup a dyndns on my router just in case my router crashes so I always am able to connect in when the public IP changes.

As for rate limiting, I am afraid I do not know about this but setting a long, complex password will suffice. (Mine is 20 alphanumeric with special chars (and easy to remember :s))

