[opensource-announce] MEETING [04/09/09]: Effective sshd_config
James Dinan
dinan at cse.ohio-state.edu
Thu Apr 9 12:12:40 EDT 2009
Great topic!
Somebody from the club asked me a while back how I get a banner message
to display before the ssh login prompt and I don't think I ever
responded. For example, how to get:
----
Welcome to myserver.com!
Unauthorized access prohibited. Seriously,
if you don't belong here get lost. This
machine is protected by mutant pirate ninjas
who will totally wreck you if you try to
break in.
password:
----
To do this, add this line to /etc/ssh/sshd_config:
Banner /etc/issue.net
And then modify issue.net with your banner message. If you'd rather not
use issue.net then you could create a separate issue.ssh and use that
instead.
Another great ssh trick to cover would be how to use ssh as a dynamic
SOCKS proxy. To do this, you run this ssh command to establish a
dynamic tunnel:
$ ssh -D local_port proxy_host
Then you can configure your program (e.g. firefox or thunderbird) to use
localhost:local_port as a SOCKS proxy. All of your traffic will travel
through the secure tunnel and be serviced by proxy_host. This is an
easy way to get better security when you're on an unsecured network (e.g.
accessing your credit card account on airport/hotel wireless). There's
a nice little GUI program called gSTM for managing your SSH tunnels.
For more info on how it works, check out the ssh manpage.
Best,
~Jim.
Aaron Joseph wrote:
>
> This Thursday [4/9/09] Alek will be giving a talk on how to secure your
> shell server through effective configuration.
>
> Tricks will include:
> --Disable root login
> --Public/private keys
> --Disable X11 forwarding
> --Login attempts/timeout
> --Only allow certain usernames to login
> --Only allow certain groups to login
> --Interaction with PAM
> --Allow by ip address
> --Block by ip address
>
> *****IMPORTANT*****
> We will be in a new room this week. The meeting will be at 7pm in Dreese
> 317.
>
> Sorry for the late notice.
>
> --Aaron Joseph
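
An added example, not part of the original thread: a small audit of the global section of an sshd_config, covering the Banner directive from the reply and the items in the announced talk list. The mapping from those items to keywords, the numeric thresholds and the sample file are assumptions of this example; it reads only the lines before the first Match block.

```python
import re

# Constructed sample input for this example, not a real server's file.
SAMPLE_CONFIG = """\
Banner /etc/issue.net
PermitRootLogin yes
permitrootlogin no
X11Forwarding yes
MaxAuthTries 3
LoginGraceTime 30
AllowGroups sshusers
Match Address 192.0.2.0/24
    PasswordAuthentication yes
"""

# Keyword -> test for a hardened value. The numeric thresholds are this
# example's assumption, and only plain-seconds LoginGraceTime values are read.
CHECKS = {
    "permitrootlogin": lambda v: v == "no",
    "passwordauthentication": lambda v: v == "no",   # key-only logins
    "x11forwarding": lambda v: v == "no",
    "maxauthtries": lambda v: v.isdigit() and int(v) <= 4,
    "logingracetime": lambda v: v.isdigit() and 0 < int(v) <= 60,
    "banner": lambda v: v.startswith("/"),
}

def parse_global(text):
    """Map lowercased keyword -> value for the part of the file before any Match block."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()            # keywords are case-insensitive
        if key == "match":
            break                         # conditional overrides are not audited
        # sshd uses the first value it reads for a keyword; later repeats are ignored.
        settings.setdefault(key, parts[1] if len(parts) > 1 else "")
    return settings

def audit(text):
    """Return keyword -> 'ok', 'weak', or 'unset' (the build's default applies)."""
    cfg = parse_global(text)
    report = {k: ("unset" if k not in cfg else "ok" if ok(cfg[k]) else "weak")
              for k, ok in CHECKS.items()}
    restricted = "allowusers" in cfg or "allowgroups" in cfg
    report["allowusers/allowgroups"] = "ok" if restricted else "unset"
    return report

if __name__ == "__main__":
    for keyword, status in audit(SAMPLE_CONFIG).items():
        print(f"{keyword:24} {status}")
```

In the sample, the later "permitrootlogin no" line has no effect because the earlier "PermitRootLogin yes" is read first, so a hardening line appended to the end of an existing file can be silently ignored.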