On Tuesday 21 September 2004 2:32 pm, Richard Kettlewell wrote:
If you can use public key authentication instead of a password that'd probably improve matters further.
Tis sound advice indeed, however if you really must have a password based login then I strongly suggest that you set PermitRootLogin to no
I can't think of any good reason why you would need to log in directly as root, by eliminating default usernames like root you suddenly make it a lot more difficult for someone to perform a dictionary attack on your system.
The best bit about this is that from the client end ssh behaves exactly the same way as if you have misstyped the root password, it doesn't say root login denied. I get a sort of sadistic satisfaction watching failed login attempts to root (yeh, and even if you knew my password you ain't getting in that way pal)
Another worthwhile modification may be to set Protocol to 2 rather than the too often seen default of 2 and 1 ssh protocol 1 has been broken in the past and AFAIK most clients support the stronger protocol 2
Also you can consider the possibility of running ssh on an obscure port rather than the default of 22, not sure how much value this has any more as there are port scanners that can easily detect that port foo is actually ssh pretending to be something else. But it does probably stop script kiddy subnet hammering appearing in your logs.