Klaas01
28/02/18, 18:07
Instellingen SSH.conf bestand, een heel mooi punt die #Spyder01aanhaalde.
Inderdaad heb ik wel de poort aangepast, maar dit blijkt een lap middel te zijn. Er blijkt veel meer gedaan te worden om dat alles veilig te maken.
Heel mooi, en ik ben dan ook eens gaan zoeken op internet, en kwam dan ook op de deze website terecht (https://www.ssh.com/ssh/sshd_config/#sec-AuthorizedKeysFile-location)
IUk ben aan het lezen, en haalde SSH.conf bestand erbij om te vergelijken. EN dan raak ik helemaal van slag door de stroom van informatie die daar staat beschreven. En dan al zeker diverse benamingen die ik niet eens ken. Voor de duidelijkheid zal ik mijn SSH.conf bestand hier plaatsen, wat er zoals is aangepast.
# $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=PORTNUMBER)
#
Port 1456
#AddressFamily (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=AddressFamily) any
#ListenAddress (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=ListenAddress)
#ListenAddress (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=ListenAddress) ::
# The default requires explicit activation of protocol 1
#Protocol (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=Protocol) 2
# HostKey for protocol version 1
#HostKey (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=HostKey) /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=HostKey) /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=KeyRegenerationInterval) 1h
#ServerKeyBits (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=ServerKeyBits) 1024
# Ciphers and keying
#RekeyLimit (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=RekeyLimit) default none
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=SyslogFacility) AUTH
SyslogFacility AUTHPRIV
LogLevel VERBOSE
# Authentication:
#LoginGraceTime (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=LoginGraceTime) 2m
PermitRootLogin forced-commands-only
#StrictModes (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=StrictModes) yes
MaxAuthTries 2
MaxSessions 10
#RSAAuthentication (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=RSAAuthentication) yes
PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile /etc/ssh/authorized-keys/%u
#AuthorizedPrincipalsFile (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=AuthorizedPrincipalsFile) none
#AuthorizedKeysCommand (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=AuthorizedKeysCommand) none
#AuthorizedKeysCommand (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=AuthorizedKeysCommand) User nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=RhostsRSAAuthentication) no
# similar for protocol version 2
#HostbasedAuthentication (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=HostbasedAuthentication) no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=IgnoreUserKnownHosts) no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=IgnoreRhosts) yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=PasswordAuthentication) yes
#PermitEmptyPasswords (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=PermitEmptyPasswords) no
PasswordAuthentication no
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=ChallengeResponseAuthentication) yes
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=KerberosAuthentication) no
#KerberosOrLocalPasswd (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=KerberosOrLocalPasswd) yes
#KerberosTicketCleanup (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=KerberosTicketCleanup) yes
#KerberosGetAFSToken (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=KerberosGetAFSToken) no
#KerberosUseKuserok (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=KerberosUseKuserok) yes
# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=GSSAPIStrictAcceptorCheck) yes
#GSSAPIKeyExchange (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=GSSAPIKeyExchange) no
#GSSAPIEnablek5users (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=GSSAPIEnablek5users) no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
# problems.
UsePAM yes
AllowAgentForwarding yes
#AllowTcpForwarding (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=AllowTcpForwarding) yes
#GatewayPorts (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=GatewayPorts) no
X11Forwarding yes
#X11DisplayOffset (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=X11DisplayOffset) 10
#X11UseLocalhost (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=X11UseLocalhost) yes
#PermitTTY (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=PermitTTY) yes
#PrintMotd (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=PrintMotd) yes
#PrintLastLog (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=PrintLastLog) yes
#TCPKeepAlive (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=TCPKeepAlive) yes
#UseLogin (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=UseLogin) no
UsePrivilegeSeparation sandbox # Default for new installations.
#PermitUserEnvironment (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=PermitUserEnvironment) no
#Compression (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=Compression) delayed
#ClientAliveInterval (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=ClientAliveInterval) 0
#ClientAliveCountMax (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=ClientAliveCountMax) 3
#ShowPatchLevel (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=ShowPatchLevel) no
UseDNS no
#PidFile (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=PidFile) /var/run/sshd.pid
#MaxStartups (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=MaxStartups) 10:30:100
PermitTunnel no
#ChrootDirectory (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=ChrootDirectory) none
#VersionAddendum (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=VersionAddendum) none
# no default banner path
Banner /etc/banner
# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=Match) User anoncvs
# X11Forwarding no
AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
Goed vele op de website van SSH, komen niet eens voor in het bestand van directadmin. Dan wordt er gesproken over Ciphers
Specified the ciphers allowed. The ciphers supported in OpenSSH 7.3
Goed begrijp er totaal niets meer van wat ik nu wel en absoluut niet moet doen.
Zou iemand mij kunnen helpen met deze situatie, dit stel ik ongelooflijk op prijs.
Inderdaad heb ik wel de poort aangepast, maar dit blijkt een lap middel te zijn. Er blijkt veel meer gedaan te worden om dat alles veilig te maken.
Heel mooi, en ik ben dan ook eens gaan zoeken op internet, en kwam dan ook op de deze website terecht (https://www.ssh.com/ssh/sshd_config/#sec-AuthorizedKeysFile-location)
IUk ben aan het lezen, en haalde SSH.conf bestand erbij om te vergelijken. EN dan raak ik helemaal van slag door de stroom van informatie die daar staat beschreven. En dan al zeker diverse benamingen die ik niet eens ken. Voor de duidelijkheid zal ik mijn SSH.conf bestand hier plaatsen, wat er zoals is aangepast.
# $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=PORTNUMBER)
#
Port 1456
#AddressFamily (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=AddressFamily) any
#ListenAddress (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=ListenAddress)
#ListenAddress (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=ListenAddress) ::
# The default requires explicit activation of protocol 1
#Protocol (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=Protocol) 2
# HostKey for protocol version 1
#HostKey (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=HostKey) /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=HostKey) /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=KeyRegenerationInterval) 1h
#ServerKeyBits (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=ServerKeyBits) 1024
# Ciphers and keying
#RekeyLimit (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=RekeyLimit) default none
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=SyslogFacility) AUTH
SyslogFacility AUTHPRIV
LogLevel VERBOSE
# Authentication:
#LoginGraceTime (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=LoginGraceTime) 2m
PermitRootLogin forced-commands-only
#StrictModes (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=StrictModes) yes
MaxAuthTries 2
MaxSessions 10
#RSAAuthentication (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=RSAAuthentication) yes
PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile /etc/ssh/authorized-keys/%u
#AuthorizedPrincipalsFile (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=AuthorizedPrincipalsFile) none
#AuthorizedKeysCommand (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=AuthorizedKeysCommand) none
#AuthorizedKeysCommand (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=AuthorizedKeysCommand) User nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=RhostsRSAAuthentication) no
# similar for protocol version 2
#HostbasedAuthentication (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=HostbasedAuthentication) no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=IgnoreUserKnownHosts) no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=IgnoreRhosts) yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=PasswordAuthentication) yes
#PermitEmptyPasswords (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=PermitEmptyPasswords) no
PasswordAuthentication no
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=ChallengeResponseAuthentication) yes
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=KerberosAuthentication) no
#KerberosOrLocalPasswd (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=KerberosOrLocalPasswd) yes
#KerberosTicketCleanup (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=KerberosTicketCleanup) yes
#KerberosGetAFSToken (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=KerberosGetAFSToken) no
#KerberosUseKuserok (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=KerberosUseKuserok) yes
# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=GSSAPIStrictAcceptorCheck) yes
#GSSAPIKeyExchange (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=GSSAPIKeyExchange) no
#GSSAPIEnablek5users (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=GSSAPIEnablek5users) no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
# problems.
UsePAM yes
AllowAgentForwarding yes
#AllowTcpForwarding (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=AllowTcpForwarding) yes
#GatewayPorts (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=GatewayPorts) no
X11Forwarding yes
#X11DisplayOffset (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=X11DisplayOffset) 10
#X11UseLocalhost (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=X11UseLocalhost) yes
#PermitTTY (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=PermitTTY) yes
#PrintMotd (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=PrintMotd) yes
#PrintLastLog (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=PrintLastLog) yes
#TCPKeepAlive (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=TCPKeepAlive) yes
#UseLogin (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=UseLogin) no
UsePrivilegeSeparation sandbox # Default for new installations.
#PermitUserEnvironment (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=PermitUserEnvironment) no
#Compression (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=Compression) delayed
#ClientAliveInterval (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=ClientAliveInterval) 0
#ClientAliveCountMax (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=ClientAliveCountMax) 3
#ShowPatchLevel (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=ShowPatchLevel) no
UseDNS no
#PidFile (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=PidFile) /var/run/sshd.pid
#MaxStartups (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=MaxStartups) 10:30:100
PermitTunnel no
#ChrootDirectory (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=ChrootDirectory) none
#VersionAddendum (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=VersionAddendum) none
# no default banner path
Banner /etc/banner
# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match (https://www.webhostingtalk.nl/usertag.php?do=list&action=hash&hash=Match) User anoncvs
# X11Forwarding no
AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
Goed vele op de website van SSH, komen niet eens voor in het bestand van directadmin. Dan wordt er gesproken over Ciphers
Specified the ciphers allowed. The ciphers supported in OpenSSH 7.3
Goed begrijp er totaal niets meer van wat ik nu wel en absoluut niet moet doen.
Zou iemand mij kunnen helpen met deze situatie, dit stel ik ongelooflijk op prijs.