From a982385811d6355e47a2852f579df9e3ff3abe14 Mon Sep 17 00:00:00 2001 From: Yunobot Date: Fri, 2 Mar 2018 12:52:42 +0000 Subject: [PATCH 1/5] command to switch over to the new port by restarting SSH. --- security.md | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/security.md b/security.md index c11c7857..18495215 100644 --- a/security.md +++ b/security.md @@ -41,7 +41,9 @@ PasswordAuthentication no ``` Save and restart SSH daemon. - +```bash +/etc/init.d/ssh restart +``` --- ### Modify SSH port @@ -52,13 +54,17 @@ To prevent SSH connection attempts by robots that scan the Internet for any atte ```bash nano /etc/ssh/sshd_config - -# Search line "Port" and remplace port number (by default 22) by another not used number +``` +**Search line "Port" and remplace port number (by default 22) by another not used number +```bash +# What ports, IPs and protocols we listen for Port 22 # to replace by 9777 for example ``` -Save and restart SSH daemon. - +Save and restart SSH daemon. Switch over to the new port by restarting SSH. +```bash +/etc/init.d/ssh restart +``` Then restart the iptables firewall and close the old port in iptables. ```bash @@ -106,7 +112,9 @@ AllowUsers user_name Only users listed in the AllowUsers directive will then be allowed to connect via SSH, which excludes the admin user. Save and restart SSH daemon. - +```bash +/etc/init.d/ssh restart +``` --- ### Disable YunoHost API From 665a1a395a8dc960daa436e987ed33261036032b Mon Sep 17 00:00:00 2001 From: "ljf (zamentur)" Date: Mon, 11 Jun 2018 15:27:21 +0200 Subject: [PATCH 2/5] [fix] Typo --- security.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security.md b/security.md index 18495215..8a99de80 100644 --- a/security.md +++ b/security.md 
@@ -55,7 +55,7 @@ To prevent SSH connection attempts by robots that scan the Internet for any atte ```bash nano /etc/ssh/sshd_config ``` -**Search line "Port" and remplace port number (by default 22) by another not used number +**Search line "Port" and replace** port number (by default 22) by another not used number ```bash # What ports, IPs and protocols we listen for Port 22 # to replace by 9777 for example From 32bf9d5ffad5f0d8f1459bd51682b686f8ac6511 Mon Sep 17 00:00:00 2001 From: "ljf (zamentur)" Date: Mon, 11 Jun 2018 15:35:22 +0200 Subject: [PATCH 3/5] [fix] Add missing firewall rule --- security.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/security.md b/security.md index 8a99de80..b4dcf144 100644 --- a/security.md +++ b/security.md @@ -61,6 +61,11 @@ nano /etc/ssh/sshd_config Port 22 # to replace by 9777 for example ``` +**Open the port** in firewall (you can use -6 option to limit forbid ipv4 connexion) +```bash +yunohost firewall allow TCP 9777 +``` + Save and restart SSH daemon. Switch over to the new port by restarting SSH. ```bash /etc/init.d/ssh restart @@ -70,7 +75,6 @@ Then restart the iptables firewall and close the old port in iptables. ```bash yunohost firewall reload yunohost firewall disallow # port by default 22 -yunohost firewall disallow --ipv6 TCP # for ipv6 ``` **For the next SSH connections ** you need to add the `-p` option followed by the SSH port number. From 8148d89d925a642181512f32b204285a7ae2990a Mon Sep 17 00:00:00 2001 From: "ljf (zamentur)" Date: Mon, 11 Jun 2018 15:42:41 +0200 Subject: [PATCH 4/5] [enh] Add fr version --- security_fr.md | 20 +++++++++++++++++--- 1 file changed, 17 insertions(+), 3 deletions(-) diff --git a/security_fr.md b/security_fr.md index 91d0c980..ca16462f 100644 --- a/security_fr.md +++ b/security_fr.md @@ -50,6 +50,9 @@ PasswordAuthentication no ``` Sauvegardez et relancez le démon SSH. +```bash +systemctl restart ssh +``` --- 
@@ -61,19 +64,27 @@ Pour éviter des tentatives de connexion SSH par des robots qui scannent tout In ```bash nano /etc/ssh/sshd_config - -# Recherchez la ligne « Port » et remplacez le numéro du port (par défaut 22) par un autre numéro non utilisé +``` +**Recherchez la ligne « Port »** et remplacez le numéro du port (par défaut 22) par un autre numéro non utilisé +```bash Port 22 # à remplacer par exemple par 9777 ``` +**Ouvrez le port** choisi dans le parefeu (vous pouvez utiliser l'option -6 pour interdire la connexion via ipv4) ++```bash ++yunohost firewall allow TCP ++``` + ``` Sauvegardez et relancez le démon SSH. +```bash +systemctl restart ssh +``` Ensuite redémarrez le firewall iptables et fermez l’ancien port dans iptables. ```bash yunohost firewall reload yunohost firewall disallow TCP # port par défaut 22 -yunohost firewall disallow --ipv6 TCP # pour ipv6 ``` **Pour les prochaines connexions SSH** il faudra ajouter l’option -p suivie du numéro de port SSH. @@ -115,6 +126,9 @@ AllowUsers nom_utilisateur Seuls les utilisateurs mentionnés dans la directive AllowUsers seront alors autorisés à se connecter via SSH, ce qui exclut donc l’utilisateur admin. Sauvegardez et relancez le démon SSH. +```bash +systemctl restart ssh +``` --- From feaf58cfbf2f3f8be3ce3c482f1091b579d621af Mon Sep 17 00:00:00 2001 From: "ljf (zamentur)" Date: Mon, 11 Jun 2018 15:43:32 +0200 Subject: [PATCH 5/5] [enh] Use systemctl --- security.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/security.md b/security.md index b4dcf144..51beee0a 100644 --- a/security.md +++ b/security.md @@ -42,7 +42,7 @@ PasswordAuthentication no Save and restart SSH daemon. ```bash -/etc/init.d/ssh restart +systemctl restart ssh ``` --- 
@@ -68,7 +68,7 @@ yunohost firewall allow TCP 9777 Save and restart SSH daemon. Switch over to the new port by restarting SSH. ```bash -/etc/init.d/ssh restart +systemctl restart ssh ``` Then restart the iptables firewall and close the old port in iptables. @@ -117,7 +117,7 @@ Only users listed in the AllowUsers directive will then be allowed to connect vi Save and restart SSH daemon. ```bash -/etc/init.d/ssh restart +systemctl restart ssh ``` ---
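Review bot: In the `@@ -52,13 +54,17 @@` hunk of PATCH 1/5 the closing step is incomplete: `yunohost firewall disallow # port by default 22` carries no protocol or port, while the neighbouring lines (`yunohost firewall disallow --ipv6 TCP # for ipv6`, and `yunohost firewall allow TCP 9777` added later in the series) show the expected argument shape. Suggest `yunohost firewall disallow TCP 22` so the old port is actually closed instead of leaving the reader with a usage error. The new sentence `Save and restart SSH daemon. Switch over to the new port by restarting SSH.` says the same thing twice; keep one. The bold opener `**Search line "Port" and remplace ...` lacks its closing `**` and has a typo, both fixed only in PATCH 2/5 (consider squashing). Also, the sample `Port 22 # to replace by 9777 for example` puts a trailing comment on a directive line; the sshd releases current when this was written reject that ("garbage at end of line"), so a reader who copies it verbatim breaks sshd_config. Put the remark in prose or on its own `#` line.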
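Review bot: In PATCH 3/5, opening the new port (`@@ -61,6 +61,11 @@`) before restarting sshd is the right order and is the step whose absence locked readers out, so good fix. The remark "(you can use -6 option to limit forbid ipv4 connexion)" is hard to parse; suggest "(add `-6` to open the port for IPv6 only)" and "connection". The `@@ -70,7 +75,6 @@` hunk deletes `yunohost firewall disallow --ipv6 TCP # for ipv6` without a replacement; if `yunohost firewall disallow` without `-4`/`-6` covers both address families, say so in the comment, otherwise port 22 stays reachable over IPv6 after the change. A one-line reminder to keep the current session open and verify a fresh login on the new port before closing port 22 would also fit here.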
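Review bot: The `@@ -61,19 +64,27 @@` hunk of PATCH 4/5 has three lines prefixed `++` (`++```bash`, `++yunohost firewall allow TCP`, `++````). In a unified diff that adds lines whose content begins with a literal `+`, so security_fr.md would render `+```bash` as text, the fence would never open, and the following context ``` ` ``` ` line would be left unbalanced. Drop the extra `+` on each. The French allow command also omits the port number that the English version carries (`yunohost firewall allow TCP 9777`), and "parefeu" should be "pare-feu". Same remark as for security.md: `yunohost firewall disallow TCP # port par défaut 22` needs the port argument (`TCP 22`).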
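Review bot: PATCH 5/5 (`@@ -42,7 +42,7 @@`, `@@ -68,7 +68,7 @@`, `@@ -117,7 +117,7 @@`) only rewrites the three `/etc/init.d/ssh restart` lines that PATCH 1/5 introduced to `systemctl restart ssh`, matching security_fr.md; the end result is consistent, but squashing it into PATCH 1/5 would avoid a commit in the history that documents a command the series itself replaces.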