add sshd_config lines
parent
b898de2fcd
commit
d7cd5dc5a2
14
README.md
@ -8,4 +8,16 @@ Luckily opennsh made autossh redundant because it already offers built-in monito
|
|||
## Disclaimer
|
||||
|
||||
When you follow this guide, you can make otherwise protected services accessible to the public Internet (when using `ssh -R`). This might be an attack vector into your protected network.
|
||||
When you don't set restrictions properly, an attacker might gain access to your server, either via direct shell access or through forwarding the port of your unprotected service (e.g. a database on localhost).
|
||||
When you don't set restrictions properly, an attacker might gain access to your server, either via direct shell access or through forwarding the port of your unprotected service (e.g. a database on localhost).
|
||||
|
||||
## Server configuration
|
||||
|
||||
### `/etc/ssh/sshd_config`
|
||||
|
||||
Add or change the following lines:
|
||||
```
|
||||
GatewayPorts clientspecified
|
||||
ClientAliveInterval 5
|
||||
ClientAliveCountMax 3
|
||||
```
|
||||
This allows any user to forward his local ports to an unprivileged public port on the server (`ssh -R`). You have to restrict this late on through the `permitlisten` variable in the `authorized_keys file`. The other two variables specify how often the server should send keep alive messages and how many missed messages from the client it will tolerate. The same has to be set on the client side, but there it can be done as a parameter.
|
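Review bot: the paragraph following the config block needs a wording fix and a sharper statement of the risk it introduces. "late on" should read "later on", and the code span is misplaced: `authorized_keys file` should be `authorized_keys` file, with the backticks around the filename only. More importantly, the text should say plainly that with `GatewayPorts clientspecified` any holder of an accepted key can bind an unprivileged port on the server's public interfaces with `ssh -R` until a `permitlisten="host:port"` option is added to that key's line in `authorized_keys`; it is worth pointing out the sshd_config alternative of a `Match User` block that sets `AllowTcpForwarding remote` for the forwarding account only, so the capability is not granted to every user. The final sentence should name the client-side counterparts instead of saying "as a parameter", e.g. `-o ServerAliveInterval=5 -o ServerAliveCountMax=3`. The hunk's context line also misspells OpenSSH as "opennsh".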