Securing SSH access

Lonnie Olson lists at kittypee.com
Fri Apr 4 14:03:26 MDT 2008


Steve Morrey wrote:
> One other thing that I like to do is to move SSH to some port way off in the
> boondocks, something like 3145.
> It of course is not the only thing you should do, but it does make for a
> good and easy-to-use first step.
> It pretty much stops the common dictionary attacker dead in their tracks.
> Another good option is to use a port knock daemon, so a series of ports must
> be pinged in a certain order before the SSH daemon even starts to listen.
> This way ONLY you know how to get in, even if your computer (which contains
> your keys) decides to go for a walk.

I personally hate changing the port SSH listens on.  It adds great 
complexity to day-to-day usage, and the benefit is small.  You either 
have to specify the port number on every call to ssh, or add entries 
into your ~/.ssh/config file for each host that you changed.  Really 
annoying.

IMHO the proper steps to secure SSH access include:
* Audit all user accounts with passwords set and enforce good password 
policy
* Disable root login via ssh "PermitRootLogin no"
* If possible, disable password authentication altogether "UsePAM no"
* Otherwise, consider limiting the connection rate to ssh on the 
firewall, or implement a log watcher to block repeated auth failures.
* If possible use firewall rules to limit access to specific addresses 
or networks
* Consider using AllowUsers, AllowGroups, DenyUsers, DenyGroups in 
sshd_config to limit who is allowed to use SSH.

Many of these steps are good general practice with all internet facing 
services.  Following them will keep you safe without incurring much, if 
any, annoyance penalty.

--lonnie
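The checklist above can be turned into a small audit, shown here as an added example that is not part of the original post or the PLUG thread. It checks a constructed sshd_config fragment for the directives the post names (PermitRootLogin, AllowUsers/AllowGroups; for the "disable password authentication" item it reads PasswordAuthentication, the sshd_config directive that governs password logins), lists accounts that still carry a password hash in a constructed /etc/shadow fragment, and implements the suggested log watcher as a counter over constructed sshd log lines. The config text, shadow entries, log lines, addresses and usernames are all made up for the example; on a real host you would feed it /etc/ssh/sshd_config, /etc/shadow and the auth log instead.

```shell
#!/bin/sh
# Added example, not from the original post: audit sshd settings, shadow
# entries and sshd log lines against the checklist in the message above.

# Constructed sshd_config fragment with the weak settings the post warns about.
WEAK_SSHD_CONFIG='Port 22
PermitRootLogin yes
PasswordAuthentication yes
#AllowUsers ops backup
X11Forwarding no'

# Constructed fragment with the same directives set the way the post recommends.
HARDENED_SSHD_CONFIG='Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowGroups sshusers'

# Constructed /etc/shadow lines; the hash field is a placeholder, not a real hash.
SAMPLE_SHADOW='root:$6$PLACEHOLDER$HASHGOESHERE:13900:0:99999:7:::
daemon:*:13900:0:99999:7:::
alice:$6$PLACEHOLDER$HASHGOESHERE:13900:0:99999:7:::
backup:!:13900:0:99999:7:::'

# Constructed sshd log lines; addresses are from documentation ranges.
SAMPLE_AUTH_LOG='Apr  4 13:58:01 host sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 50011 ssh2
Apr  4 13:58:03 host sshd[2203]: Failed password for invalid user oracle from 203.0.113.7 port 50012 ssh2
Apr  4 13:58:05 host sshd[2205]: Failed password for root from 203.0.113.7 port 50013 ssh2
Apr  4 13:59:10 host sshd[2210]: Failed password for alice from 198.51.100.20 port 41000 ssh2
Apr  4 13:59:15 host sshd[2210]: Accepted publickey for alice from 198.51.100.20 port 41000 ssh2'

# Effective value of one directive.  sshd honours the first occurrence of a
# keyword and matches it case-insensitively; commented lines are skipped.
# Prints nothing when the directive is absent.
sshd_option() {
    printf '%s\n' "$1" | awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        $0 !~ /^[[:space:]]*#/ && tolower($1) == key { print $2; exit }'
}

# Check a config text against the post's list.  Prints one FAIL line per
# problem and returns 1 if anything failed, 0 otherwise.
audit_sshd_config() {
    cfg="$1"; rc=0
    v=$(sshd_option "$cfg" PermitRootLogin)
    [ "$v" = "no" ] || { echo "FAIL: PermitRootLogin=${v:-unset}, want no"; rc=1; }
    v=$(sshd_option "$cfg" PasswordAuthentication)
    [ "$v" = "no" ] || { echo "FAIL: PasswordAuthentication=${v:-unset}, want no"; rc=1; }
    if [ -z "$(sshd_option "$cfg" AllowUsers)" ] && [ -z "$(sshd_option "$cfg" AllowGroups)" ]; then
        echo "FAIL: neither AllowUsers nor AllowGroups set; every account may log in"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: config satisfies the checklist"
    return "$rc"
}

# Accounts whose shadow entry holds a password hash (field 2 is not empty,
# '*', '!' or '!!'); these are the accounts to audit for password policy.
accounts_with_passwords() {
    printf '%s\n' "$1" | awk -F: '$2 != "" && $2 != "*" && $2 != "!" && $2 != "!!" { print $1 }'
}

# Log watcher: addresses with at least $2 "Failed password" lines in $1.
failed_login_offenders() {
    printf '%s\n' "$1" | awk -v max="$2" '
        /sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") n[$(i + 1)]++
        }
        END { for (ip in n) if (n[ip] >= max) print ip }' | sort
}

# Turn the offender list into firewall rules.  The rules are only printed so
# an operator can review them; nothing is applied.
suggested_block_rules() {
    failed_login_offenders "$1" "$2" | while read -r ip; do
        echo "iptables -I INPUT -s $ip -p tcp --dport 22 -j DROP"
    done
}

echo "== weak config ==";     audit_sshd_config "$WEAK_SSHD_CONFIG"
echo "== hardened config =="; audit_sshd_config "$HARDENED_SSHD_CONFIG"
echo "== accounts with passwords ==";  accounts_with_passwords "$SAMPLE_SHADOW"
echo "== suggested blocks (3+ failures) =="; suggested_block_rules "$SAMPLE_AUTH_LOG" 3
```

The audit deliberately reads only the first occurrence of each directive, because that is what sshd does; a hardened line added below an earlier permissive one would otherwise look fine in a grep and still be ignored by the daemon.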
