Securing SSH access
lists at kittypee.com
Fri Apr 4 14:03:26 MDT 2008
Steve Morrey wrote:
> One other thing that I like to do is to move SSH to some port way off in the
> boondocks something like 3145.
> It of course is not the only thing you should do, but it does make for a
> good and easy to use first step.
> It pretty much stops the common dictionary attacker dead in their tracks.
> Another good option is to use a port knock daemon, so a series of ports must
> be pinged in a certain order before the SSH daemon even starts to listen.
> This way ONLY you know how to get in, even if your computer (which contains
> your keys), decides to go for a walk..
I personally hate changing the port SSH listens on. It adds great
complexity to day to day usage, and the benefit is small. You either
have to specify the port number on every call to ssh, or add entries
into your ~/.ssh/config file for each host that you changed. Really
IMHO the proper steps to secure SSH access include:
* Audit all user accounts with passwords set and enforce good password
* Disable root login via ssh "PermitRootLogin no"
* If possible, disable password authentication altogether "UsePAM no"
* Otherwise, consider limiting the connection rate to ssh on the
firewall, or implement a log watcher to block repeated auth failures.
* If possible use firewall rules to limit access to specific addresses
* Consider using AllowUsers, AllowGroups, DenyUsers, DenyGroups in
sshd_config to limit who is allowed to use SSH.
Many of these steps are good general practice with all internet facing
services. Following them will keep you safe without incurring much, if
any, annoyance penalty.
More information about the PLUG