Securing SSH access

Kimball Larsen kimball at kimballlarsen.com
Tue Apr 22 12:21:16 MDT 2008


Grant,
On Mar 29, 2008, at 12:09 AM, Grant Robinson wrote:

>
> On Mar 28, 2008, at 9:12 PM, Dave Smith wrote:
>> In the past, I have used /etc/hosts.[deny|allow] to secure my SSH  
>> server by restricting access to a limited number of IP addresses.  
>> This has worked very well for me over the past 3 or 4 years, but  
>> now I need to allow access to a non-enumerable set of client IP  
>> addresses, so I am considering alternate methods. The first method  
>> on my list is to require key-based authentication (no passwords).  
>> Secondly, I'm thinking about using an alternate port (i.e., 2222
>> instead of 22) simply to ward off automated botnet logins.
>>
>> Does anyone see a problem with this? Any other ideas?
>
> Is it non-enumerable because it is too large, or because you can't  
> know all of them ahead of time?
>
> If it is the second, I would suggest what is used on some of the
> servers I help admin.  We use a dynamic whitelist of IPs that you
> can add your IP to by visiting an SSL webpage and doing a basic auth
> over SSL.  If successful, that then adds your IP to the whitelist
> for accessing SSH and other non-public services.

I wanted to ask you about this - what mechanism do you use for the  
whitelist?  I recently decided to use hosts.allow/deny to allow the  
3-4 IP addresses that need access to our servers.  However, one of the  
IPs is for the cable modem at the home of an employee, and they had to  
reboot the modem and got a new IP.  The next time they tried to  
connect, they had to call me and I had to update the hosts.allow.

I could pretty easily write a script to modify the contents of the
hosts.allow, but the syntax for the hosts.allow file is such that it
would be easier to re-write the file each time, rather than being able
to just update the permitted IP address.  I'd prefer not to have to do
this.

So, what do you use for your whitelist?

Thanks.

-- Kimball 
(The former PHB)
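The thread's two practical points are Grant's self-service whitelist and Kimball's observation that it is easier to rewrite hosts.allow than to edit one address in place. The script below is an added example, not code from anyone in the thread. It keeps the sshd entries in a clearly marked block inside hosts.allow, leaves every other line untouched, validates that what is being added is a single IPv4 address (so a web form cannot smuggle in "ALL" or a hostname), and writes the file atomically so tcp_wrappers never reads a half-written file. The block markers, the daemon name "sshd" and the sample file contents are constructed assumptions.

```python
"""Maintain a managed block of sshd entries in a tcp_wrappers hosts.allow.

Added example for the thread above, not the list's or any poster's code.
Assumes hosts_access(5) syntax ("daemon_list : client_list") and that
the SSH daemon registers with tcp_wrappers as "sshd".
"""
import ipaddress
import os
import tempfile

BEGIN = "# BEGIN managed-ssh-allowlist"   # assumed marker, not a tcp_wrappers convention
END = "# END managed-ssh-allowlist"
DAEMON = "sshd"

# Constructed sample hosts.allow with one hand-written entry, a managed
# block holding one address, and a trailing rule that must survive edits.
SAMPLE = """# constructed sample hosts.allow
sshd: 198.51.100.10
# BEGIN managed-ssh-allowlist
sshd: 203.0.113.5
# END managed-ssh-allowlist
ALL: 192.0.2.0/24
"""


def parse_allowlist(text):
    """Split the file into (before, ips, after).

    `before` and `after` are the untouched lines around the managed block;
    `ips` are the client addresses found in sshd lines inside it.  When no
    block exists, everything is `before` and the block is created on render.
    """
    lines = text.splitlines()
    try:
        start = lines.index(BEGIN)
        end = lines.index(END, start + 1)
    except ValueError:
        return lines, [], []
    ips = []
    for line in lines[start + 1:end]:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        daemon, _, clients = line.partition(":")
        if daemon.strip() != DAEMON:
            continue  # foreign lines inside the block are dropped on rewrite
        ips.extend(c.strip() for c in clients.split(",") if c.strip())
    return lines[:start], ips, lines[end + 1:]


def render(before, ips, after):
    """Rebuild the whole file text, one 'sshd: <ip>' line per address."""
    body = [BEGIN] + [f"{DAEMON}: {ip}" for ip in ips] + [END]
    return "\n".join(before + body + after) + "\n"


def add_ip(text, ip):
    """Return the file text with `ip` in the managed block (idempotent).

    Only a single IPv4 address is accepted; hostnames, CIDR ranges and
    wildcards such as ALL raise ValueError before anything is written.
    """
    addr = str(ipaddress.IPv4Address(ip))
    before, ips, after = parse_allowlist(text)
    if addr not in ips:
        ips.append(addr)
    return render(before, ips, after)


def remove_ip(text, ip):
    """Return the file text with `ip` removed from the managed block."""
    addr = str(ipaddress.IPv4Address(ip))
    before, ips, after = parse_allowlist(text)
    return render(before, [i for i in ips if i != addr], after)


def write_atomic(path, text):
    """Write via a temp file in the same directory, then rename over `path`."""
    directory = os.path.dirname(path) or "."
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".hosts.allow.")
    with os.fdopen(fd, "w") as handle:
        handle.write(text)
    os.chmod(tmp, 0o644)
    os.replace(tmp, path)  # atomic on POSIX; readers see old or new, never partial


if __name__ == "__main__":
    # Simulate the cable-modem case: the employee's address changed.
    updated = remove_ip(SAMPLE, "203.0.113.5")
    updated = add_ip(updated, "203.0.113.9")
    print(updated, end="")
```

A self-service page of the kind Grant describes would, after its own authentication succeeded, call `add_ip` with the client's source address and hand the result to `write_atomic("/etc/hosts.allow", ...)`. Pairing each entry with a timestamp and expiring old ones is the natural next step, since the point of the block is that the addresses are transient.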
