Securing SSH access
kimball at kimballlarsen.com
Tue Apr 22 15:32:25 MDT 2008
On Apr 22, 2008, at 2:55 PM, Lonnie Olson wrote:
> On Tue, 2008-04-22 at 11:55 -0600, Steve Morrey wrote:
>> Or just set it to something way off in the boonies but be consistent
>> For instance almost all of my servers have SSH at 2774 which if you
>> look at
>> it on a phone turns out to be 2SSH or my secondary SSH port. How
>> is it
>> to type ssh myserver.com -luser -p2774
>> For the extra bonus of rarely (or never) seeing a dictionary attack I
>> the extra 6 keystrokes are totally worth it. But you do have to use
>> something you can remember and use it consistently
> First of all, I see tons of extra keystrokes in there.
> Most of the time I just type "ssh server". That's it, username is the
> same everywhere, and the port is always the default. It would take an
> additional *7* characters to change the port " -p2774", don't forget
> that space, it still counts. Also compare the 7 extra characters in
> relation to the total command. "ssh server" 10 chars vs. "ssh
> server -p
> 2774" 17 chars. Almost a 60% increase in the length of the
> command. To
> me, 60% is *not* negligible.
> Also consider the number of times a day I actually run ssh, about
> times a day on average. It is a big deal.
> So I see two options to reduce the work to a one time operation:
> 1. setup my ~/.ssh/config file for all possible contingencies
> 2. Secure my public ssh servers very carefully.
> I'll leave it on port 22, and just practice good security.
60% increase? Boy, that sounds serious.
How much would you pay to learn how to have a 90%+ reduction in the
total characters you have to type to access that remote server?
Want to know my secret?
For servers I frequently access, I just create a one-liner shell
script in my path. For instance, there are 2 servers at the office
and 2 at my home that I frequently get into. The commands to get into
them are as follows:
The average length of these commands is (4 + 6 + 8 + 6) / 4 = 6.
That's only 6 measly keystrokes to get into one of these servers!
Imagine, if I had named them something like aa, bb, cc, dd, it would
only be 2 keystrokes / server. Huge reduction! Or what if I had gone
completely crazy and named the scripts with a single character! Wow!
No additional *7* characters each time, and I cut out the ssh (don't
forget the space, it counts!), but I still connect on a non-standard
port, from an authorized host, using public key encryption to auth.
So, with a little shell script, let's see just how much of that
tedious old typing we can eliminate:
ssh -l admin -p2774 220.127.116.11 = 35 characters
a = 1 character
35 vs 1 character - that's close to a 98% reduction in the number of
characters you need to type!
Think of the savings! Think of the efficiency! Think of the reduced
costs to your life because you don't get carpal tunnel!
More information about the PLUG