Securing SSH access
Kimball Larsen
kimball at kimballlarsen.com
Tue Apr 22 15:32:25 MDT 2008
On Apr 22, 2008, at 2:55 PM, Lonnie Olson wrote:
> On Tue, 2008-04-22 at 11:55 -0600, Steve Morrey wrote:
>> Or just set it to something way off in the boonies but be consistent
>> about it.
>> For instance almost all of my servers have SSH at 2774 which if you
>> look at it on a phone turns out to be 2SSH or my secondary SSH port.
>> How hard is it to type ssh myserver.com -luser -p2774
>> For the extra bonus of rarely (or never) seeing a dictionary attack I
>> think the extra 6 keystrokes are totally worth it. But you do have to
>> use something you can remember and use it consistently
>
> First of all, I see tons of extra keystrokes in there.
> Most of the time I just type "ssh server". That's it, username is the
> same everywhere, and the port is always the default. It would take an
> additional *7* characters to change the port " -p2774", don't forget
> that space, it still counts. Also compare the 7 extra characters in
> relation to the total command. "ssh server" 10 chars vs. "ssh server -p
> 2774" 17 chars. Almost a 60% increase in the length of the command. To
> me, 60% is *not* negligible.
>
> Also consider the number of times a day I actually run ssh, about 30-60
> times a day on average. It is a big deal.
>
> So I see two options to reduce the work to a one time operation:
> 1. setup my ~/.ssh/config file for all possible contingencies
> or
> 2. Secure my public ssh servers very carefully.
>
> I'll leave it on port 22, and just practice good security.
>
> --lonnie
>
60% increase? Boy, that sounds serious.
How much would you pay to learn how to have a 90%+ reduction in the
total characters you have to type to access that remote server?
Want to know my secret?
For servers I frequently access, I just create a one-liner shell
script in my path. For instance, there are 2 servers at the office
and 2 at my home that I frequently get into. The commands to get into
them are as follows:
jake
elwood
holodeck
bridge
The average length of these commands is (4 + 6 + 8 + 6) / 4 = 6.
That's only 6 measly keystrokes to get into one of these servers!
Imagine, if I had named them something like aa, bb, cc, dd, it would
only be 2 keystrokes / server. Huge reduction! Or what if I had gone
completely crazy and named the scripts with a single character! Wow!
No additional *7* characters each time, and I cut out the ssh (don't
forget the space, it counts!), but I still connect on a non-standard
port, from an authorized host, using public key encryption to auth.
So, with a little shell script, let's see just how much of that
tedious old typing we can eliminate:
Old way:
ssh -l admin -p2774 208.100.143.156 = 35 characters
New way:
a = 1 character
35 vs 1 character - that's close to a 98% reduction in the number of
characters you need to type!
Think of the savings! Think of the efficiency! Think of the reduced
costs to your life because you don't get carpal tunnel!
-- Kimball
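An added example, not code from this thread or from either poster: one way to build the per-server one-liner wrappers Kimball describes while keeping the port, user and key in a Host stanza, which is the ~/.ssh/config approach Lonnie lists as option 1. The alias names, the key path and the directories are constructed; the host and port are the ones quoted in the message's "old way" command. In real use CONFIG would be ~/.ssh/config and BINDIR a directory on your PATH, so the wrapper would not need -F.

```shell
#!/bin/sh
# Added example, not code from the thread. Alias names, key path and
# directories are constructed placeholders.

# mk_ssh_alias ALIAS HOST USER PORT KEYFILE CONFIG BINDIR
#   Appends a Host stanza for ALIAS to CONFIG and writes BINDIR/ALIAS, an
#   executable wrapper that runs "ssh ALIAS" and passes any extra arguments on.
mk_ssh_alias() {
    ma_alias=$1 ma_host=$2 ma_user=$3 ma_port=$4 ma_key=$5 ma_cfg=$6 ma_bin=$7

    # ssh uses the first matching Host block, so a duplicate alias would be
    # silently ignored; refuse rather than append a second stanza.
    if grep -q "^Host $ma_alias\$" "$ma_cfg" 2>/dev/null; then
        echo "mk_ssh_alias: alias '$ma_alias' already in $ma_cfg" >&2
        return 1
    fi

    # Client-side settings the one-liner then gets for free: only the named
    # key is offered, no password fallback, and an unknown or changed host
    # key aborts the connection instead of prompting.
    cat >> "$ma_cfg" <<EOF
Host $ma_alias
    HostName $ma_host
    User $ma_user
    Port $ma_port
    IdentityFile $ma_key
    IdentitiesOnly yes
    PasswordAuthentication no
    StrictHostKeyChecking yes

EOF

    # -F points ssh at this demo's config file; with ~/.ssh/config drop it.
    printf '#!/bin/sh\nexec ssh -F %s %s "$@"\n' "$ma_cfg" "$ma_alias" > "$ma_bin/$ma_alias"
    chmod 0755 "$ma_bin/$ma_alias"
}

# alias_option ALIAS KEYWORD CONFIG
#   Prints the value of KEYWORD inside ALIAS's Host block (empty if absent),
#   so a script can confirm which port, user and key the alias really uses.
alias_option() {
    awk -v a="$1" -v k="$2" '
        $1 == "Host" { inblock = ($2 == a) }
        inblock && $1 == k { print $2; exit }
    ' "$3"
}

# Demo: the "jake" alias from the message, using the host and port from the
# message's "old way" command line, written into a throwaway directory.
demo_dir=$(mktemp -d)
mk_ssh_alias jake 208.100.143.156 admin 2774 "$demo_dir/id_ed25519" \
    "$demo_dir/config" "$demo_dir"
echo "alias jake -> port $(alias_option jake Port "$demo_dir/config")"
cat "$demo_dir/jake"
```

After running it, typing `jake` (with BINDIR on PATH) connects on port 2774 as admin with the named key, and `alias_option jake Port ~/.ssh/config` is a quick way to check what an alias will actually do before trusting it in a script.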