In order to increase security for SSH, would it be a good idea to generate SSH authorized keys for login and remove the password login option? Until now I have used only password login for SSH authentication.
It is very definitely a good idea to use strictly keys and disable passwords. Also change your SSH port to something OTHER than 22; see the free port ranges in /etc/services to find a free range. Also TEST your NEW setup in another shell BEFORE you LOGOUT!!! If you ever ran Webmin on your site, delete all folders and files from Webmin - just in case; such Webmin remains open to password login even if in your system you have all passwords disabled!!
Add a packet filter (ipchains/iptables), or ipfw on FreeBSD, and allow TCP port 22 to your IP blocks only. Also limit SSH login to a specified user, for example dude3, and disable direct root logins. This can easily be done in /etc/ssh/sshd_config but may vary depending on your Linux platform (if it's a custom SSH daemon, etc.).
Additionally, you can restrict certain users from logging in via SSH. In sshd_config, use this line: DenyUsers user1 user2 user3 user4. Or you can make it work the other way: AllowUsers user1 user2 user3 user4.
Yes, that is good. Also make sure to filter SSH brute-force attacks at the firewall level (I recommend the OpenBSD operating system with the pf firewall as the most reliable solution).
If you use keys, absolutely ensure that whatever machine you have the keys on is secure. I haven't heard any stories, but the idea of having Pageant running on a Windows machine for days on end is a scary proposition. Also, make sure the keys are password protected, and that it's a good password. If you have unprotected keys for maintenance utilities - like remote rsync or log transfers - change the keys with regularity and restrict the accounts to do only what they need to do. Keep your keys updated, and keep your passwords fresh and secure - mix numbers and letters, use a couple of special characters, and keep them absurdly long. And definitely restrict SSH access to a group of known IP addresses. If you put it up on port 443, you can generally get to your machine from inside the office; since HTTPS connections run on that port, the admins usually leave it open. Don't under any circumstances allow root login from SSH. That's just silly. Some people run SSH on all IPs rather than just one; bind it to a single address. Run programs like chkrootkit, rkhunter, etc. with regularity.
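The replies above all boil down to a handful of sshd_config directives: key-only login with passwords off, no root login, an allow list of users, a non-default port and a single bind address. The script below is an added example, not code from anyone in this thread: it audits an sshd_config file for those settings and reports what is still open. The two sample config files, the user name dude3, port 2222 and the address 192.0.2.10 are constructed for the demo; the parser assumes plain "Keyword value" lines and stops at the first Match block.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config for the settings the
# replies recommend (keys only, no passwords, no root login, user allow list,
# non-default port, single bind address). The sample configs, the user name
# dude3, port 2222 and the address 192.0.2.10 are constructed here.

# Print the effective value of a directive. sshd uses the FIRST occurrence of
# a keyword (keywords are case-insensitive) and ignores '#' comment lines;
# we stop at the first Match block because values inside it are conditional.
sshd_get() {
    awk -v key="$1" '
        BEGIN { key = tolower(key) }
        /^[[:space:]]*Match([[:space:]]|$)/ { exit }
        tolower($1) == key { print $2; exit }
    ' "$2"
}

# True when a yes/no value reads "no" (sshd compares these case-insensitively).
is_no() {
    [ "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" = "no" ]
}

# Count one finding and describe it.
warn() {
    findings=$((findings + 1))
    printf 'WARN %s: %s\n' "$cfg_file" "$1"
}

# Audit one config file; prints findings and returns their count (0 = clean).
audit_sshd_config() {
    cfg_file=$1
    findings=0

    is_no "$(sshd_get PasswordAuthentication "$cfg_file")" ||
        warn "PasswordAuthentication is not 'no' (the default is yes)"

    # With UsePAM, keyboard-interactive auth can still accept a password even
    # when PasswordAuthentication is off; the directive was renamed in newer
    # OpenSSH, so accept either spelling.
    is_no "$(sshd_get ChallengeResponseAuthentication "$cfg_file")" ||
    is_no "$(sshd_get KbdInteractiveAuthentication "$cfg_file")" ||
        warn "keyboard-interactive (challenge-response) authentication not disabled"

    if is_no "$(sshd_get PubkeyAuthentication "$cfg_file")"; then
        warn "PubkeyAuthentication is disabled; key login would not work"
    fi

    is_no "$(sshd_get PermitRootLogin "$cfg_file")" ||
        warn "PermitRootLogin is not 'no'"

    if [ -z "$(sshd_get AllowUsers "$cfg_file")" ] &&
       [ -z "$(sshd_get AllowGroups "$cfg_file")" ]; then
        warn "no AllowUsers/AllowGroups list: every local account may log in"
    fi

    port=$(sshd_get Port "$cfg_file")
    if [ -z "$port" ] || [ "$port" = "22" ]; then
        warn "sshd listens on the default port 22"
    fi

    [ -n "$(sshd_get ListenAddress "$cfg_file")" ] ||
        warn "no ListenAddress: sshd binds to every interface"

    return "$findings"
}

# Write two constructed sample configs into a directory: a permissive one and
# one that applies the thread's advice.
write_sample_configs() {
    cat > "$1/weak.conf" <<'EOF'
# constructed sample: defaults left in place, password login still allowed
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF
    cat > "$1/hardened.conf" <<'EOF'
# constructed sample: the thread's recommendations as sshd_config directives
Port 2222
ListenAddress 192.0.2.10
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowUsers dude3
EOF
}

# Demo: audit both samples side by side.
demo_dir=$(mktemp -d)
write_sample_configs "$demo_dir"
for name in weak hardened; do
    if audit_sshd_config "$demo_dir/$name.conf"; then
        echo "$name.conf: no findings"
    fi
done
rm -rf "$demo_dir"
```

Run it against a real file with audit_sshd_config /etc/ssh/sshd_config. The audit only reads the file; it does not replace the syntax check sshd itself offers (sshd -t -f /path/to/sshd_config), and it does not replace the advice given earlier in the thread to keep the existing session open and confirm a new key-based login from a second shell before logging out.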