
Increase security for SSH?

Discussion in 'Security' started by jalex, Nov 6, 2006.

  1. #1
    In order to increase security for SSH, would it be a good idea to generate SSH authorized keys for login and remove the password login option?


    Until now I used only password login for SSH authentication.
     
    jalex, Nov 6, 2006 IP
  2. hans

    hans Well-Known Member

    #2
    it is very definitely a good idea
    to use strictly keys and disable pw
    also change your ssh port to OTHER than 22
    see free port ranges in /etc/services
    to find a free range
    also TEST your NEW setup in another shell BEFORE you LOGOUT !!!

    if EVER you should run webmin on your site, delete all folder files from webmin - just in case you have such.
    webmin remains open to pw login even if in your system you have all pw disabled !!
     
    hans, Nov 8, 2006 IP
  3. lkj

    lkj Peon

    #3
    add a packet filter (ipchains/iptables) or ipfw on freebsd and allow tcp 22 port to your IP blocks only.... also limit ssh login to a specified user for example dude3 and disable direct root logins. this could be easily done in

    /etc/ssh/sshd_config

    but may vary depending on your linux platform (if it's a custom ssh daemon etc)
     
    lkj, Nov 8, 2006 IP
  4. deviataz

    deviataz Active Member

    #4
    Additionally, you can restrict only certain users from logging in via SSH.
    In sshd_config, use this line:

    DenyUsers user1 user2 user3 user4

    Or you can make it work the other way:

    AllowUsers user1 user2 user3 user4
     
    deviataz, Jan 14, 2007 IP
  5. Mihai

    Mihai Active Member

    #5
    Yes, that is good. Also make sure to filter ssh bruteforce attacks at firewall level (I recommend OpenBSD operating system with pf firewall as the most reliable solution).
     
    Mihai, Jan 14, 2007 IP
  6. Mihai

    Mihai Active Member

    #6

    I just realized: if you remove BOTH you can't login anymore... then you could also shut down sshd :eek: :D
     
    Mihai, Jan 14, 2007 IP
  7. nevetS

    nevetS Evolving Dragon

    #7
    If you use keys, absolutely ensure that whatever machine you have the keys on is secure. I haven't heard any stories, but the idea of having Pageant running on a windows machine for days on end is a scary proposition. Also, make sure the keys are password protected, and it's a good password. If you have unprotected keys for maintenance utilities - like remote rsync or log transfers - change the keys with regularity and restrict the accounts to do only what they need to do.

    Keep your keys updated, and keep your passwords fresh and secure - Mix numbers and letters, use a couple of special characters, and keep them absurdly long.

    And definitely restrict ssh access to a group of known ip addresses.

    If you put it up on port 443, you can generally get to your machine from inside the office. Since https connections run on that port, the admins usually leave it open.

    Don't under any circumstances allow root login from ssh. That's just silly.

    Some people run ssh on all IPs rather than just one. bind it to a single address.

    Run programs like chkrootkit, rkhunter, etc. with regularity.
     
    nevetS, Feb 5, 2007 IP
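As an added example that is not part of the thread, here is a small POSIX shell audit that checks an sshd_config for the settings the posters converge on: keys instead of passwords (hans), no direct root login and an AllowUsers list (lkj, deviataz), a port other than 22 (hans) and a single ListenAddress (nevetS). The directive names are real OpenSSH keywords; the two sample config files, their address and their user name are constructed for the demonstration.

```shell
# Added example, not from the thread: audit an sshd_config for the settings the
# posters recommend. Keywords are real OpenSSH directives; the two sample configs
# are constructed (ListenAddress and AllowUsers values are placeholders).

# effective_value FILE KEYWORD: value of the first non-comment match.
# sshd honours the first occurrence; keywords are case-insensitive.
effective_value() {
    awk -v k="$2" '$1 ~ /^#/ {next} tolower($1) == tolower(k) {print $2; exit}' "$1"
}
# audit_sshd_config FILE: one line per check; returns the number of findings.
# An unset directive is a finding: the hardened value should be explicit.
audit_sshd_config() {
    f="$1"; bad=0
    expect() {  # expect KEYWORD WANTED
        v=$(effective_value "$f" "$1" | tr 'A-Z' 'a-z')
        if [ "$v" = "$2" ]; then echo "ok   $1 $v"
        else echo "WARN $1 is '${v:-unset}', want $2"; bad=$((bad + 1)); fi
    }
    expect PasswordAuthentication no           # hans: keys only, no passwords
    expect ChallengeResponseAuthentication no  # also closes keyboard-interactive passwords
    expect PubkeyAuthentication yes
    expect PermitRootLogin no                  # lkj, nevetS: no direct root login
    p=$(effective_value "$f" Port)             # hans: a port other than 22
    if [ -n "$p" ] && [ "$p" != 22 ]; then echo "ok   Port $p"
    else echo "WARN Port is '${p:-22}'"; bad=$((bad + 1)); fi
    if [ -n "$(effective_value "$f" AllowUsers)" ]; then echo "ok   AllowUsers set"  # deviataz
    else echo "WARN AllowUsers not set"; bad=$((bad + 1)); fi
    if [ -n "$(effective_value "$f" ListenAddress)" ]; then echo "ok   ListenAddress set"
    else echo "WARN ListenAddress not set: sshd listens on every address"; bad=$((bad + 1)); fi  # nevetS
    return "$bad"
}
# count_findings FILE: number of WARN lines (always exits 0, so it is safe under set -e)
count_findings() { audit_sshd_config "$1" | awk '/^WARN/ {n++} END {print n + 0}'; }

SSHD_DEMO_DIR=$(mktemp -d)
cat > "$SSHD_DEMO_DIR/weak.conf" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF
cat > "$SSHD_DEMO_DIR/hardened.conf" <<'EOF'
Port 2222
ListenAddress 192.0.2.10
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowUsers dude3
EOF
audit_sshd_config "$SSHD_DEMO_DIR/weak.conf" || echo "weak.conf: $? finding(s)"
audit_sshd_config "$SSHD_DEMO_DIR/hardened.conf" && echo "hardened.conf: clean"
```

Run it against /etc/ssh/sshd_config before reloading sshd and, as hans says, keep a second session open while you do; `sshd -t -f FILE` additionally syntax-checks a config file without starting the daemon.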