I need to manage several servers remotely via SSH, I'm interested in ways to secure the connection and prevent unauthorised access.
That's sort of what ssh already does. Most people just configure their servers' iptables to allow only ssh and whatever services the server actually provides and that's that.
My thoughts: Limit access to only allow remote connections from our management network via iptables rules. Works but what if our ISP changes our fixed IP, which means we are effectively locked out from all the servers and requires a site visit to update the rules.
Limiting the source of ssh connections helps protect against only two things, as I see it:
1) Attacker logging in directly with a stolen root password
2) An exploit in sshd itself
These generally aren't very high on the threat scale (although there was a potentially exploitable sshd bug discovered last year I don't know of anyone who actually got broken into).
Then again, how likely is having your IP address moved without enough warning to get your servers updated? If it's a serious concern you may want to seriously consider a different ISP.
We also need to provide access to engineers working from home using dialup, etc
What are these servers going to be doing exactly? Do these engineers need to logon to the server directly with ssh, or do they just need to access the other services?
If you do limit connections to being from your management network, can users remotely log into a system on that network? If they can ssh there, then restricting the source for your servers adds even less security, and if they can access those systems with an insecure protocol (like telnet or rlogin), then you lose even more of the benefits of ssh.
Some sort of client certificates to supplement username and password,
Mostly ssh allows certificates to be used in place of a password. These are generally more secure as they tend to be more difficult to steal.
Any ideas and tips appreciated
Most of our suggestions will depend more on how you plan on using the servers. Two tricks I use are:
* adding
account required pam_access.so
to /etc/pam.d/sshd and
-:ALL EXCEPT wheel itgroup:ALL
to /etc/security/access.conf prevents any user who is not in the 'wheel' or 'itgroup' groups from logging on through ssh, even if they provide a valid password.
You can do something similar by putting AllowGroups wheel itgroup in /etc/ssh/sshd_config
Also, for a server that does not have local user accounts, you can place the public keys of your administrators into /root/.ssh/authorized_keys, which will allow them to log onto the server as root without knowing the root password.
