Re: Securing SSH

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Am Sa, den 10.01.2004 schrieb Roland Venter um 00:52:
> I need to manage several servers remotely via SSH, I'm interested in ways to
> secure the connection and prevent unauthorised access.
> 
> My thoughts:
> Limit access to only allow remote connections from our management network
> via iptables rules. Works but what if our ISP changes our fixed IP, which
> means we are effectively locked out from all the servers and requires a site
> visit to update the rules.
> 
> We also need to provide access to engineers working from home using dialup,
> etc
> 
> Some sort of client certificates to supplement username and password,
> 
> Recommendations on securing the SSH daemon etc
> 
> Any ideas and tips appreciated
> 
> Cheers,
> Roland

Two recommendations from my side:

1) only permit SSH protocol type 2, not 1 as well; 1 is a security risk;
unfortunately the default SSHD setting on Fedora allows the usage of
both
  /etc/ssh/sshd_config: change Protocol 2,1 -> Protocol 2

2) permit only public key authentication, deny password authentication;
last is enabled by default in sshd_config

[ you might overthink to bind the SSHD to a different port than 22,
maybe like 8022, to let portscans for the usual suspects not detect it
on standard port - but I think this is more security by obfuscation]

Alexander


-- 
Alexander Dalloz | Enger, Germany
PGP key valid: made 13.07.1999
PGP fingerprint: 2307 88FD 2D41 038E 7416  14CD E197 6E88 ED69 5653




[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux