On Sat, 10.01.2004 at 00:52, Roland Venter wrote:
> I need to manage several servers remotely via SSH, I'm interested in ways to
> secure the connection and prevent unauthorised access.
>
> My thoughts:
> Limit access to only allow remote connections from our management network
> via iptables rules. Works but what if our ISP changes our fixed IP, which
> means we are effectively locked out from all the servers and requires a site
> visit to update the rules.
>
> We also need to provide access to engineers working from home using dialup,
> etc
>
> Some sort of client certificates to supplement username and password,
>
> Recommendations on securing the SSH daemon etc
>
> Any ideas and tips appreciated
>
> Cheers,
> Roland

Two recommendations from my side:

1) only permit SSH protocol type 2, not 1 as well; 1 is a security risk;
unfortunately the default SSHD setting on Fedora allows the usage of both

/etc/ssh/sshd_config: change
Protocol 2,1 -> Protocol 2

2) permit only public key authentication, deny password authentication;
the latter is enabled by default in sshd_config

[ you might consider binding the SSHD to a different port than 22, maybe
like 8022, so that portscans for the usual suspects do not detect it on the
standard port - but I think this is more security by obfuscation ]

Alexander

-- 
Alexander Dalloz | Enger, Germany
PGP key valid: made 13.07.1999
PGP fingerprint: 2307 88FD 2D41 038E 7416 14CD E197 6E88 ED69 5653
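A check for the two sshd_config changes recommended in the reply above, as an added example that is not part of the original message. The defaults assumed for absent keywords, the function names and the sample configurations are constructed for illustration; the parser models sshd's rule that the first value read for a keyword is the one used.

```python
"""Audit sshd_config text for the two settings recommended in the reply."""

# Assumed values when a keyword is absent or commented out, matching the
# configuration the reply describes (both protocols, password logins allowed).
ASSUMED_DEFAULTS = {"protocol": "2,1", "passwordauthentication": "yes",
                    "pubkeyauthentication": "yes"}

def effective_settings(config_text):
    """Return the effective value per keyword (first occurrence wins)."""
    settings, seen = dict(ASSUMED_DEFAULTS), set()
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                                  # blank line or comment
        parts = line.replace("=", " ", 1).split(None, 1)  # "Key value" or "Key=value"
        if len(parts) < 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().strip('"')
        if key in settings and key not in seen:       # later duplicates are ignored
            settings[key] = value
            seen.add(key)
    return settings

def audit(config_text):
    """Return a list of findings; an empty list means both changes are in place."""
    s = effective_settings(config_text)
    findings = []
    if "1" in {p.strip() for p in s["protocol"].split(",")}:
        findings.append("Protocol permits SSH protocol 1; set 'Protocol 2'")
    if s["passwordauthentication"].lower() != "no":
        findings.append("PasswordAuthentication is enabled; set it to 'no'")
    if s["pubkeyauthentication"].lower() != "yes":
        findings.append("PubkeyAuthentication is off; key logins would fail")
    return findings

# Constructed sample: the shipped state described in the reply.
WEAK = "Protocol 2,1\n#PasswordAuthentication yes\n"
# Constructed sample: hardened, with a stray duplicate that sshd would ignore.
HARDENED = "Protocol 2\nPasswordAuthentication no\nPasswordAuthentication yes\n"

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(text) or "ok")
```

Because the first occurrence wins, appending `PasswordAuthentication no` below an existing `PasswordAuthentication yes` line changes nothing; edit or remove the earlier line instead.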