Securing SSH
Bevan C. Bennett
bevan at fulcrummicro.com
Sat Jan 10 01:08:16 UTC 2004
Roland Venter wrote:
> I need to manage several servers remotely via SSH, I'm interested in ways to
> secure the connection and prevent unauthorised access.
That's sort of what ssh already does. Most people just configure their
servers' iptables to allow only ssh and whatever services the server
actually provides and that's that.
> My thoughts:
> Limit access to only allow remote connections from our management network
> via iptables rules. Works but what if our ISP changes our fixed IP, which
> means we are effectively locked out from all the servers and requires a site
> visit to update the rules.
Limiting the source of ssh connections helps protect against only two
things, as I see it:
1) Attacker logging in directly with a stolen root password
2) An exploit in sshd itself
These generally aren't very high on the threat scale (although there was
a potentially exploitable sshd bug discovered last year, I don't know of
anyone who actually got broken into).
Then again, how likely is having your IP address moved without enough
warning to get your servers updated? If it's a serious concern you may
want to seriously consider a different ISP.
> We also need to provide access to engineers working from home using dialup,
> etc
What are these servers going to be doing exactly? Do these engineers
need to log on to the server directly with ssh, or do they just need to
access the other services?
If you do limit connections to being from your management network, can
users remotely log into a system on that network? If they can ssh there,
then restricting the source for your servers adds even less security,
and if they can access those systems with an insecure protocol (like
telnet or rlogin), then you lose even more of the benefits of ssh.
> Some sort of client certificates to supplement username and password,
Mostly ssh allows certificates to be used in place of a password. These
are generally more secure as they tend to be more difficult to steal.
> Any ideas and tips appreciated
Most of our suggestions will depend more on how you plan on using the
servers. Two tricks I use are:
* adding
    account required pam_access.so
to /etc/pam.d/sshd and
    -:ALL EXCEPT wheel itgroup:ALL
to /etc/security/access.conf prevents any user who is not in the 'wheel'
or 'itgroup' groups from logging on through ssh, even if they provide a
valid password.
You can do something similar by putting
    AllowGroups wheel itgroup
in /etc/ssh/sshd_config.
Also, for a server that does not have local user accounts, you can place
the public keys of your administrators into /root/.ssh/authorized_keys,
which will allow them to log onto the server as root without knowing the
root password.
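
Added example, not part of the original message: a shell check that the pam_access rule and the AllowGroups line described in the reply above are both present and name the same groups. The function names and the ROOT prefix argument are hypothetical; the file paths and rule lines are the ones from the message.

```shell
#!/bin/sh
# Added example (not from the original message): check that the pam_access
# rule and the AllowGroups line described above name the same groups.

normalize() { tr -s '[:space:]' '\n' | sed '/^$/d' | sort -u | tr '\n' ' ' | sed 's/ $//'; }

# True if the PAM file has an active "account required pam_access.so" line.
pam_access_enabled() {
    [ -r "$1" ] && grep -Eq '^[[:space:]]*account[[:space:]]+required[[:space:]]+pam_access\.so' "$1"
}

# Groups exempted by "-:ALL EXCEPT g1 g2:ALL" lines in access.conf.
access_groups() {
    [ -r "$1" ] || return 0
    awk -F: '/^[ \t]*-/ && $2 ~ /ALL EXCEPT/ && $3 ~ /^[ \t]*ALL[ \t]*$/ {
        sub(/.*ALL EXCEPT/, "", $2); print $2 }' "$1" | normalize
}

# Groups named by AllowGroups in sshd_config (keywords are case-insensitive).
sshd_groups() {
    [ -r "$1" ] || return 0
    awk 'tolower($1) == "allowgroups" { $1 = ""; print }' "$1" | normalize
}

# audit_ssh_groups ROOT: ROOT is a hypothetical prefix holding a copy of /etc.
# Returns 0 = restricted and consistent, 1 = layers disagree, 2 = unrestricted.
audit_ssh_groups() {
    pam_g=""
    if pam_access_enabled "$1/etc/pam.d/sshd"; then
        pam_g=$(access_groups "$1/etc/security/access.conf")
    fi
    ssh_g=$(sshd_groups "$1/etc/ssh/sshd_config")
    echo "pam_access: ${pam_g:-none}  AllowGroups: ${ssh_g:-none}"
    if [ -z "$pam_g" ] && [ -z "$ssh_g" ]; then return 2; fi
    if [ -n "$pam_g" ] && [ -n "$ssh_g" ] && [ "$pam_g" != "$ssh_g" ]; then return 1; fi
    return 0
}

# Constructed sample: the three files from the message, under a temp directory.
demo=$(mktemp -d)
mkdir -p "$demo/etc/pam.d" "$demo/etc/security" "$demo/etc/ssh"
echo 'account required pam_access.so' > "$demo/etc/pam.d/sshd"
echo '-:ALL EXCEPT wheel itgroup:ALL' > "$demo/etc/security/access.conf"
echo 'AllowGroups wheel itgroup' > "$demo/etc/ssh/sshd_config"
audit_ssh_groups "$demo"
```

Run against a copy of a server's /etc, a return code of 1 means the two layers list different groups, so a user permitted by one is still refused by the other.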