Securing SSH

Alexander Dalloz alexander.dalloz at uni-bielefeld.de
Sat Jan 10 03:34:15 UTC 2004


On Sat, 10.01.2004 at 00:52, Roland Venter wrote:
> I need to manage several servers remotely via SSH, I'm interested in ways to
> secure the connection and prevent unauthorised access.
> 
> My thoughts:
> Limit access to only allow remote connections from our management network
> via iptables rules. Works but what if our ISP changes our fixed IP, which
> means we are effectively locked out from all the servers and requires a site
> visit to update the rules.
> 
> We also need to provide access to engineers working from home using dialup,
> etc
> 
> Some sort of client certificates to supplement username and password,
> 
> Recommendations on securing the SSH daemon etc
> 
> Any ideas and tips appreciated
> 
> Cheers,
> Roland

Two recommendations from my side:

1) only permit SSH protocol type 2, not 1 as well; 1 is a security risk;
unfortunately the default SSHD setting on Fedora allows the usage of
both
  /etc/ssh/sshd_config: change Protocol 2,1 -> Protocol 2

2) permit only public key authentication, deny password authentication;
the latter is enabled by default in sshd_config

[ you might consider binding the SSHD to a different port than 22,
maybe like 8022, so that port scans for the usual suspects do not detect it
on the standard port - but I think this is more security by obfuscation ]

Alexander


-- 
Alexander Dalloz | Enger, Germany
PGP key valid: made 13.07.1999
PGP fingerprint: 2307 88FD 2D41 038E 7416  14CD E197 6E88 ED69 5653
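As an added example (not part of Alexander's mail, and not a Fedora tool), a small POSIX shell audit that reads an sshd_config and reports which of the two recommendations above it misses. It also checks ChallengeResponseAuthentication, which the mail does not mention but which must be off as well, because PAM keyboard-interactive can otherwise still prompt for a password even with PasswordAuthentication no. It assumes the plain "Keyword value" syntax and ignores Match blocks.

```shell
#!/bin/sh
# Print the effective value of a directive in an sshd_config, lower-cased.
# sshd uses the first occurrence of a keyword, so the first match wins;
# commented-out lines ("#Protocol 2,1") never match because their first word
# starts with "#". An absent directive falls back to the DEFAULT given.
# Assumption: "Keyword value" syntax only (no "Keyword = value", no Match).
sshd_value() {
    value=$(awk -v d="$2" 'tolower($1) == tolower(d) { print tolower($2); exit }' "$1")
    printf '%s\n' "${value:-$3}"
}

# Audit FILE against the mail's recommendations. Prints one line per finding
# and returns 0 when the file passes, 1 when any check fails. The defaults
# are the ones the mail describes for Fedora: Protocol 2,1 and passwords on.
audit_sshd_config() {
    file=$1; rc=0
    if [ "$(sshd_value "$file" Protocol 2,1)" != 2 ]; then
        echo "WEAK: SSH-1 still accepted; set 'Protocol 2'"; rc=1
    fi
    if [ "$(sshd_value "$file" PasswordAuthentication yes)" != no ]; then
        echo "WEAK: password logins allowed; set 'PasswordAuthentication no'"; rc=1
    fi
    # Not in the mail: PAM keyboard-interactive can still collect a password
    # unless ChallengeResponseAuthentication is also switched off.
    if [ "$(sshd_value "$file" ChallengeResponseAuthentication yes)" != no ]; then
        echo "WEAK: keyboard-interactive may still take passwords; set 'ChallengeResponseAuthentication no'"; rc=1
    fi
    if [ "$(sshd_value "$file" PubkeyAuthentication yes)" != yes ]; then
        echo "WEAK: public keys disabled, nobody could log in; set 'PubkeyAuthentication yes'"; rc=1
    fi
    echo "INFO: listening on port $(sshd_value "$file" Port 22)"
    return $rc
}

# Constructed sample configs for the demonstration, not from any real host.
write_sample() { f=$(mktemp); printf '%s\n' "$@" > "$f"; echo "$f"; }
fedora_default=$(write_sample '#Protocol 2,1' '#PasswordAuthentication yes' 'Port 22')
hardened=$(write_sample 'Protocol 2' 'PasswordAuthentication no' \
    'ChallengeResponseAuthentication no' 'PubkeyAuthentication yes' 'Port 8022')

for cfg in "$fedora_default" "$hardened"; do
    if audit_sshd_config "$cfg"; then echo "$cfg: passes"; else echo "$cfg: needs work"; fi
done
```

After editing the real /etc/ssh/sshd_config, `sshd -t` checks the syntax before the daemon is reloaded, and the existing session should stay open until a key-based login has been confirmed from a second one.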





More information about the fedora-list mailing list