How do I prevent unauthorized ssh login attempts?

Thu Apr 26 16:52:01 UTC 2007

At 11:22a -0400 on 26 Apr 2007, Hal wrote:
> On Apr 26, 2007, at 8:34 AM, Kevin Hunter wrote:
>> In general, utilizing public/private keys for remote  
>> authentication is /much/ more secure than passwords.
>
> There is some debate about which is more secure
> public/private keys or username/password.

Yep, thank you for that reminder.  :-)  I suppose we now know what  
I'm arguing!

>         With public/private keys anyone who has
>         access to your machine has access to any machine
>         your machine has a key on.

Without a passphrase, I'd agree.  The key word that I made sure to  
put in was 'remote'.  With passphrases, it becomes a two-step  
authentication, one locally to unlock the private key, and one  
remotely to at least confirm that you have the other half of the key.

The other thing that I personally like about public/private key  
combinations is that for the more lazy of us, we don't always check  
the fingerprint matches.  If I decide to log on to a remote machine  
to which I've not logged directly on before (e.g. a company NFS- 
shared home directory), then I can be assured that I'm not falling  
victim to a man-in-the-middle attack; I can blindly accept the  
fingerprint, and if it hangs, I can guess that I'm in the middle of  
an attack attempt, and try another avenue to get where I'm going.

> 	With username/password protection is only as
>         strong as your password.  But your password is
>         needed.

Yep.  I agree.

> So...   Use a firewall which limits access to only machines
>         you are willing to let in.

Yep.  I agree.  See Bill's page about limiting number of connections  
per time frame as well.

>         Use hosts.allow to further restrict access to ssh.

Yep.  I agree.

>         Change the ssh port to something not generally known.

This I place into the category of security-through-obscurity, which I  
don't find a particularly comforting method.  So it adds a single  
extra layer, but if a cracker is worth her/his salt, it's easily  
discovered and, in my opinion, not worth the extra effort it takes me  
to type -p <PORT> everytime.  (Yes, I could use an alias or some  
such, but that's still extra thought-power that I'd rather place  
elsewhere.)

>         In sshd_config use the AllowUsers parameter to allow
>         specific users to have access to ssh.

Yep.  I agree.

I think that in the end, those who are security conscious, such as  
presumably you and me, the specifics of how we do it become largely a  
moot point or highly dependent on what it is that we're securing.  My  
personal preference is to follow the 80/20 rule.  I don't have 100%  
of my time to devote to doing the exact right thing.  But I do have  
20% of my time to devote to doing 80% of the exact right thing.  If/ 
when that becomes a problem, I'll reevaluate my approach.

On that note, you may know better than I do: is there a web page or  
blog somewhere that coalesces all the different things that should be  
done/are currently best-practice to secure a system?  Especially to a  
*BSD noob?

Thanks,

Kevin