How do I prevent unauthorized ssh login attempts?
Kevin Hunter
hunteke at earlham.edu
Thu Apr 26 16:52:01 UTC 2007
At 11:22a -0400 on 26 Apr 2007, Hal wrote:
> On Apr 26, 2007, at 8:34 AM, Kevin Hunter wrote:
>> In general, utilizing public/private keys for remote
>> authentication is /much/ more secure than passwords.
>
> There is some debate about which is more secure:
> public/private keys or username/password.
Yep, thank you for that reminder. :-) I suppose we now know what
I'm arguing!
> With public/private keys anyone who has
> access to your machine has access to any machine
> your machine has a key on.
Without a passphrase, I'd agree. The key word that I made sure to
put in was 'remote'. With passphrases, it becomes a two-step
authentication, one locally to unlock the private key, and one
remotely to at least confirm that you have the other half of the key.
The other thing that I personally like about public/private key
combinations is that for the more lazy of us, we don't always check
the fingerprint matches. If I decide to log on to a remote machine
to which I've not logged directly on before (e.g. a company
NFS-shared home directory), then I can be assured that I'm not falling
victim to a man-in-the-middle attack; I can blindly accept the
fingerprint, and if it hangs, I can guess that I'm in the middle of
an attack attempt, and try another avenue to get where I'm going.
> With username/password protection is only as
> strong as your password. But your password is
> needed.
Yep. I agree.
> So... Use a firewall which limits access to only machines
> you are willing to let in.
Yep. I agree. See Bill's page about limiting number of connections
per time frame as well.
> Use hosts.allow to further restrict access to ssh.
Yep. I agree.
> Change the ssh port to something not generally known.
This I place into the category of security-through-obscurity, which I
don't find a particularly comforting method. So it adds a single
extra layer, but if a cracker is worth her/his salt, it's easily
discovered and, in my opinion, not worth the extra effort it takes me
to type -p <PORT> every time. (Yes, I could use an alias or some
such, but that's still extra thought-power that I'd rather place
elsewhere.)
> In sshd_config use the AllowUsers parameter to allow
> specific users to have access to ssh.
Yep. I agree.
I think that in the end, for those who are security conscious, such as
presumably you and me, the specifics of how we do it become largely a
moot point or highly dependent on what it is that we're securing. My
personal preference is to follow the 80/20 rule. I don't have 100%
of my time to devote to doing the exact right thing. But I do have
20% of my time to devote to doing 80% of the exact right thing.
If/when that becomes a problem, I'll reevaluate my approach.
On that note, you may know better than I do: is there a web page or
blog somewhere that coalesces all the different things that should be
done/are currently best-practice to secure a system? Especially to a
*BSD noob?
Thanks,
Kevin
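
Added example, not part of either poster's message: a small Python check of the global section of an sshd_config for the measures discussed in this thread (key versus password logins, AllowUsers, Port). The sample configuration and the function names are constructed for illustration; the parser is simplified and assumes whitespace-separated "Keyword value" lines with no Include files.

```python
# Constructed sample input, not a real host's configuration.
SAMPLE_CONFIG = """\
Port 22
PasswordAuthentication yes
#PubkeyAuthentication yes
AllowUsers alice
allowusers bob@192.0.2.*
PasswordAuthentication no

Match User backup
    PasswordAuthentication yes
"""

# OpenSSH defaults that apply when a keyword is absent.
DEFAULTS = {"passwordauthentication": "yes", "pubkeyauthentication": "yes"}
# Keywords whose repeated lines accumulate instead of "first value wins".
MULTI = {"allowusers", "port"}


def parse_global(text):
    """Effective global settings: keywords are case-insensitive, the first
    value obtained wins, and parsing stops at the first Match block."""
    single, multi = {}, {k: [] for k in MULTI}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, *args = line.split()
        key = key.lower()
        if key == "match":
            break
        if key in MULTI:
            multi[key].extend(args)
        else:
            single.setdefault(key, " ".join(args).lower())
    cfg = {**DEFAULTS, **single, **multi}
    cfg["port"] = cfg["port"] or ["22"]
    return cfg


def audit(text):
    """Return (settings, findings) for the measures named in the thread."""
    cfg = parse_global(text)
    findings = []
    if cfg["passwordauthentication"] != "no":
        findings.append("password logins enabled")
    if cfg["pubkeyauthentication"] != "yes":
        findings.append("public-key logins disabled")
    if not cfg["allowusers"]:
        findings.append("no AllowUsers restriction")
    return cfg, findings
```

On the sample, the later "PasswordAuthentication no" has no effect because the earlier "yes" was read first, so the check still reports password logins as enabled.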