Best practices for securing SSH server
levymoti at gmail.com
Tue Jun 23 02:21:49 UTC 2009
On Mon, Jun 22, 2009 at 9:43 PM, Benjamin Lee <ben at b1c1l1.com> wrote:
> On 06/22/2009 06:16 PM, Daniel Underwood wrote:
> > On a BSD box at work (at an extremely fast connection and static IP),
> > I run an SSH server. I am the only person who uses the server, but I
> > use it from some locations that are behind a dynamic IP (so I can't
> > set pf rules to filter by IP). I will always, however, use the same
> > laptop to connect to the server. Due to the speed and location of the
> > connection, it's a relatively high-risk target.
> > What are some good practices for securing this SSH server? Is using a
> > stored key safer than a password in this instance? I have no
> > experience with port-knocking, but I'd appreciate some tips or
> > suggested beginning references... I welcome any and all advice.
> > Note: I do require X11 forwarding (not sure whether that's relevant
> I have password authentication disabled on my public SSH server. You
> can accomplish this by setting:
> ChallengeResponseAuthentication no
> in /etc/ssh/sshd_config. See sshd_config(5) for more information.
> This allows you to enforce the use of stronger authentication methods
> (e.g. public key). Keep in mind, however, that this setup will only be
> secure if you keep your alternate credentials (e.g. private key) secure
> as well.
> If for some reason you would prefer to use password authentication, I
> would recommend that you look into automatic brute force detection.
> There are a number of utilities in ports available for this purpose,
> including security/sshguard and security/denyhosts.
> Benjamin Lee
prevent brute force scans:
option a (my favorite) - change ssh port number
option b (works just as well, but with more junk in your logs) - install a
brute force blocker (it's in the ports ..)
create explicit login group:
add AllowGroups groupname to your sshd config
add the group to your groups file and make sure you / anyone with access is a
member of that group.
force ssh version 2 only - just for kicks :)
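An added example, not code from the thread: a small POSIX sh audit that checks an sshd_config against the advice above (the ChallengeResponseAuthentication line, the AllowGroups, port and protocol suggestions) plus PasswordAuthentication, which is the directive that actually governs password logins. The two config files and their paths are constructed for the demo, and the parser assumes no Match blocks.

```shell
# Added example (not from the thread): audit an sshd_config for the settings
# recommended above. The two config files below are constructed for the demo.
# sshd_value FILE DIRECTIVE: value sshd would use (first non-comment match
# wins; Match blocks are not modelled, a simplifying assumption).
sshd_value() {
    awk -v key="$2" '
        /^[ \t]*#/ || NF < 2 { next }
        tolower($1) == tolower(key) { $1 = ""; sub(/^ +/, ""); print; exit }
    ' "$1"
}
bool() { if "$@"; then echo 1; else echo 0; fi; }   # 1 if the test command passes
verdict() {   # verdict "label" 1|0: report on stderr, count failures
    if [ "$2" -eq 1 ]; then echo "PASS  $1" >&2
    else echo "FAIL  $1" >&2; fails=$((fails + 1)); fi
}
# Prints the number of failed checks for FILE on stdout; report goes to stderr.
audit_sshd_config() {
    f="$1"; fails=0
    pw=$(sshd_value "$f" PasswordAuthentication)
    cr=$(sshd_value "$f" ChallengeResponseAuthentication)
    pk=$(sshd_value "$f" PubkeyAuthentication)
    ag=$(sshd_value "$f" AllowGroups)
    pt=$(sshd_value "$f" Port)
    pr=$(sshd_value "$f" Protocol)
    # Both must be "no" to refuse password logins; each defaults to yes.
    verdict "PasswordAuthentication no"          "$(bool [ "$pw" = no ])"
    verdict "ChallengeResponseAuthentication no" "$(bool [ "$cr" = no ])"
    verdict "PubkeyAuthentication still enabled" "$(bool [ "$pk" != no ])"
    verdict "AllowGroups limits who may log in"  "$(bool [ -n "$ag" ])"
    # A non-default port only thins scanner noise in the logs; not a control.
    verdict "Port moved off 22 (noise only)"     "$(bool [ "${pt:-22}" != 22 ])"
    verdict "Protocol 2 only (absent is fine on modern OpenSSH)" "$(bool [ "${pr:-2}" = 2 ])"
    echo "$fails"
}
TMP=$(mktemp -d); WEAK_CONF="$TMP/weak.conf"; HARD_CONF="$TMP/hard.conf"
cat > "$WEAK_CONF" <<'EOF'
# constructed: stock-looking config
Port 22
Protocol 2,1
PasswordAuthentication yes
EOF
cat > "$HARD_CONF" <<'EOF'
# constructed: the thread's advice applied
Port 2222
Protocol 2
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowGroups sshusers
EOF
echo "weak.conf failures: $(audit_sshd_config "$WEAK_CONF")"
echo "hard.conf failures: $(audit_sshd_config "$HARD_CONF")"
```

Run it as `sh audit.sh`; the per-directive PASS/FAIL report goes to stderr and the failure count per file to stdout, so the count is easy to use from other scripts.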
More information about the freebsd-questions