Best practices for securing SSH server

[TJ Varghese]

On Tue, Jun 23, 2009 at 9:43 AM, Benjamin Lee<ben at b1c1l1.com> wrote:
> On 06/22/2009 06:16 PM, Daniel Underwood wrote:
>> On a BSD box at work (at an extremely fast connection and static IP),
>> I run an SSH server.  I am the only person who uses the server, but I
>> use it from some locations that are behind a dynamic IP (so I can't
>> set pf rules to filter by IP).  I will always, however, use the same
>> laptop to connect to the server.  Due to the speed and location of the
>> connection, it's a relatively high-risk target.
>>
>> What are some good practices for securing this SSH server.  Is using a
>> stored key safer than a password in this instance? I have no
>> experience with port-knocking, but I'd appreciate some tips or
>> suggested beginning references... I welcome any and all advice.
>>
>> Note: I do require X11 forwarding (not sure whether that's relevant information)
>
> I have password authentication disabled on my public SSH server.  You
> can accomplish this by setting:
>
> ChallengeResponseAuthentication no
>
> in /etc/ssh/sshd_config.  See sshd_config(5) for more information.
>
> This allows you to enforce the use of stronger authentication methods
> (e.g. public key).  Keep in mind, however, that this setup will only be
> secure if you keep your alternate credentials (e.g. private key) secure
> as well.
>
> If for some reason you would prefer to use password authentication, I
> would recommend that you look into automatic brute force detection.
> There are a number of utilities in ports available for this purpose,
> including security/sshguard and security/denyhosts.


I'd recommend changing the listening port to something other than 22.
This reduces brute-forcing attempts by script-kiddie tools. Public key
authentication should be mandatory, in addition to having a passphrase
to your private key. Make sure your laptop is secure. Stay on top of
the security lists for openssh vulnerabilities.