LinuxQuestions.org
Old 06-03-2014, 04:15 PM   #1
jonnybinthemix
Member
 
Registered: May 2014
Location: Bristol, United Kingdom
Distribution: RHEL 5 & 6
Posts: 132

Rep: Reputation: Disabled
Securing SSH


Hey Guys,

Another quick question...

As some may know I'm re-sitting my RHCE Exam on Friday and I'm going through some studying to make sure I've got it all nailed.

My query is regarding the securing of SSH Connections. I know there are many ways to secure connections from SSH, so I'll list the few I know... but my question is, what is known as the best? I know that Redhat does not really mind how you do something as long as the outcome is what they require, so again this question is by no means exam related.. it's actually more for me. If I were to do this with my servers what would be best..

I know that we can;
  1. Create custom IPTABLE rules allowing SSH only from a certain source
  2. Edit the sshd_config file and add a network to 'AllUsers'
  3. Set hosts.deny to ALL:ALL and then add ssh: x.x.x.x to hosts.allow
  4. Add ALL:ALL to hosts.allow and then restrict a certain network by adding sshd : x.x.x.x to deny a certain address

So there are a few ways of achieving the same or similar task.. but which is the industry standard *best practice* way of doing it?

Thanks
Jon
 
Old 06-03-2014, 08:05 PM   #2
soldersplash
LQ Newbie
 
Registered: May 2009
Location: England, UK
Distribution: Ubuntu 16.04
Posts: 21

Rep: Reputation: 0
Also you might consider (if you haven't already, that is) having a good password or better still use RSA key authentication. https://help.github.com/articles/generating-ssh-keys

Running ssh on non-standard port. (Although in my opinion that's security through obscurity == not real security)

And then there are useful monitor stuff like fail2ban http://www.fail2ban.org/wiki/index.php/Main_Page

HTH & YMMV,
Soldersplash.
 
Old 06-04-2014, 06:49 AM   #3
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.8, Centos 5.10
Posts: 17,241

Rep: Reputation: 2325
It really depends on the situation, not to mention you'd normally use more than one technique at the same time.
I'd definitely add setting 'PermitRootLogin no' in /etc/ssh/sshd_config
 
Old 06-04-2014, 07:00 AM   #4
jonnybinthemix
Member
 
Registered: May 2014
Location: Bristol, United Kingdom
Distribution: RHEL 5 & 6
Posts: 132

Original Poster
Rep: Reputation: Disabled
Hey guys,

Thanks for your responses.

If the requirement were simply to allow SSH to all bar the network 192.168.1.0/24..

Would a sufficient solution be;

iptables -I INPUT -s 192.168.1.0/24 -p tcp --dport 22 -j REJECT

I guess the point I'm making is that the above firewall rule would achieve the task in hand.. but is there a 'nicer' way of achieving that same goal?

Jon
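
Added example, not part of any post in this thread: a shell check of the sshd_config settings the replies mention (PermitRootLogin, password versus key authentication, a user restriction), run over a constructed sample config. It assumes a single config file with whitespace-separated "Keyword value" lines; the function names sshd_effective, audit_sshd and write_sample are illustrative.

```shell
#!/bin/sh
# Print the effective global value of keyword $1 in sshd_config file $2.
# sshd keeps the FIRST value it reads for a keyword, keywords are
# case-insensitive, and lines after the first "Match" are conditional.
sshd_effective() {
    awk -v key="$1" '
        BEGIN { key = tolower(key) }
        /^[ \t]*(#|$)/ { next }            # skip comments and blank lines
        tolower($1) == "match" { exit }    # global section ends here
        tolower($1) == key { print tolower($2); exit }
    ' "$2"
}

# Print one line per finding for the settings discussed in the thread.
audit_sshd() {
    root=$(sshd_effective PermitRootLogin "$1")
    pass=$(sshd_effective PasswordAuthentication "$1")
    allow=$(sshd_effective AllowUsers "$1")
    if [ "$root" != "no" ]; then
        echo "PermitRootLogin is '${root:-unset}', expected 'no'"
    fi
    if [ "$pass" != "no" ]; then
        echo "PasswordAuthentication is '${pass:-unset}': passwords accepted as well as keys"
    fi
    if [ -z "$allow" ]; then
        echo "AllowUsers is not set: no user/host restriction in sshd itself"
    fi
    return 0
}

# Constructed sample config: the later "PermitRootLogin no" never takes
# effect because an earlier (differently cased) line already set it.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample sshd_config
Port 22
permitrootlogin yes
PermitRootLogin no
PasswordAuthentication no
Match Address 192.168.1.0/24
    PasswordAuthentication yes
EOF
}

cfg=$(mktemp)
write_sample "$cfg"
audit_sshd "$cfg"
rm -f "$cfg"
```

On a real host, point audit_sshd at /etc/ssh/sshd_config; where the installed sshd supports it, `sshd -T` prints the configuration the daemon actually resolved.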
 
All times are GMT -5. The time now is 12:57 PM.