SSH security.
A subject that's been done to death, I know but I'm after opinions as to whether I'm working along the right lines...
I'd like to forward (NAT router) port 22 from the internet to my PCLOS (Firewall configured.) box which has sshd running and fail2ban installed, default config. My users' passwords probably aren't the most robust ever... root is reasonably secure, I think. My main Mepis (Firewall disabled.) box also has sshd running but as yet no fail2ban. So, basically all that would be between my whole network and anyone snooping for open port 22 is fail2ban on my PCLOS box. I appreciate that there is a lot more hardening that I could do but for practical purposes is that enough?
Quote:
There are some misc security techniques that are pretty useful on www.RussThompson.me
Also shows how to disable direct root login as well
Thanks all! Root login on my Mepis box was set to without-password which I guess is reasonably secure. I've changed it to no. Will check my PCLOS box tomorrow.
For an external connection, it is more secure to have ssh listen on some port other than 22 as well. That way you need to know the port to connect to, and a user that will work. I only allow one, otherwise useless, user to connect from an external IP, and that user has to su to root to do anything useful.
Yeah, maybe, but then you have to specify what port you want all the time, which is like having an IP address to remember. Not worth the hassle IMHO.
And you can set it in ~/.ssh/config.
Just checked my PCLinuxOS machine and PermitRootLogin no is the default. So, for anyone else's info, both Mepis & PCLOS don't permit ssh root login with a password. In my case, my machines now do not allow it at all.
The changing port thing would fix the ssh scanners good and proper. I might see if I can set my router up to forward port <random> to port 22 so I retain the standard port on my LAN.
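A small audit of the three settings being compared in this thread (PermitRootLogin, PasswordAuthentication and the listening Port), as an added example that is not from the thread or from OpenSSH. It reads sshd_config syntax from a constructed sample rather than a real host's file; the one assumption worth stating is that an absent PermitRootLogin is treated as OpenSSH's later default, prohibit-password (older releases defaulted to yes, and the distros above are reported to ship no).

```python
"""Audit an OpenSSH sshd_config for the settings discussed above.

Added example, not from the thread or from OpenSSH. It reads sshd_config
syntax (one keyword per line, '#' comment lines, case-insensitive keywords,
optional '=' separator, first occurrence of a keyword wins, Match blocks
scoped separately) and flags the settings that matter for an internet-facing
port 22: PermitRootLogin, PasswordAuthentication and the listening Port.
"""
import re

# Constructed sample config; not copied from any real machine.
SAMPLE_SSHD_CONFIG = """\
# constructed sshd_config for this example
Port 22
#ListenAddress 0.0.0.0
PermitRootLogin without-password
PasswordAuthentication yes
MaxAuthTries 6
MaxAuthTries 3
Match User backup
    PermitRootLogin no
    PasswordAuthentication no
"""

# keyword, then either "=" or whitespace, then the value
LINE_RE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")


def parse_sshd_config(text):
    """Return (global_settings, [(match_criteria, settings), ...]).

    sshd uses the first value it sees for a keyword, so duplicates in the
    same scope are ignored; a Match line starts a new scope.
    """
    global_settings = {}
    match_blocks = []
    scope = global_settings
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # keyword with no value; sshd itself would reject it
        keyword, value = m.group(1).lower(), m.group(2).strip()
        if keyword == "match":
            scope = {}
            match_blocks.append((value, scope))
            continue
        scope.setdefault(keyword, value)  # first occurrence wins
    return global_settings, match_blocks


def audit(settings, scope="global"):
    """Return {keyword: finding} for the weak settings in one scope.

    Assumed default for an absent PermitRootLogin: prohibit-password
    (OpenSSH 7.0 and later); older releases defaulted to yes.
    """
    findings = {}
    prl = settings.get("permitrootlogin", "prohibit-password").lower()
    if prl == "yes":
        findings["permitrootlogin"] = "root may log in with a password; set PermitRootLogin no"
    elif prl in ("without-password", "prohibit-password"):
        findings["permitrootlogin"] = ("root may still log in with a key (%s); set PermitRootLogin no "
                                       "unless an automated job needs it" % prl)
    if settings.get("passwordauthentication", "yes").lower() == "yes":
        findings["passwordauthentication"] = ("password logins allowed, so weak user passwords can be "
                                              "brute-forced; use keys and set PasswordAuthentication no")
    if scope == "global" and settings.get("port", "22") == "22":
        findings["port"] = "listening on the default port; moving it reduces log noise only, not risk"
    return findings


def audit_config(text):
    """Audit the global scope and every Match block; returns {scope: findings}."""
    global_settings, match_blocks = parse_sshd_config(text)
    report = {"global": audit(global_settings)}
    for criteria, settings in match_blocks:
        # A Match block only overrides what it sets; everything else is inherited.
        merged = {**global_settings, **settings}
        report["Match " + criteria] = audit(merged, scope=criteria)
    return report


if __name__ == "__main__":
    for scope, findings in audit_config(SAMPLE_SSHD_CONFIG).items():
        print(scope)
        for keyword, finding in findings.items():
            print("  %s: %s" % (keyword, finding))
```

Run it against your own file with `audit_config(open("/etc/ssh/sshd_config").read())`; the Match block in the sample shows why the global value alone is not the whole story, since a per-user block can tighten (or loosen) what the top of the file says.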
Quote:
The former is pretty good, but if you don't need a root ssh login for automated cron jobs, then don't have root logins. You can log in under your own account and use sudo or su to root. You can also forward one port on the router to PCLOS port 22 and another to MEPIS port 22.
Quote:
I wouldn't say moving the default listening port is secure...it isn't. A simple scan should show what's open, no matter where you move it. The only good thing about actually moving it is that it'll cut down on the log size, as script kiddies and such just tend to scan against the default port.
Quote:
Will have a play about with varying port numbers to see what happens with regard to the number of probes.
When moving to a non-default port, I think it's a good idea to run something like psad to, among other things, lessen the ease by which your port can be spotted. Nothing is a replacement for making sure the actual SSH daemon is as tight as possible, but as long as you don't develop a false sense of security, using a non-default port can have nice benefits (for example, the noise reduction mentioned by jschiwal, which can encourage the administrator to take alerts more seriously).
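The threshold logic behind the fail2ban sshd jail the opening post relies on, and the log-noise point made in the last few replies, as an added example that is neither fail2ban's own code nor from the thread. It scans constructed auth.log lines for failed password attempts, keeps a sliding window of failures per source address, and reports which address would have been banned; the 5-failures-in-10-minutes values are assumed to match fail2ban's stock jail.conf and should be checked against the installed version. The slow scanner in the sample is the edge case: it never exceeds the threshold, which is the kind of thing psad or a longer findtime is meant to catch.

```python
"""Count failed SSH logins per source address over a sliding window.

Added example, not from the thread and not fail2ban's implementation. It
applies the same idea as fail2ban's sshd jail: when one address produces
MAXRETRY failures within FINDTIME seconds, that address would be banned.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAXRETRY = 5    # assumed to match fail2ban's stock jail.conf; verify locally
FINDTIME = 600  # seconds (10 minutes); same assumption

# Constructed sample auth.log lines; the hosts and addresses are not real.
SAMPLE_LOG = """\
Mar  3 21:00:01 pclos sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 40211 ssh2
Mar  3 21:00:04 pclos sshd[1203]: Failed password for invalid user oracle from 203.0.113.5 port 40212 ssh2
Mar  3 21:00:09 pclos sshd[1205]: Failed password for root from 203.0.113.5 port 40213 ssh2
Mar  3 21:00:15 pclos sshd[1207]: Failed password for invalid user test from 203.0.113.5 port 40214 ssh2
Mar  3 21:00:21 pclos sshd[1209]: Failed password for invalid user guest from 203.0.113.5 port 40215 ssh2
Mar  3 21:00:30 pclos sshd[1211]: Failed password for bob from 192.0.2.10 port 51000 ssh2
Mar  3 21:00:45 pclos sshd[1213]: Accepted password for bob from 192.0.2.10 port 51001 ssh2
Mar  3 21:20:02 pclos sshd[1301]: Failed password for invalid user admin from 198.51.100.7 port 33000 ssh2
Mar  3 21:35:10 pclos sshd[1302]: Failed password for invalid user admin from 198.51.100.7 port 33001 ssh2
"""

# syslog timestamp, host, sshd[pid], then the failed-password message
FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text):
    """Yield (timestamp, user, ip) for each failed-password line, in log order."""
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are not counted
        # syslog lines carry no year; fine for one log, wrong across New Year
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        yield ts, m.group("user"), m.group("ip")


def find_bans(log_text, maxretry=MAXRETRY, findtime=FINDTIME):
    """Return [(ip, ban_time)] in the order bans would have been triggered."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)  # ip -> timestamps of failures inside the window
    bans = []
    for ts, _user, ip in parse_failures(log_text):
        q = recent[ip]
        while q and ts - q[0] > window:
            q.popleft()  # drop failures older than findtime
        q.append(ts)
        if len(q) >= maxretry:
            bans.append((ip, ts))
            q.clear()  # a banned address starts from zero if it reappears
    return bans


def failures_by_source(log_text):
    """Total failed attempts per address, regardless of timing (the log noise)."""
    counts = defaultdict(int)
    for _ts, _user, ip in parse_failures(log_text):
        counts[ip] += 1
    return dict(counts)


if __name__ == "__main__":
    print("failures per source:", failures_by_source(SAMPLE_LOG))
    for ip, when in find_bans(SAMPLE_LOG):
        print("would ban %s at %s" % (ip, when.strftime("%H:%M:%S")))
    slow = find_bans(SAMPLE_LOG, maxretry=2, findtime=3600)
    print("with a longer window:", [ip for ip, _ in slow])
```

With the assumed defaults only 203.0.113.5 is banned; 198.51.100.7 spaces its two attempts 15 minutes apart and slips under the window, which is why a longer findtime (or an external watcher like psad) is worth considering once the default-port noise is gone and the remaining entries are worth reading.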