LinuxQuestions.org

Linux - Server > Securing SSH (https://www.linuxquestions.org/questions/linux-server-73/securing-ssh-4175556611/)

moog7 10-19-2015 03:14 PM

Securing SSH
 
What's the best way of securing SSH access when on a dynamic IP address?

berndbausch 10-19-2015 06:35 PM

I am aware of password, keypair or certificate. What's best depends on your situation. Personally I'd go for keys protected with passphrases and managed with ssh-agent or keychain, as setting up a CA is too much pain for me.
This should be the same whether you use dynamic or static addresses. Or am I missing something?

Edit: Of course there is the little problem of client and server knowing each other by IP address, so my answer doesn't address your problem. It seems though that you are not the first person with this question; googling will help.

Sefyir 10-19-2015 06:51 PM

This might be helpful

http://www.linuxquestions.org/questi...ts-4175530596/

Habitual 10-20-2015 10:53 AM

Buy a static one if you have such an option.
$5.00 USD in the USA. YCMV

Red Squirrel 10-21-2015 03:41 PM

Quote:

Originally Posted by Habitual (Post 5437464)
Buy a static one if you have such an option.
$5.00 USD in the USA. YCMV

Not all ISPs provide statics. Mine does not, and it's a pain because their DHCP lease time is 10 minutes. You just need to look at the router funny and you get a new IP.

What I would do is put SSH on a non-default port, that will stop all the bots from flooding your log files, then install fail2ban. That blocks IPs that fail to log in too many times. I set it to 3. You could also try to find out what your ISP's IP ranges are and then only allow for those ranges; it will at least minimize the amount of attack sources. TBH I don't bother though, I just have it wide open to any IP but use fail2ban. By having it on a non-default port I've never even had fail2ban hit. I have it set up to alert me if it happens.
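The following Python is an added example, not code from the thread and not fail2ban itself. It reproduces the core of what the post relies on: count sshd "Failed password" lines per source address and flag any address that reaches the maxretry threshold (3, as in the post) inside a findtime window, and separately check whether a source address falls inside a list of ISP ranges. The log lines, the year used to complete the syslog timestamps, and the 198.51.100.0/24 "ISP range" are all constructed placeholders.

```python
"""Fail2ban-style failure counting for sshd logs plus an ISP-range check.

Added example, not from the LinuxQuestions thread or from fail2ban.
Simplified: no bantime/unban handling, one regex, one jail.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in syslog/sshd format. 203.0.113.7 fails three
# times in nine seconds; 192.0.2.9 fails three times ten minutes apart.
SAMPLE_AUTH_LOG = """\
Oct 22 20:01:05 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Oct 22 20:01:09 host sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
Oct 22 20:01:14 host sshd[1205]: Failed password for root from 203.0.113.7 port 51141 ssh2
Oct 22 20:05:30 host sshd[1250]: Failed password for moog7 from 198.51.100.20 port 40210 ssh2
Oct 22 20:05:45 host sshd[1252]: Accepted publickey for moog7 from 198.51.100.20 port 40212 ssh2
Oct 22 20:40:00 host sshd[1301]: Failed password for invalid user test from 192.0.2.9 port 33001 ssh2
Oct 22 20:50:00 host sshd[1302]: Failed password for invalid user test from 192.0.2.9 port 33002 ssh2
Oct 22 21:00:00 host sshd[1303]: Failed password for invalid user test from 192.0.2.9 port 33003 ssh2
"""

# Matches the password-failure line sshd writes; the "invalid user" prefix is optional.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"
)

# Constructed placeholder for "your ISP's ranges"; replace with the real prefixes.
ISP_RANGES = [ipaddress.ip_network("198.51.100.0/24")]


def parse_failures(log_text, year=2015):
    """Return a list of (timestamp, source_ip) for each failed password line.

    Syslog timestamps carry no year, so one is supplied (assumed 2015 here).
    """
    events = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
        events.append((ts, m.group("ip")))
    return events


def ips_to_ban(events, maxretry=3, findtime=timedelta(minutes=10)):
    """Return the set of IPs with >= maxretry failures inside any findtime window.

    Sliding window per IP: the same rule fail2ban's sshd jail applies with
    maxretry = 3 and the default findtime of 10 minutes.
    """
    by_ip = defaultdict(list)
    for ts, ip in sorted(events):
        by_ip[ip].append(ts)
    banned = set()
    for ip, times in by_ip.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > findtime:  # drop failures older than the window
                start += 1
            if end - start + 1 >= maxretry:
                banned.add(ip)
                break
    return banned


def allowed_by_isp_range(ip, ranges=ISP_RANGES):
    """True if ip lies inside one of the allowed ISP prefixes (a firewall-style allowlist)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


if __name__ == "__main__":
    failures = parse_failures(SAMPLE_AUTH_LOG)
    print("failed attempts parsed:", len(failures))
    for ip in sorted(ips_to_ban(failures)):
        print("would ban:", ip, "(inside ISP range)" if allowed_by_isp_range(ip) else "(outside ISP range)")
```

On the sample input only 203.0.113.7 is flagged: 192.0.2.9 spreads its three failures over twenty minutes and never has three inside a ten-minute window, which is the classic slow-brute-force gap in a pure maxretry/findtime rule and the reason the thread's other advice (keys instead of passwords, no root login) still matters even with fail2ban running.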

moog7 10-22-2015 04:11 PM

Quote:

Originally Posted by Red Squirrel (Post 5438177)
Not all ISPs provide statics. Mine does not, and it's a pain because their DHCP lease time is 10 minutes. You just need to look at the router funny and you get a new IP.

What I would do is put SSH on a non-default port, that will stop all the bots from flooding your log files, then install fail2ban. That blocks IPs that fail to log in too many times. I set it to 3. You could also try to find out what your ISP's IP ranges are and then only allow for those ranges; it will at least minimize the amount of attack sources. TBH I don't bother though, I just have it wide open to any IP but use fail2ban. By having it on a non-default port I've never even had fail2ban hit. I have it set up to alert me if it happens.

Thank you. That was my thinking too, I thought about limiting to my ISP's IP range (better than nothing) and with fail2ban running but wanted to see if there were better ways of securing it.

Do you get many login attempts?

Thanks

maples 10-22-2015 05:58 PM

Quote:

Originally Posted by moog7 (Post 5438737)
Thank you. That was my thinking too, I thought about limiting to my ISP's IP range (better than nothing) and with fail2ban running but wanted to see if there were better ways of securing it.

Do you get many login attempts?

Thanks

I agree with Red Squirrel, run it on something other than 22. I do that with my home server, and I don't think I've ever had a single unauthorized login attempt.

However, this should NOT be the only step you take in securing SSH. Many people (including myself) would call this "security by obscurity", which should never be considered a real security feature. https://en.wikipedia.org/wiki/Security_by_obscurity I view it as simply a method of keeping my logs clean. :D

Look into using SSH keys and disabling root login.
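As an added example (not code from the thread or from OpenSSH), the Python below audits an sshd_config text for the settings the thread recommends: a non-default port, root login disabled, key authentication on and password authentication off. The two config fragments are constructed; the defaults table is assumed to reflect OpenSSH's documented built-in defaults, and the parser follows sshd's "first value for a keyword wins" rule and stops at the first Match block, whose directives are conditional.

```python
"""Audit an sshd_config for the hardening steps discussed in the thread.

Added example, not from the LinuxQuestions thread or from OpenSSH.
"""
import re

# Constructed hardened fragment: non-default port, keys only, no root login.
HARDENED_SSHD_CONFIG = """\
# constructed example, not a real host's config
Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
MaxAuthTries 3
"""

# Constructed fragment that looks like a stock install: commented-out defaults.
DEFAULT_LIKE_CONFIG = """\
#Port 22
#PermitRootLogin prohibit-password
PasswordAuthentication yes
"""

# Assumed OpenSSH built-in defaults used when a keyword is absent (keys lowercased).
DEFAULTS = {
    "port": "22",
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "maxauthtries": "6",
}

# (keyword, predicate on the effective value, finding text)
CHECKS = [
    ("port", lambda v: v != "22",
     "sshd listens on 22; a non-default port only reduces log noise, but the thread recommends it"),
    ("permitrootlogin", lambda v: v == "no",
     "PermitRootLogin is not 'no'; disable direct root login"),
    ("passwordauthentication", lambda v: v == "no",
     "PasswordAuthentication is not 'no'; switch to SSH keys and turn passwords off"),
    ("pubkeyauthentication", lambda v: v == "yes",
     "PubkeyAuthentication is not 'yes'; key login would be refused"),
]


def effective_settings(config_text, defaults=DEFAULTS):
    """Return the effective value of each keyword in the global section.

    sshd keeps the first value it sees for a keyword and ignores later ones;
    keywords are case-insensitive and may use 'Key value' or 'Key=value'.
    Everything after a Match line is conditional, so parsing stops there.
    """
    settings = dict(defaults)
    seen = set()
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        if key not in seen:
            settings[key] = value
            seen.add(key)
    return settings


def audit(config_text):
    """Return the list of findings for config_text; an empty list means all checks pass."""
    settings = effective_settings(config_text)
    return [msg for key, ok, msg in CHECKS if not ok(settings.get(key, ""))]


if __name__ == "__main__":
    for name, text in (("default-like", DEFAULT_LIKE_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        findings = audit(text)
        print(f"{name}: {'OK' if not findings else ''}")
        for f in findings:
            print("  -", f)
```

Run it against `/etc/ssh/sshd_config` by reading the file into `audit()`; after editing the real file, `sshd -t` validates the syntax before a restart, and keeping an existing session open while testing a new login avoids locking yourself out.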

Red Squirrel 10-22-2015 08:11 PM

I don't get any attempts with it on a different port, at least none that try more than 3 times. I test it occasionally to make sure my alerting works (just did it now actually since I thought of it. :P )

http://gal.redsquirrel.me/thumbs/lrg-3160-1__4_.png

I also get an alert on my phone.

But yeah, don't rely on a different port only as it won't stop a targeted attack; it will just stop you from getting a million alerts all the time.

One time I put an SSH server online on the default port and I had not gotten around to installing fail2ban yet, and it was hacked within 10 minutes. Brute force is not a matter of if but a matter of when. By the time I noticed why my internet was so slow I found that the machine got hacked, and the bot had already hacked 3 other online machines from mine. They basically spread like a worm. The bot was nice enough to leave a log behind. :P It was kinda neat to see it happen actually; it was a test VM so nothing was really compromised. Though it technically could have been used to hack my internal network, so definitely be careful if you decide to try anything like this and do it on a separate VLAN. I did not know any better at that time.
