More Secure SSH Connections

Discussion in 'all things UNIX' started by lotuseclat79, Apr 1, 2014.

Thread Status:
Not open for further replies.
  1. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,103
  2. _Sim_

    _Sim_ Registered Member

    Joined:
    Mar 2, 2014
    Posts:
    15
    Thanks for the link.

    Personally I don't like the idea of getting a bit more security by obscurity. It complicates things for users and doesn't discourage an attacker from overcoming the security environment. Besides this aspect, I miss fail2ban in this article. fail2ban prevents an intrusion by blocking IP addresses belonging to hosts that, for example, are trying too many login attempts.
     
  3. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    Disallow password login from WAN (i.e. only allow authorized public keys). Brute-forcing a private key from a public key is much more difficult than brute-forcing a password, even a long password.

    Also, encrypt your private key with a nice, long, high-entropy password. The longer and less guessable the password, the better.

    ... But there is probably more that could be done. e.g. privkeys are typically encrypted with AES, and it might be better to use a slower, stronger algorithm like Twofish. If anyone knows how to use more powerful symmetric ciphers for the private key with OpenSSH, I am all ears.
     
  4. root_my_face

    root_my_face Registered Member

    Joined:
    Feb 11, 2014
    Posts:
    10
    Agree with the above; fail2ban, disabling root (from ssh), and key only login is the way to go.

    Password logins without fail2ban will get brute forced sooner or later.
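
Added example, not part of the thread or of any poster's code: a small auditor for the key-only, no-root-login settings recommended in the two posts above. It applies sshd's rule that the first value read for a keyword wins and flags `Match` blocks that re-enable weaker settings; the sample config, the `REQUIRED` policy table and the function names are constructed for illustration, and `Include` files are not followed.

```python
import re

# Upstream OpenSSH defaults used when a keyword is absent (assumption: the
# distribution has not changed them).
DEFAULTS = {"passwordauthentication": "yes", "kbdinteractiveauthentication": "yes",
            "permitrootlogin": "prohibit-password", "pubkeyauthentication": "yes"}
# Older configs use the deprecated name for keyboard-interactive auth.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
# Policy from the thread: key-only login, no root login. Keyboard-interactive
# is included because PAM can still prompt for a password through it.
REQUIRED = {"passwordauthentication": "no", "kbdinteractiveauthentication": "no",
            "permitrootlogin": "no", "pubkeyauthentication": "yes"}

def parse(config_text):
    """Return (global settings, [(Match criteria, keyword, value), ...])."""
    settings, overrides, match = {}, [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if line.startswith("#") or len(parts) < 2 or not parts[1].strip():
            continue
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":  # following keywords apply only to matching connections
            match = parts[1].strip()
        elif match is None:
            settings.setdefault(key, parts[1].split()[0].strip('"'))  # first value wins
        else:
            overrides.append((match, key, parts[1].split()[0].strip('"')))
    return settings, overrides

def audit(config_text):
    """List the settings that depart from REQUIRED, globally or in a Match block."""
    settings, overrides = parse(config_text)
    findings = [f"global: {k} is {settings.get(k, DEFAULTS[k])!r}, want {want!r}"
                for k, want in REQUIRED.items() if settings.get(k, DEFAULTS[k]) != want]
    findings += [f"Match {m}: {k} is {v!r}, want {REQUIRED[k]!r}"
                 for m, k, v in overrides if k in REQUIRED and v != REQUIRED[k]]
    return findings

# Constructed sample: the second PasswordAuthentication line is ignored.
SAMPLE = """PasswordAuthentication yes
PermitRootLogin no
PasswordAuthentication no
Match Address 10.0.0.0/8
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "OK")
```

On a live host, the output of `sshd -T` (the effective configuration with includes resolved) can be passed to `audit` instead of the raw file.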
     
  5. NGRhodes

    NGRhodes Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    2,331
    Location:
    West Yorkshire, UK
    Shame there is no mention of using 2 factor auth for SSH.
     