[CentOS] Securing SSH

Carlos Daniel Ruvalcaba Valenzuela clsdaniel at gmail.com
Wed Mar 26 07:29:43 UTC 2008


We have a public server and we did the following for SSH:

* Only Protocol v2
* Only key authentication, no password and large keys (just for the fun).
* Disable root login.
* Monitoring, we usually blacklist IPs trying to log in with many
unsuccessful attempts, using some custom scripts and iptables, but
there are many programs available for this now.

Additionally you could also add:

 * Throttling, you could throttle the amount of connections to the
port, there are already many tutorials on this on the internet.

I find setting a non standard port useless, all you need is to keep
your ssh server updated (including libraries) and follow common
security criteria and you should sleep soundly every night.

On Tue, Mar 25, 2008 at 5:33 PM, Robert Spangler
<mlists at zoominternet.net> wrote:
> On Tuesday 25 March 2008 12:55, Rudi Ahlers wrote:
>
>  >  Tim Alberts wrote:
>  >  > So I setup ssh on a server so I could do some work from home and I
>  >  > think the second I opened it every sorry monkey from around the world
>  >  > has been trying every account name imaginable to get into the system.
>  >  >
>  >  > What's a good way to deal with this?
>  >  >
>  >  > _______________________________________________
>  >  > CentOS mailing list
>  >  > CentOS at centos.org
>  >  > http://lists.centos.org/mailman/listinfo/centos
>  >
>  >  1. Change the default port
>
>  It is an option but a waste of time as a scanner will find the port it was moved
>  to.
>
>
>  >  2. use only SSH protocol 2
>
>  Agree
>
>
>  >  3. Install some brute force protection which can automatically ban an IP
>  >  on say 5 / 10 failed login attempts
>
>  Fail2ban comes to mind.
>
>
>  >  4. ONLY allow SSH access from your IP, if it's static. Or signup for a
>  >  DynDNS account, and then only allow SSH access from your DynDNS domain
>
>  I would suggest using keys for logins.  No password needed and if the
>  connecting machine doesn't have the key they don't get a chance to guess at
>  the password.
>
>  The idea of only allowing a strict IP address is good but what if you are on
>  the move?  Now you cannot log in either, but if you are using a key no matter
>  where you are you have access.
>
>
>  --
>
>  Regards
>  Robert
>
>  Smile... it increases your face value!
>  Linux User #296285
>  http://counter.li.org
>
>

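As an added illustration of the measures Carlos lists at the top of this message (protocol 2 only, key-only login, no root login, blacklisting of sources with many failed attempts, and connection throttling), the following Python script is example code written for this page, not the custom scripts the poster mentions and not part of the CentOS list archive. It audits an sshd_config excerpt for those settings, counts "Failed password" lines per source IP inside a sliding time window, and returns the iptables commands a blocking script would issue (as strings, never executed). The log lines, config text and addresses are constructed sample data; the log format assumed is the classic syslog sshd line, and the year is assumed because syslog stamps carry none.

```python
"""Added example for the CentOS 'Securing SSH' thread: an sshd_config audit and a
failed-login blacklist helper. All config text, log lines and IPs are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Directives the post recommends; sshd matches directive names case-insensitively.
REQUIRED = {
    "protocol": "2",
    "passwordauthentication": "no",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "no",
}

def parse_sshd_config(text):
    """Map lowercased directive -> value; sshd honours the first occurrence."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        parts = line.split(None, 1)
        if len(parts) == 2:
            conf.setdefault(parts[0].lower(), parts[1].strip())
    return conf

def audit_sshd_config(text):
    """Sorted (directive, current value or None) for every missing/wrong setting."""
    conf = parse_sshd_config(text)
    return sorted((k, conf.get(k)) for k, want in REQUIRED.items()
                  if (conf.get(k) or "").lower() != want)

# Classic syslog sshd failure line (assumed format, e.g.
# "Mar 26 07:00:01 host sshd[2001]: Failed password for root from 203.0.113.5 port 4 ssh2")
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port")

def parse_ts(ts, year):
    # syslog timestamps have no year; the caller supplies one (assumption).
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def blacklist_candidates(lines, threshold=5, window=timedelta(minutes=10), year=2008):
    """{ip: total failures} for IPs with >= threshold failures in any window."""
    by_ip = defaultdict(list)
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            by_ip[m.group("ip")].append(parse_ts(m.group("ts"), year))
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):              # sliding window over sorted stamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged

def iptables_block_commands(ips):
    """Commands a blocking script would run for the flagged IPs (returned, not run)."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP" for ip in sorted(ips)]

# Rate-limit new SSH connections per source with the 'recent' match (the
# "throttling" the post mentions): more than 4 new connections in 60 s are dropped.
THROTTLE_RULES = [
    "iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set",
    "iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent "
    "--update --seconds 60 --hitcount 4 -j DROP",
]

# Constructed sample data.
WEAK_CONFIG = "Port 22\nProtocol 2\nPermitRootLogin yes\nPasswordAuthentication yes\nPubkeyAuthentication yes\n"
HARDENED_CONFIG = "Protocol 2\nPermitRootLogin no\nPasswordAuthentication no\nPubkeyAuthentication yes\n"
SAMPLE_LOG = [
    f"Mar 26 07:00:{s:02d} host sshd[20{i:02d}]: Failed password for invalid user {u} "
    f"from 203.0.113.5 port 400{i:02d} ssh2"
    for i, (s, u) in enumerate([(1, "admin"), (5, "oracle"), (9, "test"), (14, "guest"),
                                (20, "user"), (25, "ftp")])
] + [
    "Mar 26 07:01:00 host sshd[2010]: Accepted publickey for carlos from 198.51.100.7 port 50000 ssh2",
    "Mar 26 07:02:00 host sshd[2011]: Failed password for carlos from 198.51.100.7 port 50001 ssh2",
    # a slow scanner: 3 root failures 15 minutes apart never fill a 10-minute window
    "Mar 26 07:10:00 host sshd[2012]: Failed password for root from 203.0.113.9 port 41000 ssh2",
    "Mar 26 07:25:00 host sshd[2013]: Failed password for root from 203.0.113.9 port 41001 ssh2",
    "Mar 26 07:40:00 host sshd[2014]: Failed password for root from 203.0.113.9 port 41002 ssh2",
]

if __name__ == "__main__":
    print("config problems:", audit_sshd_config(WEAK_CONFIG))
    flagged = blacklist_candidates(SAMPLE_LOG)
    print("flagged:", flagged)
    print("\n".join(iptables_block_commands(flagged)))
```

The window logic matters: a slow scanner that spaces attempts 15 minutes apart never reaches the threshold inside a 10-minute window, which is exactly the trade-off any fail2ban-style tool makes between catching slow probes and blocking a legitimate user who fumbles a few times.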


More information about the CentOS mailing list