On 3/19/2014 2:50 PM, Ned Slider wrote:
>
> Just to add, I'm sure everyone has already read and implemented many of
> the suggestions here:
>
> http://wiki.centos.org/HowTos/Network/SecuringSSH
>
> Numbers 2 and 7 have already been highlighted in this thread.
>

#1 These days I would say that 8 chars minimum length is too few, even if they are completely random (and most won't be). If you're not willing to type gibberish, then a more reasonable minimum length is 12-14. Especially for your root password (or other administration accounts). If you have your users creating 15+ character passwords, don't make them change it every 30/60/90 days. Password aging hurts more than it helps as passwords grow longer. Users are more likely to adopt poor behavior like simply adding or incrementing numbers from month to month. Longer durations, like 3-5 years, give the users time to memorize the password rather than just keeping it on a sticky on the desk.

#2 (disable root login) is a must for any public facing box, and a strong recommendation for all other boxes. It's the top target of attack, so why allow it to be attacked at all?

#5 (non-standard port) is very useful. Not for protecting yourself against attack, but from not having your log files fill up with all of the automated attack scripts. Which makes it easier to spot the more serious attackers who have taken the time and effort to find your SSH port.

#7 (public-key pairs) is also a must for any public-facing box. It defeats all attempts to brute-force account passwords remotely. Now you just have to worry that someone will steal your private key files. But if someone has gotten far enough inside to steal your private key file then you have bigger security problems to worry about.
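A way to check a host against points #2, #5 and #7 discussed above, as an added example that is not part of the list post or the CentOS wiki page: a small POSIX shell audit of `sshd_config`. It reads the effective global value of each directive the way sshd does (first uncommented occurrence wins, and the global section ends at the first `Match` block) and reports settings that do not match the recommendations. The function names and the two sample configurations are assumptions constructed for the example, not taken from any real host.

```shell
#!/bin/sh
# Added example: audit sshd_config for root login, password auth and default port.
# Function names and sample configs are constructed for illustration.

# sshd_value FILE KEYWORD
# Print the effective global value of KEYWORD, or "unset" if it never appears.
# sshd uses the first uncommented occurrence; anything after a Match block is
# conditional, so the scan stops there. (The rare "Keyword=value" form is not handled.)
sshd_value() {
    awk -v key="$2" '
        /^[ \t]*#/ || NF == 0 { next }                   # skip comments and blank lines
        tolower($1) == "match" { exit }                  # end of the global section
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# audit_sshd FILE
# Print one line per finding; the return status is the number of findings
# (0 means every checked setting matches the recommendation).
audit_sshd() {
    f="$1"; n=0

    v=$(sshd_value "$f" PermitRootLogin)
    case "$v" in
        no) ;;
        *) echo "PermitRootLogin is '$v' (#2: set it to 'no')"; n=$((n + 1)) ;;
    esac

    v=$(sshd_value "$f" PasswordAuthentication)
    case "$v" in
        no) ;;
        *) echo "PasswordAuthentication is '$v' (#7: use keys, set it to 'no')"; n=$((n + 1)) ;;
    esac

    v=$(sshd_value "$f" Port)
    case "$v" in
        unset|22) echo "Port is '$v' (#5: default port, expect scanner noise in the logs)"; n=$((n + 1)) ;;
    esac

    return $n
}

# Constructed sample: a weak configuration. The commented-out Port line and the
# PermitRootLogin inside the Match block must NOT count as global settings.
write_weak_config() {
    cat > "$1" <<'EOF'
# Port 2222
PermitRootLogin yes
PasswordAuthentication yes
Match User backup
    PermitRootLogin no
EOF
}

# Constructed sample: a configuration following #2, #5 and #7.
write_hardened_config() {
    cat > "$1" <<'EOF'
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
EOF
}

# Usage: sh audit_sshd.sh /etc/ssh/sshd_config
if [ "$#" -gt 0 ]; then
    audit_sshd "$1"
fi
```

Running it against the weak sample reports three findings and exits with status 3; against the hardened sample it prints nothing and exits 0, so it can sit in a cron job or a configuration-management check. Note that it only inspects the file: after editing `sshd_config`, the running daemon still has to be reloaded, and on a non-standard port the firewall and SELinux port label need to allow it before the old session is closed.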