
With my Operations & Security Leadership experience I hope to speak to individuals who want to engineer solutions, not just fight fires. It always depends, but there are patterns forming around what works and I want to learn about those and share them with those who need help. Aaron is a DZone MVB and is not an employee of DZone and has posted 24 posts at DZone. You can read more from them at their website.

If you Expose ssh Publicly…

01.08.2012

…run it on a high port

This seems like obvious advice, but I see it ignored so often. Yes, putting ssh on another port is obscurity, but it freaking works. It doesn't prevent someone from cracking your password via ssh; you should have other mechanisms for that. It just removes all the noise: the mindless bots scanning port 22.


…disable root logins

This is the default on most distributions, but I still talk to people who think it's ok to enable it. There's just no reason to. Use sudo and public keys.


…disable passwords

If you are really concerned about security, only allow public key access. This is how most of the bastion hosts I have experience with work, and I haven't seen many problems with it. Not to say it's perfect, but it's pretty good.
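The three settings above (a non-default port, no root logins, no password authentication) are all plain sshd_config directives. The script below is an added example, not code from the original post: it reads a config file with sshd's own rules (first occurrence of a keyword wins, keywords are case-insensitive, `#` starts a comment) and reports each of the three settings plus PubkeyAuthentication, which key-only access depends on. The sample config at the bottom is constructed; the directive names are the real OpenSSH ones.

```shell
#!/bin/sh
# Added example, not code from the original post: check an sshd_config for the
# settings recommended above. Usage: check_sshd_config /etc/ssh/sshd_config
# Prints one line per setting; the return value is the number of findings.
# Deliberately not handled: Match blocks and Include files. If you use those,
# run it against the effective configuration that "sshd -T" prints instead.

# Effective value of a directive. sshd uses the first occurrence of a keyword,
# keywords are case-insensitive, and anything after '#' is a comment.
sshd_directive() {
    # $1 = config file, $2 = directive name in lowercase
    awk -v key="$2" '
        { sub(/#.*/, "") }
        NF >= 2 && tolower($1) == key { print $2; exit }
    ' "$1"
}

check_sshd_config() {
    cfg="$1"
    findings=0

    port=$(sshd_directive "$cfg" port)
    if [ -z "$port" ] || [ "$port" = "22" ]; then
        echo "FAIL Port: listening on 22 (move it to a high port to lose the scanner noise)"
        findings=$((findings + 1))
    else
        echo "OK   Port: $port"
    fi

    root=$(sshd_directive "$cfg" permitrootlogin)
    case "$root" in
        no) echo "OK   PermitRootLogin: no" ;;
        *)  echo "FAIL PermitRootLogin: '${root:-unset}' (set it to no; use sudo and keys)"
            findings=$((findings + 1)) ;;
    esac

    pw=$(sshd_directive "$cfg" passwordauthentication)
    case "$pw" in
        no) echo "OK   PasswordAuthentication: no" ;;
        *)  echo "FAIL PasswordAuthentication: '${pw:-unset}' (sshd defaults to yes; set it to no)"
            findings=$((findings + 1)) ;;
    esac

    pubkey=$(sshd_directive "$cfg" pubkeyauthentication)
    case "$pubkey" in
        no) echo "FAIL PubkeyAuthentication: no (key-only access needs it on)"
            findings=$((findings + 1)) ;;
        *)  echo "OK   PubkeyAuthentication: ${pubkey:-yes (default)}" ;;
    esac

    return "$findings"
}

# Constructed sample config: the advice above only half applied. The commented
# PasswordAuthentication line is the classic mistake, it leaves the default (yes).
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
Port 22
PermitRootLogin no
#PasswordAuthentication no
PubkeyAuthentication yes
EOF
check_sshd_config "$SAMPLE_CFG" || echo "$? setting(s) to fix"
```

Run it as part of a config-management check or a cron job: a non-zero return means the host drifted from the policy. The commented-out `PasswordAuthentication` line in the sample is worth noticing, since a `#` in front of the right directive is how many hosts end up accepting passwords without anyone intending it.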


…audit access

I mean two things by this. First, audit who has access by reviewing your logins and key files: every account that can log in, and every key in its authorized_keys. Second, audit who is actually accessing your bastion host, and who is trying and failing.
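Both halves of that audit can be scripted from what sshd already writes. The script below is an added example, not code from the original post: it reads syslog-style sshd lines (constructed samples are embedded; on a real host use /var/log/auth.log or /var/log/secure), lists successful logins with their method and source, flags any password login (which should not exist once passwords are disabled), ranks failed attempts by source address, lists the invalid usernames that scanners tried, and inventories the authorized_keys files under a home directory root. The key inventory assumes authorized_keys lines without a leading options field.

```shell
#!/bin/sh
# Added example, not code from the original post: audit a bastion host's ssh
# activity from its auth log and inventory the keys that grant access.
# The log lines below are constructed samples in the standard sshd log format;
# addresses are from the documentation ranges, fingerprints are placeholders.

SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Jan  8 10:01:12 bastion sshd[2311]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2: RSA SHA256:EXAMPLEFP1
Jan  8 10:02:40 bastion sshd[2340]: Failed password for root from 203.0.113.7 port 40122 ssh2
Jan  8 10:02:43 bastion sshd[2340]: Failed password for root from 203.0.113.7 port 40122 ssh2
Jan  8 10:02:45 bastion sshd[2351]: Invalid user admin from 203.0.113.7 port 40130
Jan  8 10:02:45 bastion sshd[2351]: Failed password for invalid user admin from 203.0.113.7 port 40130 ssh2
Jan  8 10:05:01 bastion sshd[2377]: Accepted publickey for bob from 192.0.2.11 port 51300 ssh2: ED25519 SHA256:EXAMPLEFP2
Jan  8 10:07:30 bastion sshd[2402]: Accepted password for carol from 192.0.2.12 port 51400 ssh2
Jan  8 10:09:02 bastion sshd[2415]: Failed password for ubuntu from 198.51.100.5 port 33000 ssh2
EOF

# Who got in, how, and from where: one "user method source" line per login.
ssh_accepted_logins() {
    awk '/sshd\[[0-9]+\]: Accepted / {
        for (i = 1; i <= NF; i++) {
            if ($i == "Accepted") method = $(i + 1)
            if ($i == "for")      user   = $(i + 1)
            if ($i == "from")     ip     = $(i + 1)
        }
        print user, method, ip
    }' "$1"
}

# Failed password attempts per source address, busiest first.
ssh_failed_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
        for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
    }
    END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# Usernames that do not exist on the host: pure scanner noise, but worth
# seeing because a real account name in this list means a targeted guess.
ssh_invalid_users() {
    awk '/sshd\[[0-9]+\]: Invalid user / {
        for (i = 1; i <= NF; i++) if ($i == "user") { print $(i + 1); break }
    }' "$1" | sort -u
}

# Inventory of authorized_keys under a home root: "owner keytype comment".
# Every line is someone who can log in without a password; review each one.
# Assumes lines without a leading options field (key type is the first word).
list_authorized_keys() {
    for f in "$1"/*/.ssh/authorized_keys; do
        [ -f "$f" ] || continue
        owner=$(basename "$(dirname "$(dirname "$f")")")
        awk -v owner="$owner" '
            /^[[:space:]]*(#|$)/ { next }
            { c = ""; for (i = 3; i <= NF; i++) c = (i == 3) ? $i : c " " $i
              print owner, $1, (c == "" ? "(no comment)" : c) }
        ' "$f"
    done
}

ssh_audit() {
    echo "== successful logins (user method source) =="
    ssh_accepted_logins "$1"
    echo "== password logins (should be empty once PasswordAuthentication is off) =="
    ssh_accepted_logins "$1" | awk '$2 == "password"'
    echo "== failed password attempts by source =="
    ssh_failed_by_source "$1"
    echo "== invalid usernames tried =="
    ssh_invalid_users "$1"
}

ssh_audit "$SAMPLE_LOG"
```

Run against the sample, the password-login section shows carol, which is exactly the kind of line that tells you a host is not actually key-only. On a real bastion, run `list_authorized_keys /home` (and check root's own authorized_keys separately) on a schedule and diff the output against the last run; a key that appears without a matching change ticket is the finding.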


…keep it updated

Every once in a while a critical patch comes along for ssh. Apply it when it does. Quickly. It’s that simple.



Source: http://www.opsbs.com/index.php/2011/12/if-you-expose-ssh-publicly/
Published at DZone with permission of Aaron Nichols, author and DZone MVB.

(Note: Opinions expressed in this article and its replies are the opinions of their respective authors and not those of DZone, Inc.)

Comments

Luca Botti replied on Mon, 2012/01/09 - 6:54am

What about using DenyHosts to deny access to IPs after a couple of password trials? Simple and effective.


For the paranoid, port knocking is a must.


Regards

Sandeep Bhandari replied on Fri, 2012/01/13 - 8:31am

As you mentioned, it's important to allow public-private authentication keys. Some Java SSH Libraries
