[PLUG] SSH Hardening : Request for Best Practices

Louis K on 26 Jul 2017 06:08:23 -0700

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[PLUG] SSH Hardening : Request for Best Practices

From: Louis K <louis.kratz@gmail.com>
To: "Philadelphia Linux User's Group Discussion List" <plug@lists.phillylinux.org>
Subject: [PLUG] SSH Hardening : Request for Best Practices
Date: Wed, 26 Jul 2017 09:07:56 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=xPEv7Em3NPR9yQ1gap1lHL9OtCOX2fWBylSYmUdcL+s=; b=lSVZAu4vDSsbd2l1xzJb+f57N1Dl/8S5nsqlgaSGJhgubZjuUumo0zHHomxXyYJHao k0+6n4wSV+3smZ6LF+sG02+ECX0ybKRqiFezIUADzL7xyw36BYVqDPQqnTVk+APTSzxj ykEHHsMT5eRnf4ZjfIwzZ2iJil27kdNO1rf+MGGCHi5aW/izfXMFgE1qhzispeyN788u Rjt2BEL1911PI3qx1by5u/QlC6Hkv67YsAYCyApnf5NlFvP8isorzd35InWKhaufHzl9 s2o13H3toFT8M08D2u9r5LBhLgQ0O4D0SFGHGzjiZIbpqHhIzs3kVxBuqYuctjx4K6wT 6Prg==
Reply-to: Philadelphia Linux User's Group Discussion List <plug@lists.phillylinux.org>
Sender: "plug" <plug-bounces@lists.phillylinux.org>

I'm in the process of hardening an ssh server on my home network I plan on exposing so I can access it remotely. I've configured a number of typical hardening approaches (non standard port, disable root login, require keys, limit to single user).

I'd love to hear people's general recommendations for best practices, and have two specific questions:
* I'm considering adding two factor auth in addition to the ssh keys. Is this overkill? I think in that case the 2-factor-auth really only protects me against someone getting my key (i.e., stealing my laptop and sshing in), which I _think_ is unlikely.

* I'm going to configure sshgaurd, but but haven't decided on which firewall to use yet. I'm not super passionate about firewalls so simplicity is key. What are your opinions on pf vs ipfw vs iptables?

Thanks in advance!

Lou

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug

Follow-Ups:
- Re: [PLUG] SSH Hardening : Request for Best Practices
  - From: Rich Freeman <r-plug@thefreemanclan.net>
- Re: [PLUG] SSH Hardening : Request for Best Practices
  - From: Robert <mlists@zoominternet.net>
- Re: [PLUG] SSH Hardening : Request for Best Practices
  - From: Rich Kulawiec <rsk@gsp.org>
- Re: [PLUG] SSH Hardening : Request for Best Practices
  - From: brent timothy saner <brent.saner@gmail.com>
- Re: [PLUG] SSH Hardening : Request for Best Practices
  - From: "Lee H. Marzke" <lee@marzke.net>
- Re: [PLUG] SSH Hardening : Request for Best Practices
  - From: Fred Stluka <fred@bristle.com>

Prev by Date: [PLUG] video link: LeRoy Cressy's talk "Creating a UEFI Bootable Flash Drive" presented 2017-07-05 @ PLUG Central
Next by Date: Re: [PLUG] SSH Hardening : Request for Best Practices
Previous by thread: [PLUG] video link: LeRoy Cressy's talk "Creating a UEFI Bootable Flash Drive" presented 2017-07-05 @ PLUG Central
Next by thread: Re: [PLUG] SSH Hardening : Request for Best Practices
Index(es):
- Date
- Thread