Louis K on 26 Jul 2017 06:08:23 -0700
[PLUG] SSH Hardening : Request for Best Practices
- From: Louis K <email@example.com>
- To: "Philadelphia Linux User's Group Discussion List" <firstname.lastname@example.org>
- Subject: [PLUG] SSH Hardening : Request for Best Practices
- Date: Wed, 26 Jul 2017 09:07:56 -0400
- Reply-to: Philadelphia Linux User's Group Discussion List <email@example.com>
- Sender: "plug" <firstname.lastname@example.org>
I'm in the process of hardening an ssh server on my home network that I plan on exposing so I can access it remotely. I've configured a number of typical hardening approaches (non-standard port, disable root login, require keys, limit to single user).
I'd love to hear people's general recommendations for best practices, and have two specific questions:
* I'm considering adding two-factor auth in addition to the ssh keys. Is this overkill? I think in that case the 2-factor-auth really only protects me against someone getting my key (i.e., stealing my laptop and sshing in), which I _think_ is unlikely.
* I'm going to configure sshguard, but haven't decided on which firewall to use yet. I'm not super passionate about firewalls so simplicity is key. What are your opinions on pf vs ipfw vs iptables?
Thanks in advance!
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug