Keith C. Perry on 26 Jul 2017 08:03:25 -0700


Re: [PLUG] SSH Hardening : Request for Best Practices

Louis, also keep in mind that your security mechanisms should be multilayered.  Do not rely on one level or layer of security.  The idea is to build up a thick fence of protections that work together to protect you but also to help you "fight" attackers when they get through.

Yes, I said **when** because you should also bias your mind to assume that someone will get through, so you need to think about your data protection protocols in parallel with any security protocols.

That said, for me, generally, in addition to any SSH-fu there are iptables rules that automatically deal with ingress levels that are too high (I did a lightning talk on this last year), and for the most secure systems a VPN is still needed before you can SSH.

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ 
Keith C. Perry, MS E.E. 
Managing Member, DAO Technologies LLC 
(O) +1.215.525.4165 x2033 
(M) +1.215.432.5167
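As an added illustration of the two layers mentioned above (not the rules from Keith's talk, and not part of the original thread), the script below generates iptables rules that drop a source address after too many new SSH connections in a short window, and an alternative rule set that only accepts SSH arriving over a VPN interface. The port 22, the interface name wg0, the four-per-minute threshold and IPv4-only scope are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example (not from the PLUG thread): rate-limit new SSH connections
# with the iptables "recent" match, or restrict SSH to a VPN interface.
# Assumptions (not stated in the thread): SSH on port 22, a WireGuard
# interface named wg0, IPv4 only. Adjust to match the host.

# Print the rules instead of applying them, so they can be reviewed first.
# Usage: ssh_rules PORT [VPN_IFACE] [MAX_NEW] [WINDOW_SECONDS]
ssh_rules() {
    port=${1:?port required}
    vpn_if=$2
    max_new=${3:-4}
    window=${4:-60}

    # Always accept established sessions first, so a rate-limit rule cannot
    # cut off an administrator who is already logged in.
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"

    if [ -n "$vpn_if" ]; then
        # "Most secure" variant from the thread: SSH reachable only via the VPN.
        echo "iptables -A INPUT -i $vpn_if -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
        echo "iptables -A INPUT -p tcp --dport $port -j DROP"
        return 0
    fi

    # Record every source that opens a NEW connection to the SSH port, then
    # drop a source once it has reached max_new new connections within
    # window seconds (the counter includes the current packet).
    echo "iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -m recent --name SSH --set"
    echo "iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -m recent --name SSH --update --seconds $window --hitcount $max_new -j DROP"
    echo "iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
}

# Execute the generated rules; needs root and a kernel with the recent match.
apply_rules() {
    ssh_rules "$@" | while IFS= read -r rule; do
        sh -c "$rule"
    done
}

# "sh ssh_rules.sh" prints the rules; "sh ssh_rules.sh apply 22 wg0" applies them.
if [ "${1:-}" = "apply" ]; then
    shift
    apply_rules "$@"
else
    ssh_rules "${1:-22}" "${2:-}"
fi
```

Review the printed rules before applying them, and make sure an ESTABLISHED rule precedes the DROP so an existing session is never the one that gets cut.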

----- Original Message -----
From: "Rich Freeman" <>
To: "Philadelphia Linux User's Group Discussion List" <>
Sent: Wednesday, July 26, 2017 10:33:26 AM
Subject: Re: [PLUG] SSH Hardening : Request for Best Practices

On Wed, Jul 26, 2017 at 10:21 AM, Robert <> wrote:
> On 07/26/2017 09:07 AM, Louis K wrote:
>> I'm in the process of hardening an ssh server on my home network I
>> plan on exposing so I can access it remotely. I've configured a number
>> of typical hardening approaches (non standard port, disable root
>> login, require keys, limit to single user).
>> I'd love to hear people's general recommendations for best practices,
>> and have two specific questions:
>> *  I'm considering adding two factor auth in addition to the ssh keys.
>> Is this overkill? I think in that case the 2-factor-auth really only
>> protects me against someone getting my key (i.e., stealing my laptop
>> and sshing in), which I _think_ is unlikely.
> Add a passphrase to your keys then you don't have to worry about someone
> getting a hold of it and using it.

This only protects the key at rest.  If a process can spy on keyboard
input or your ssh client memory or your ssh agent memory then it would
be able to obtain your passphrase as well as your key.

It would protect against laptop theft (if it was powered off).

Again, it is up to you to decide how important this threat model is.
2FA still does provide protections over an ssh passphrase.  There is
always a compromise between usability/complexity and security.

Philadelphia Linux Users Group         --
Announcements -
General Discussion  --