K.S. Bhaskar on 26 Jul 2017 09:05:28 -0700



Re: [PLUG] SSH Hardening : Request for Best Practices


Since it is pretty straightforward to set up ssh with 2FA with Google Authenticator (https://www.howtogeek.com/121650/how-to-secure-ssh-with-google-authenticators-two-factor-authentication) or Authy (https://github.com/authy/authy-ssh), why would one not use the additional security 2FA provides? It's not as if you're likely to be connecting and disconnecting every couple of minutes…

Regards
-- Bhaskar
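As an added example (not code from anyone in the thread), a small POSIX sh audit that checks an sshd_config for the hardening items Louis lists further down (non-standard port, no root login, keys only, single user) plus the AuthenticationMethods chain that PAM-based 2FA such as google-authenticator or authy-ssh relies on; the sample configs and the user name are constructed.

```shell
#!/bin/sh
# Audit an sshd_config against the hardening items from the thread: non-standard
# port, no root login, key-only auth, a single allowed user, and the
# AuthenticationMethods chain that PAM-based 2FA (google-authenticator,
# authy-ssh) relies on. The sample configs below are constructed for illustration.

# Effective value of a keyword: first non-comment match wins, as in sshd itself.
sshd_get() {
    awk -v key="$2" 'NF >= 2 && $1 !~ /^#/ && tolower($1) == tolower(key) {
        $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}
fail() { echo "FAIL: $1"; fails=$((fails + 1)); }

# Prints one line per failed check; the exit status is the number of failures.
audit_sshd_config() {
    cfg=$1; fails=0
    port=$(sshd_get "$cfg" Port)
    [ -n "$port" ] && [ "$port" != 22 ] || fail "Port is 22 or unset"
    [ "$(sshd_get "$cfg" PermitRootLogin)" = no ] || fail "PermitRootLogin is not no"
    [ "$(sshd_get "$cfg" PasswordAuthentication)" = no ] || fail "PasswordAuthentication is not no"
    [ "$(sshd_get "$cfg" PubkeyAuthentication)" != no ] || fail "PubkeyAuthentication disabled"
    set -- $(sshd_get "$cfg" AllowUsers)   # word-split into one positional param per user
    [ $# -eq 1 ] || fail "AllowUsers should list exactly one user (found $#)"
    # 2FA: every alternative in AuthenticationMethods must chain publickey with
    # keyboard-interactive (the PAM prompt), and that method must be enabled.
    am=$(sshd_get "$cfg" AuthenticationMethods)
    [ -n "$am" ] || fail "AuthenticationMethods unset: no key+2FA chain"
    for alt in $am; do
        case "$alt" in
            *publickey*keyboard-interactive*|*keyboard-interactive*publickey*) ;;
            *) fail "AuthenticationMethods alternative '$alt' lacks key+2FA" ;;
        esac
    done
    [ "$(sshd_get "$cfg" ChallengeResponseAuthentication)" = yes ] \
        || [ "$(sshd_get "$cfg" KbdInteractiveAuthentication)" = yes ] \
        || fail "keyboard-interactive (PAM) authentication not enabled"
    return "$fails"
}

# Constructed samples: one following the thread's advice, one left near defaults.
HARDENED_CFG=$(mktemp); WEAK_CFG=$(mktemp)
trap 'rm -f "$HARDENED_CFG" "$WEAK_CFG"' EXIT
printf '%s\n' 'Port 2222' 'PermitRootLogin no' 'PasswordAuthentication no' \
    'PubkeyAuthentication yes' 'ChallengeResponseAuthentication yes' 'UsePAM yes' \
    'AllowUsers louis' 'AuthenticationMethods publickey,keyboard-interactive' > "$HARDENED_CFG"
printf '%s\n' '# Port left at the default of 22' 'PermitRootLogin yes' \
    'PasswordAuthentication yes' > "$WEAK_CFG"
audit_sshd_config "$HARDENED_CFG" && echo "hardened sample: OK"
audit_sshd_config "$WEAK_CFG" || echo "weak sample: $? failing checks"
```

The PAM side (the `auth required pam_google_authenticator.so` line in `/etc/pam.d/sshd`) is not visible from sshd_config, so this check only confirms that sshd will demand the interactive second factor after the key.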

On Wed, Jul 26, 2017 at 11:38 AM, Joe Rosato <rosatoj@gmail.com> wrote:
Small thought, but one that I use... do you have a node on the internet somewhere? I do, and I only allow that IP address via my router (of course the internet box is locked down, but you need to do that when out in the wild anyway!).

You can either ssh into your internet node and then hop over, or you can let ssh do it for you with something like this in your .ssh/config on the box you are using to gain access, say your laptop.

Host your_box_at_home
    HostName {IP of box at home}
    User {login_username at home}
    ProxyCommand ssh -A login_username@your_internet_box -p 22 -W %h:%p

then

laptop$  ssh your_box_at_home


Joe

PS: Incidentally, my internet box does not have as much security as you are proposing! ;-)




On Wed, Jul 26, 2017 at 11:03 AM Keith C. Perry <kperry@daotechnologies.com> wrote:
Louis, also keep in mind that your security mechanisms should be multilayered.  Do not rely on one level or layer of security.  The idea is to build up a thick fence of protections that work together to protect you but also to help you "fight" attackers when they get through.

Yes, I said **when** because you should also bias your mind to assume that someone will get through, so you need to think about your data protection protocols in parallel with any security protocols.

That said, for me, generally, in addition to any SSH-fu there are iptables rules that automatically deal with ingress levels that are too high (I did a lightning talk on this last year), and for the most secure systems a VPN is still needed before you can SSH.

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Keith C. Perry, MS E.E.
Managing Member, DAO Technologies LLC
(O) +1.215.525.4165 x2033
(M) +1.215.432.5167
www.daotechnologies.com

----- Original Message -----
From: "Rich Freeman" <r-plug@thefreemanclan.net>
To: "Philadelphia Linux User's Group Discussion List" <plug@lists.phillylinux.org>
Sent: Wednesday, July 26, 2017 10:33:26 AM
Subject: Re: [PLUG] SSH Hardening : Request for Best Practices

On Wed, Jul 26, 2017 at 10:21 AM, Robert <mlists@zoominternet.net> wrote:
> On 07/26/2017 09:07 AM, Louis K wrote:
>> I'm in the process of hardening an ssh server on my home network I
>> plan on exposing so I can access it remotely. I've configured a number
>> of typical hardening approaches (non standard port, disable root
>> login, require keys, limit to single user).
>>
>> I'd love to hear people's general recommendations for best practices,
>> and have two specific questions:
>> *  I'm considering adding two factor auth in addition to the ssh keys.
>> Is this overkill? I think in that case the 2-factor-auth really only
>> protects me against someone getting my key (i.e., stealing my laptop
>> and sshing in), which I _think_ is unlikely.
>
> Add a passphrase to your keys then you don't have to worry about someone
> getting a hold of it and using it.
>

This only protects the key at rest.  If a process can spy on keyboard
input or your ssh client memory or your ssh agent memory then it would
be able to obtain your passphrase as well as your key.

It would protect against laptop theft (if it was powered off).

Again, it is up to you to decide how important this threat model is.
2FA still does provide protections over an ssh passphrase.  There is
always a compromise between usability/complexity and security.

--
Rich
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
--
Joe


