Joe Rosato on 26 Jul 2017 12:06:59 -0700



Re: [PLUG] SSH Hardening : Request for Best Practices


I used to have the 2FA on my internet box. Seemed like a cool idea for better security but I got tired of entering the number every time. If I remember correctly (this is like when 2FA first came out) - I was at a loss about how to enable it for some things and disable it for others. A cron rsync of data still needed the code so I could not automate that.. so dropped it. I think I used it for like 2-3 months.

All in all I don't think it bought me better protection since my internet box is an unknown. Maybe if I was a bank node the extra security would help.

All considered we are a bit batty now about security. Simple scripts like the above are all you need. No one wants to admit out loud that break-ins like Target are more an issue of simple audits. Less mission impossible, more Mr Bean.

Also - the internet never solved the issue of digital identity which is being aggressively worked on now with all the supposed promises of the new blockchain tech. Having your identity information on 50 websites is madness when they can just have a link/hash to what they need. Too many access points to your info.

Joe

On Wed, Jul 26, 2017 at 1:25 PM brent timothy saner <brent.saner@gmail.com> wrote:
On 07/26/2017 09:07 AM, Louis K wrote:
> I'm in the process of hardening an ssh server on my home network I plan
> on exposing so I can access it remotely. I've configured a number of
> typical hardening approaches (non standard port, disable root login,
> require keys, limit to single user).
>
> I'd love to hear people's general recommendations for best practices,
> and have two specific questions:
> *  I'm considering adding two factor auth in addition to the ssh keys.
> Is this overkill? I think in that case the 2-factor-auth really only
> protects me against someone getting my key (i.e., stealing my laptop and
> sshing in), which I _think_ is unlikely.
> * I'm going to configure sshguard, but haven't decided on which
> firewall to use yet. I'm not super passionate about firewalls so
> simplicity is key. What are your opinions on pf vs ipfw vs iptables?
>
> Thanks in advance!
>
> Lou
>

conveniently, i mirror an article for just this purpose.

https://sysadministrivia.com/news/hardening-ssh-security

and you can find it in a python script (without the Tor stuff) here:
https://aif.square-r00t.net/cfgs/scripts/post/sshsecure.py

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
--
Joe
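
Added example, not part of the thread: OpenSSH's `AuthenticationMethods` can be set globally and overridden in a `Match User` block, which is one way to require key plus one-time code for interactive logins while a cron rsync account uses a key only. The Python sketch below resolves which methods a given user ends up with from a constructed config; the `backup` account name and the helper names are assumptions.

```python
import fnmatch

# Constructed sshd_config: key plus one-time code for everyone, key only for
# the hypothetical "backup" account that a cron rsync job logs in as.
SAMPLE_CONFIG = """\
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive

Match User backup
    AuthenticationMethods publickey
"""

def effective_auth_methods(config_text, user):
    """Return the AuthenticationMethods lists that apply to `user`.

    Simplified model (assumption): only `Match all` and `Match User` with
    plain or wildcard patterns are understood, no negation. A value from the
    first matching Match block wins, then the first global value, then
    sshd's default of "any".
    """
    global_value = match_value = None
    in_match = applies = False
    for raw in config_text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        keyword = parts[0].lower()
        args = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            in_match = True
            crit, _, patterns = args.partition(" ")
            applies = crit.lower() == "all" or (
                crit.lower() == "user" and any(
                    fnmatch.fnmatchcase(user, p) for p in patterns.strip().split(",")))
        elif keyword == "authenticationmethods":
            if in_match and applies and match_value is None:
                match_value = args
            elif not in_match and global_value is None:
                global_value = args
    return (match_value or global_value or "any").split()

def skips_second_factor(config_text, user, factor="keyboard-interactive"):
    """True if some accepted method list lets `user` in without `factor`."""
    return any(
        factor not in [m.split(":")[0] for m in methods.split(",")]
        for methods in effective_auth_methods(config_text, user))
```

On a real host, `sshd -T -C user=NAME` prints the effective settings sshd itself computes, including negated and multi-criteria matches that this sketch ignores.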