And as the above article mentions, the PasswordAuthentication option in sshd_config can be turned off (set to no) to force the use of ssh keys; password authentication is then disabled entirely.
AllowUsers is another good sshd_config option. It takes a list of users who are permitted to connect via ssh; any user not in the list cannot log in by ssh at all. It's good for defeating ssh scans that try a few passwords against common account names (root, guest, etc.). Another trick that might help dodge ssh scans is to run ssh on a port other than 22. The Port option, or the ListenAddress sshd_config option in its host:port form, can be used to run ssh on some other (non-standard) port.
A nice trick for your ~/.ssh/authorized_keys file is to specify the source hosts from which a given key may be used. If you have the following in your authorized_keys file, then the key in question can only be used for connections from the hosts listed in the from list:

    from="this_host,that_host" ssh-dss ...key data... USER@HOST

(This is discussed in the 'AUTHORIZED_KEYS FILE FORMAT' section of the sshd man page.)
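To tie the sshd_config options above and the authorized_keys from= option together, here is an added example (not from the original post or from OpenSSH) that audits a constructed sshd_config for the three settings discussed and applies sshd's pattern-list rule for from= to a client's hostname and IP. The config text, key lines and host names are all constructed for illustration, and only the * and ? wildcard forms of from= are handled, not CIDR address lists.

```python
import fnmatch, re

# Constructed sample sshd_config (not taken from any real host).
SSHD_CONFIG = """\
Port 2222
PasswordAuthentication no
AllowUsers alice bob
"""
# Constructed authorized_keys lines; the key data is a placeholder, not a real key.
RESTRICTED_KEY = 'from="10.0.0.5,*.example.com,!evil.example.com" ssh-ed25519 AAAAC3PLACEHOLDER alice@laptop'
UNRESTRICTED_KEY = 'ssh-ed25519 AAAAC3PLACEHOLDER2 bob@desk'

def parse_sshd_config(text):
    """Map lowercased keyword -> value; like sshd, keep the first occurrence of a keyword."""
    cfg = {}
    for line in text.splitlines():
        parts = line.split('#', 1)[0].split(None, 1)
        if parts:
            cfg.setdefault(parts[0].lower(), parts[1].strip() if len(parts) > 1 else '')
    return cfg

def audit_sshd_config(text):
    """Return findings for the three sshd_config settings discussed above."""
    cfg = parse_sshd_config(text)
    findings = []
    if cfg.get('passwordauthentication', 'yes').lower() != 'no':  # sshd default is yes
        findings.append('PasswordAuthentication is not set to no')
    if 'allowusers' not in cfg:
        findings.append('AllowUsers is not set')
    if cfg.get('port', '22') == '22':  # a port given via ListenAddress host:port is not checked here
        findings.append('sshd listens on the default port 22')
    return findings

def from_patterns(authorized_keys_line):
    """Return the from= pattern list of an authorized_keys line, or None when unrestricted."""
    m = re.search(r'(?:^|,)from="([^"]*)"', authorized_keys_line)
    return m.group(1).split(',') if m else None

def host_allowed(patterns, client_host, client_ip):
    """sshd pattern-list rule: a matching negated (!) pattern denies; else a positive pattern must match host or IP."""
    if patterns is None:
        return True
    allowed = False
    for pat in patterns:
        negated = pat.startswith('!')
        pat = pat.lstrip('!')
        if fnmatch.fnmatchcase(client_host, pat) or fnmatch.fnmatchcase(client_ip, pat):
            if negated:
                return False
            allowed = True
    return allowed
```

Feeding a real sshd_config into audit_sshd_config() gives a quick check of the three points; running host_allowed() over each from= list shows which client hosts a key could actually be used from.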
Finally, the denyhosts project claims to be able to dynamically edit the tcpwrappers files (/etc/hosts.deny) when dictionary attacks are detected. It would probably be really useful for a server with lots of ssh users who need to log in from anywhere and everywhere.