What measures can/should I take to make sure that security around my SSH server is absolutely impermeable?
This will be community wiki from the start, so lets see what people do to secure their servers.
Securityssh
What measures can/should I take to make sure that security around my SSH server is absolutely impermeable?
This will be community wiki from the start, so lets see what people do to secure their servers.
Best Answer
Use public/private key pairs for authentication instead of passwords.
Generate a passphrase-protected SSH key for every computer that needs to access the server:
ssh-keygen
Permit public-key SSH access from the allowed computers:
Copy the contents of
~/.ssh/id_rsa.pub
from each computer into individual lines of~/.ssh/authorized_keys
on the server, or runssh-copy-id [server IP address]
on every computer to which you are granting access (you'll have to enter the server password at the prompt).Disable password SSH access:
Open
/etc/ssh/sshd_config
, find the line that says#PasswordAuthentication yes
, and change it toPasswordAuthentication no
. Restart the SSH server daemon to apply the change (sudo service ssh restart
).Now, the only possible way to SSH into the server is to use a key that matches a line in
~/.ssh/authorized_keys
. Using this method, I don't care about brute force attacks because even if they guess my password, it will be rejected. Brute-forcing a public/private key pair is impossible with today's technology.