Given the recent attack on the SSH port, I'm trying my best to keep my servers at bay. Of course, changing the default port would be the number 1 rule to go with, but that is not feasible.
We've got denyhosts, will set up some iptables rules, maybe fail2ban. Apart from that, and considering that the fewer possible ways you have to get in, the safer you are, my SSHD has set up:
ssh -v example.com
debug1: Authentications that can continue: publickey,password,keyboard-interactive
I started wondering: what should I keep? keyboard-interactive (KI) or password?
Public key is needed. Both KI and password seem to do the same thing, but KI, according to the docs, would do it better. Can anyone shed some light here, please?
Thank you in advance.
If everyone who needs ssh access to your server can use a public key, then yes, you can safely and arguably should disable password/keyboard-interactive logins.
If it is not a public/multiuser system, severely limit access via the firewall. Default to DROP and only allow specific IPs or subnets access to the system. If you must stay public, fail2ban is the right idea.
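The following POSIX shell script is an added example, not part of the original question or of either answer, showing how to verify that an sshd_config actually leaves only public-key authentication on. The two config fragments (WEAK_CONF and HARDENED_CONF) are constructed samples, and the helper names conf_get, password_logins_disabled and report are the example's own; the keywords PasswordAuthentication, ChallengeResponseAuthentication, KbdInteractiveAuthentication and PubkeyAuthentication are real sshd_config options. The check mirrors sshd's rule that the first occurrence of a keyword wins, which is the usual reason a "no" appended at the bottom of the file has no effect.

```shell
#!/bin/sh
# Added example (not from the original thread): check whether an sshd_config
# leaves only public-key authentication enabled.
#
# Two constructed sshd_config fragments, not taken from any real host.
WEAK_CONF='# sample: ships with password logins still on
PubkeyAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes'

HARDENED_CONF='# sample: key-only logins
PubkeyAuthentication yes
PasswordAuthentication no
# older sshd spells the keyboard-interactive switch ChallengeResponseAuthentication,
# newer releases KbdInteractiveAuthentication; set both to be safe
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
UsePAM yes
PermitRootLogin prohibit-password'

# conf_get CONFIG_TEXT KEYWORD
# Prints the effective value of KEYWORD in lowercase, or nothing if unset.
# sshd uses the FIRST occurrence of a keyword, so a stray "PasswordAuthentication yes"
# near the top silently overrides a "no" added at the bottom; mirror that rule here.
# Keywords are case-insensitive and "key=value" is accepted alongside "key value".
conf_get() {
    printf '%s\n' "$1" | awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blank lines
        {
            gsub(/=/, " "); $0 = $0                      # normalise key=value to key value
            if (tolower($1) == key) { print tolower($2); exit }
        }'
}

# password_logins_disabled CONFIG_TEXT
# Returns 0 when password and keyboard-interactive logins are off and public-key
# logins are on; 1 otherwise. Unset keywords fall back to sshd's built-in defaults
# (all three methods enabled), which is exactly why a fresh install answers
# "publickey,password,keyboard-interactive" to ssh -v.
password_logins_disabled() {
    pw=$(conf_get "$1" PasswordAuthentication)
    ki=$(conf_get "$1" KbdInteractiveAuthentication)
    cr=$(conf_get "$1" ChallengeResponseAuthentication)
    pk=$(conf_get "$1" PubkeyAuthentication)
    [ "${pw:-yes}" = "no" ] || return 1
    # the two keyboard-interactive keywords are aliases; take whichever is set
    [ "${ki:-${cr:-yes}}" = "no" ] || return 1
    [ "${pk:-yes}" = "yes" ] || return 1
    return 0
}

# report LABEL CONFIG_TEXT: human-readable summary, never fails the script
report() {
    if password_logins_disabled "$2"; then
        echo "$1: OK, only public-key authentication is offered"
    else
        echo "$1: WARNING, password or keyboard-interactive logins are still enabled"
    fi
}

report "weak config" "$WEAK_CONF"
report "hardened config" "$HARDENED_CONF"
# To check the live file on a host: password_logins_disabled "$(cat /etc/ssh/sshd_config)"
```

After editing the real file, run `sshd -t` to syntax-check it before restarting the daemon, and keep an existing session open while you confirm from a second terminal that `ssh -v` now reports only `publickey` in "Authentications that can continue".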
msanford is spot on when it comes to the authentication recommendation. For the best security, you want the least access possible for meeting the requirements. If the access is not justified it should not be allowed.