Home / server / Questions / 529681
Accepted
NinjaCat
Asked: 2013-08-09 11:30:47 +0800 CST

Securing SSH for cross site access

  • 772

We have 2 servers, one each located at different geographical locations where we are considering using an rsync script to keep certain folders in sync. Our setup disables root login and password logins and relies on keyfiles.

We run SSH on port 22X (just to minimize the login attempts, not as a way of security through obscurity).

If we setup port forwarding so that port XYZ forwards to 22X, and have disabled password logins, what other measures should we take to prevent any malicious activity occurring because of the open port?

My thinking is that as long as we keep our keys secure, then there should not be an issue. have I missed something?

ssh

1 Answers

  1. Best Answer

    Regarding exclusively the security on the sshd service, these are some extra measures you could implement, in no particular order:

    1. If this sshd daemon is expected to be used only between this two peers, an iptables rule restricting access to port 22X based on source IP address.
    2. A tcpwappers ACL.
    3. fail2ban can add rules dynamically to both iptables and /etc/hosts.allow to mitigate brute-force attacks.
    4. Configure port-knocking. fwknop is available in some distributions.
    5. Depending on the version and the distribution of openssh you use, you can setup two-factor authentication, using kerberos for example.
    6. Do you already use a mandatory access control KSM (SELinux, apparmor, ...)?
    7. Renew your keys regularly.
    8. Take a look at the monkeysphere project. They provide a nifty way to add GPG validation to authorized keys.
    • 1