Securing SSH

Bevan C. Bennett bevan at fulcrummicro.com
Sat Jan 10 01:08:16 UTC 2004


Roland Venter wrote:
> I need to manage several servers remotely via SSH, I'm interested in ways to
> secure the connection and prevent unauthorised access.

That's sort of what ssh already does. Most people just configure their 
servers' iptables to allow only ssh and whatever services the server 
actually provides and that's that.

> My thoughts:
> Limit access to only allow remote connections from our management network
> via iptables rules. Works but what if our ISP changes our fixed IP, which
> means we are effectively locked out from all the servers and requires a site
> visit to update the rules.

Limiting the source of ssh connections helps protect against only two 
things, as I see it:
1) Attacker logging in directly with a stolen root password
2) An exploit in sshd itself

These generally aren't very high on the threat scale (although there was 
a potentially exploitable sshd bug discovered last year, I don't know of 
anyone who actually got broken into).

Then again, how likely is having your IP address moved without enough 
warning to get your servers updated? If it's a serious concern you may 
want to seriously consider a different ISP.

> We also need to provide access to engineers working from home using dialup,
> etc

What are these servers going to be doing exactly? Do these engineers 
need to log on to the server directly with ssh, or do they just need to 
access the other services?

If you do limit connections to being from your management network, can 
users remotely log into a system on that network? If they can ssh there, 
then restricting the source for your servers adds even less security, 
and if they can access those systems with an insecure protocol (like 
telnet or rlogin), then you lose even more of the benefits of ssh.

> Some sort of client certificates to supplement username and password,

Mostly ssh allows certificates to be used in place of a password. These 
are generally more secure as they tend to be more difficult to steal.

> Any ideas and tips appreciated

Most of our suggestions will depend more on how you plan on using the 
servers. Two tricks I use are:
* adding

    account    required     pam_access.so

to /etc/pam.d/sshd and

    -:ALL EXCEPT wheel itgroup:ALL

to /etc/security/access.conf prevents any user who is not in the 'wheel' 
or 'itgroup' groups from logging on through ssh, even if they provide a 
valid password.

* You can do something similar by putting

    AllowGroups wheel itgroup

in /etc/ssh/sshd_config.

Also, for a server that does not have local user accounts, you can place 
the public keys of your administrators into /root/.ssh/authorized_keys, 
which will allow them to log onto the server as root without knowing the 
root password.
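The two group-restriction tricks above (the pam_access rule in /etc/security/access.conf and the AllowGroups line in /etc/ssh/sshd_config) are easy to get subtly wrong, and a mistake locks you out. The following is an added example, not code from the original post: a small Python model of how both mechanisms decide whether a login is permitted, so you can dry-run a proposed rule against your user list before deploying it. It assumes simplified semantics (first matching access.conf rule wins, an unmatched user is permitted, names in the second field are compared against the user name and then the user's group names, AllowGroups permits a user who is in any listed group by exact name); it does not model hostname/tty origins beyond ALL, wildcards, or the newer `(group)` syntax. The users and groups are constructed sample data.

```python
"""Dry-run pam_access rules and an sshd AllowGroups line against sample users.

Added example (not from the original mailing-list post). Simplified model:
- access.conf: first matching rule decides; no match means permit.
- field 2 tokens match the user name or one of the user's group names.
- AllowGroups: if present, the user must be in at least one listed group.
Origins other than ALL, wildcards and the "(group)" syntax are not modelled.
"""

# The exact configuration fragments from the post.
ACCESS_CONF = """
# permission : users/groups : origins
-:ALL EXCEPT wheel itgroup:ALL
"""

SSHD_CONFIG = """
# other directives omitted
AllowGroups wheel itgroup
"""

# Constructed sample users -> set of group names they belong to.
SAMPLE_USERS = {
    "alice": {"wheel", "users"},   # admin, should get in
    "carol": {"itgroup"},          # IT staff, should get in
    "bob":   {"users"},            # ordinary account, should be refused
}


def _split_field(field):
    """Split a users/origins field into (names, except_names), handling 'ALL EXCEPT a b'."""
    tokens = field.split()
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return tokens[:i], tokens[i + 1:]
    return tokens, []


def parse_access_conf(text):
    """Return rules as (allow, names, except_names, origins, except_origins) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        perm, users, origins = [f.strip() for f in line.split(":", 2)]
        names, except_names = _split_field(users)
        origs, except_origs = _split_field(origins)
        rules.append((perm == "+", names, except_names, origs, except_origs))
    return rules


def _matches_user(tokens, user, groups):
    """True if any token is ALL, the user name, or one of the user's groups."""
    return any(t == "ALL" or t == user or t in groups for t in tokens)


def _matches_origin(tokens, origin):
    return any(t == "ALL" or t == origin for t in tokens)


def access_conf_permits(rules, user, groups, origin="ALL"):
    """Apply rules in order; the first rule matching user and origin decides."""
    for allow, names, except_names, origs, except_origs in rules:
        user_hit = _matches_user(names, user, groups) and not _matches_user(except_names, user, groups)
        origin_hit = _matches_origin(origs, origin) and not _matches_origin(except_origs, origin)
        if user_hit and origin_hit:
            return allow
    return True  # pam_access permits when nothing matches


def allow_groups_permits(sshd_config, groups):
    """Emulate sshd AllowGroups: when set, membership in any listed group is required."""
    for raw in sshd_config.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0].lower() == "allowgroups":
            return any(g in groups for g in parts[1:])
    return True  # directive absent: no group restriction


def check_user(user, groups):
    """Return (pam_access_ok, allow_groups_ok) for one user under both fragments."""
    rules = parse_access_conf(ACCESS_CONF)
    return access_conf_permits(rules, user, groups), allow_groups_permits(SSHD_CONFIG, groups)


if __name__ == "__main__":
    for name, grps in SAMPLE_USERS.items():
        pam_ok, sshd_ok = check_user(name, grps)
        print(f"{name:6s} pam_access={'allow' if pam_ok else 'deny'}  AllowGroups={'allow' if sshd_ok else 'deny'}")
```

Before enabling either restriction on a real box, run this with your own account's groups (`id -Gn`) to confirm you are in an allowed group, and keep an existing session open while you test a fresh login.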
