PDA

View Full Version : SLES 12 SP3 How to secure ssh accessible from the internet



berndgsflinux
29-Nov-2018, 16:32
Hi,

for a scientific project we need to open the ssh port to the internet for some collaborators. Their ip's are not always the same, so we can't restrict the access depending from the source ip.
My idea to secure it is to always install the latest updates, forbid root login and run ssh on a non-standard port.
Do you have further ideas ? chroot ?

Thanks.

Bernd

ab
29-Nov-2018, 22:00
On 11/29/2018 08:34 AM, berndgsflinux wrote:
>
> for a scientific project we need to open the ssh port to the internet
> for some collaborators. Their ip's are not always the same, so we can't
> restrict the access depending from the source ip.
> My idea to secure it is to always install the latest updates, forbid
> root login and run ssh on a non-standard port.
> Do you have further ideas ? chroot ?

That is what I would do. if your users are able to do
slightly-more-complex things (not really hard at all, just not as
intuitive as passwords) you can deny password-based authentication
entirely and have them authenticate with keys. It's actually much nicer,
as they'll never be prompted to type in a password again, and it's much
more secure than their passwords.

Other options in the realm closer to "security by obscurity" is you could
implement port knocking so, by default, the SSH port is not available at
all, but once somebody "knocks" their one IP will be open.

Also, you could/should implement fail2ban so if somebody at a particular
IP tries brute forcing their way past a password prompt, they are
fairly-quickly shutdown. Note that this can implement legitimate users
with bad typing techniques, thus another reason to use keys for
authentication.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.

KBOYLE
29-Nov-2018, 23:00
berndgsflinux wrote:

> My idea to secure it is to always install the latest updates, forbid
> root login and run ssh on a non-standard port.

As ab suggested, your best option is key authentication.
https://www.suse.com/documentation/sles-12/book_security/data/sec_ssh_authentic.html

If you disable all logins, then using keys is the only way to
authenticate. That should provide all the security you need however
that doesn't stop the many attempted logins that are inevitable on port
22.

Use your firewall to:
- Block port 22
- Choose an obscure high port and port forward to port 22.

This way you won't even need to change your default ssh port and it is
unlikely you will find many, if any, attempted logins.

--
Kevin Boyle - Knowledge Partner
If you find this post helpful and are logged into the web interface,
please show your appreciation and click on the star below this post.
Thank you.

jmozdzen
03-Dec-2018, 22:43
Hi Bernd,

on top of the valuable responses so far, I'd recommend to set this up as an additional sshd, with its own configuration, that will only permit those well-known users by name (see "AllowUsers" option for sshd_config). Restrict the "standard" sshd to internal interfaces (option "ListenInterface") and the extra sshd to the Internet interface.

Or to make things more secure - could you set up a "jump host", completely separate from your application host and reachable via ssh from the Internet, that will only allow an outgoing ssh connection after a second-factor authentication?

How hard do you need to make things, how valuable is your content?

Regards,
J

AndreasMeyer
14-Dec-2018, 22:36
Restrict network access to the ssh server with a VPN tunnel solution (StrongSwan or OpenVPN). For secure SSH see:
https://infosec.mozilla.org/guidelines/openssh