On 11/29/2018 08:34 AM, berndgsflinux wrote:
> For a scientific project we need to open the ssh port to the internet
> for some collaborators. Their IPs are not always the same, so we can’t
> restrict the access depending on the source IP.
> My idea to secure it is to always install the latest updates, forbid
> root login and run ssh on a non-standard port.
> Do you have further ideas? chroot?

That is what I would do. If your users are able to do
slightly-more-complex things (not really hard at all, just not as
intuitive as passwords) you can deny password-based authentication
entirely and have them authenticate with keys. It’s actually much nicer,
as they’ll never be prompted to type in a password again, and it’s much
more secure than their passwords.

Another option, in the realm closer to “security by obscurity”, is that you could
implement port knocking so, by default, the SSH port is not available at
all, but once somebody “knocks” their one IP will be open.

Also, you could/should implement fail2ban so if somebody at a particular
IP tries brute forcing their way past a password prompt, they are
fairly quickly shut down. Note that this can impact legitimate users
with bad typing techniques, thus another reason to use keys for
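
An added example, not part of the original post: a Python check of `sshd_config` text against the steps suggested in this thread (root login forbidden, password authentication off, non-default port). The function name and sample file are constructed for illustration; it assumes upstream OpenSSH defaults and does not follow `Include` files.

```python
import re

# keyword, then whitespace or a single "=", then the first argument token
LINE = re.compile(r"^\s*([A-Za-z]+)(?:\s*=\s*|\s+)(\S+)")
# Upstream OpenSSH defaults, used when a keyword is absent (assumption:
# the distribution has not patched them)
DEFAULTS = {"permitrootlogin": "prohibit-password", "passwordauthentication": "yes"}
WANTED = {"permitrootlogin": "no", "passwordauthentication": "no"}

# Constructed sample file, not taken from the thread
SAMPLE = """\
# constructed sample
Port 2222
PermitRootLogin no
PasswordAuthentication yes
# appended later by an admin; the earlier line still wins
PasswordAuthentication no
Match Address 192.0.2.0/24
    PermitRootLogin prohibit-password
"""

def audit_sshd_config(text):
    """Return a list of findings for the hardening steps from the thread."""
    seen, ports, findings = {}, [], []
    in_match = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = LINE.match(raw)
        if not m:                        # blank line or "#" comment
            continue
        key, value = m.group(1).lower(), m.group(2).lower()
        if key == "match":
            in_match = True              # later lines are conditional overrides
        elif in_match:
            if key in WANTED and value != WANTED[key]:
                findings.append(f"line {lineno}: Match block sets {key} {value}")
        elif key == "port":
            ports.append(int(value))     # Port may be given more than once
        else:
            seen.setdefault(key, value)  # sshd keeps the first value it reads
    for key, want in WANTED.items():
        got = seen.get(key, DEFAULTS[key])
        if got != want:
            findings.append(f"{key} is {got}, expected {want}")
    if 22 in (ports or [22]):            # no Port line means the default, 22
        findings.append("sshd listens on the default port 22")
    return findings

if __name__ == "__main__":
    for finding in audit_sshd_config(SAMPLE):
        print(finding)
```

Because keywords are lowercased before comparison, the same function can also be fed the output of `sshd -T`, which prints the effective configuration.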