With my Operations & Security Leadership experience I hope to speak to individuals who want to engineer solutions, not just fight fires. It always depends, but there are patterns forming around what works, and I want to learn about those and share them with those who need help.

If you Expose ssh Publicly…

01.08.2012

…run it on a high port

This seems like obvious advice, but I see it ignored all the time. Yes, putting ssh on another port is obscurity, but it works. It does nothing against someone who has singled out your host and is willing to port-scan it, and it does not stop them guessing a weak password once they find sshd; you need other controls for that. What it does is cut out the noise: the mindless bots that only ever probe port 22. Two practical notes. First, open the new port in the host and network firewalls before you restart sshd, and keep your existing session open until you have confirmed a fresh login on the new port works, or you will lock yourself out. Second, ports above 1023 can be bound by any unprivileged local user, so if sshd ever fails to start, another process on the box could squat on its port; if that worries you, pick an unused port below 1024 instead of a truly high one.

…disable root logins

Whether this is the default depends on the distribution and the OpenSSH version (upstream changed its own default from yes to prohibit-password in OpenSSH 7.0, and prohibit-password still lets root in with a key), so set PermitRootLogin no explicitly rather than trusting whatever shipped. I still talk to people who think it's ok to allow root logins. There's just no reason to: log in as a named user with a public key and use sudo, which also gives you a per-person audit trail that a shared root login never will.

…disable passwords

If you are really concerned about security, only allow public key authentication: PasswordAuthentication no, and ChallengeResponseAuthentication no as well (OpenSSH 8.7 and later call it KbdInteractiveAuthentication), because with UsePAM enabled the keyboard-interactive path can still prompt for a password even when password authentication is off. This is how most of the bastion hosts I have experience with work, and I haven't seen many problems with it. Not to say it's perfect: a key is only as safe as the workstation holding it, so keys should carry passphrases and be removed from authorized_keys the day someone leaves. But it removes the entire class of password-guessing attacks, which is most of what arrives at a public sshd.
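The three sshd_config settings above (Port, PermitRootLogin, PasswordAuthentication plus the keyboard-interactive path), checked the way sshd itself reads the file: comments stripped, keywords case-insensitive, the first value of a repeated keyword wins, and anything under a Match line treated as conditional. This is an added example, not code from the original post; the function names sshd_value and audit_sshd_config and the sample config it runs on are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config for the
# settings discussed above. It follows sshd's own parsing rules: keywords and
# values are case-insensitive, '#' starts a comment, and when a keyword appears
# more than once the FIRST value wins (later copies are ignored), except Port,
# where every occurrence adds another listening port. Everything after a
# "Match" line is skipped because it only applies conditionally.

# sshd_value FILE KEYWORD [ALL]
# Prints the effective (lowercased) value of KEYWORD, or nothing if it is unset.
# With a third argument, prints every occurrence instead (needed for Port).
sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v all="${3:-0}" '
        { sub(/#.*/, "") }                      # drop comments
        tolower($1) == "match" { in_match = 1 }
        in_match { next }                       # conditional section: ignore
        NF >= 2 && tolower($1) == key { print tolower($2); if (!all) exit }
    ' "$1"
}

# audit_sshd_config FILE
# Prints one OK/FAIL line per check; returns 1 if anything failed.
audit_sshd_config() {
    f="$1"; rc=0

    ports=$(sshd_value "$f" Port 1 | tr '\n' ' ')
    case " ${ports:-22 }" in
        *" 22 "*) echo "FAIL Port: ${ports:-22 (default)}- move sshd off 22 to shed scanner noise"; rc=1 ;;
        *)        echo "OK   Port: $ports" ;;
    esac

    root=$(sshd_value "$f" PermitRootLogin)
    if [ "$root" = no ]; then
        echo "OK   PermitRootLogin: no"
    else
        echo "FAIL PermitRootLogin: ${root:-unset} - set it to no explicitly (prohibit-password still admits root with a key)"; rc=1
    fi

    pw=$(sshd_value "$f" PasswordAuthentication)
    if [ "$pw" = no ]; then
        echo "OK   PasswordAuthentication: no"
    else
        echo "FAIL PasswordAuthentication: ${pw:-unset (default yes)} - allow keys only"; rc=1
    fi

    # With UsePAM, keyboard-interactive auth can still prompt for a password
    # unless this is off too (OpenSSH >= 8.7 names it KbdInteractiveAuthentication).
    cr=$(sshd_value "$f" ChallengeResponseAuthentication)
    kbd=$(sshd_value "$f" KbdInteractiveAuthentication)
    if [ "$cr" = no ] || [ "$kbd" = no ]; then
        echo "OK   ChallengeResponseAuthentication/KbdInteractiveAuthentication: no"
    else
        echo "FAIL ChallengeResponseAuthentication: ${cr:-unset (default yes)} - PAM can still ask for a password"; rc=1
    fi
    return $rc
}

# Demo on a constructed config showing all the problems (a sample, not a real host).
tmp=$(mktemp)
cat > "$tmp" <<'EOF'
# out-of-the-box style sshd_config (constructed sample for this example)
#Port 22
PermitRootLogin yes
#PasswordAuthentication yes
UsePAM yes
EOF
audit_sshd_config "$tmp" || echo "=> this config would not pass"
rm -f "$tmp"
```

Point it at /etc/ssh/sshd_config on a real host (it reads only that one file, so configs assembled with Include directives, supported since OpenSSH 8.2, need each fragment checked). After fixing the settings, run sshd -t to validate the file before restarting the daemon, and test a new login from a second session before closing the one you are in.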

…audit access

I mean two things by this. First, audit who has access: review the accounts on the host and every authorized_keys file (ssh-keygen -lf on each file lists the key fingerprints), and remove any key that belongs to someone who has left or that nobody can attribute to a person. Second, audit who is actually accessing your bastion host and who is trying and failing. The sshd log (auth.log or secure, or the journal) records every accepted login with the user, source address and, for key logins, the key fingerprint, every failed attempt, and every attempt against an account that does not exist; those are exactly the lines to review, and a steady stream of failures from one address is the pattern to alert on.
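As an added example of the second kind of audit (not code from the original post), the script below classifies sshd log lines into accepted logins, failed attempts and attempts against non-existent users, summarises failures by source address, and flags any password login that got through, which on a key-only bastion should never appear. The log lines are constructed for this example, using documentation address ranges and made-up key fingerprints in the modern OpenSSH log format; the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): review sshd authentication events.
# Field positions are found by keyword ("Accepted", "for", "from") rather than
# by fixed column, so the prefix (classic syslog or journalctl) does not matter.

# write_sample_log FILE: constructed sshd log lines for the demo (not real data).
write_sample_log() {
    cat > "$1" <<'EOF'
Jan  8 10:02:11 bastion sshd[2201]: Accepted publickey for alice from 203.0.113.10 port 51022 ssh2: RSA SHA256:EXAMPLEaliceKeyFingerprint00000000000000000
Jan  8 10:05:42 bastion sshd[2230]: Failed password for root from 198.51.100.77 port 40001 ssh2
Jan  8 10:05:44 bastion sshd[2230]: Failed password for root from 198.51.100.77 port 40001 ssh2
Jan  8 10:06:01 bastion sshd[2235]: Invalid user admin from 198.51.100.77 port 40010
Jan  8 10:06:03 bastion sshd[2235]: Failed password for invalid user admin from 198.51.100.77 port 40010 ssh2
Jan  8 10:09:15 bastion sshd[2260]: Accepted publickey for bob from 203.0.113.25 port 51800 ssh2: RSA SHA256:EXAMPLEbobKeyFingerprint000000000000000000000
Jan  8 10:12:30 bastion sshd[2280]: Failed publickey for alice from 192.0.2.5 port 60000 ssh2: RSA SHA256:EXAMPLEunknownKeyFingerprint00000000000000000
Jan  8 10:13:00 bastion sshd[2281]: Accepted password for carol from 192.0.2.9 port 60100 ssh2
EOF
}

# ssh_auth_summary LOG
# One line per event: ACCEPTED user src method fingerprint | FAILED user src method flag | INVALID user src
ssh_auth_summary() {
    awk '
        function idx(w,   i) { for (i = 1; i <= NF; i++) if ($i == w) return i; return 0 }
        !/sshd\[[0-9]+\]: / { next }              # only sshd lines
        {
            s = idx("from"); if (!s) next
            src = $(s + 1)
            f = idx("for")
            if (f && $(f + 1) == "invalid")      { user = $(f + 3); flag = "invalid-user" }
            else if (f)                          { user = $(f + 1); flag = "-" }
            else { u = idx("user"); user = u ? $(u + 1) : "?"; flag = "invalid-user" }
        }
        / Accepted / {
            a = idx("Accepted"); method = $(a + 1)
            fp = (method == "publickey") ? $NF : "-"   # fingerprint is the last field
            print "ACCEPTED", user, src, method, fp; next
        }
        / Failed /       { a = idx("Failed"); print "FAILED", user, src, $(a + 1), flag; next }
        / Invalid user / { print "INVALID", user, src; next }
    ' "$1"
}

# top_failed_sources LOG: failed attempts per source address, most first.
top_failed_sources() {
    ssh_auth_summary "$1" | awk '$1 == "FAILED" { n[$3]++ } END { for (s in n) print n[s], s }' | sort -rn
}

# password_logins LOG: accepted logins that used a password (empty on a key-only host).
password_logins() {
    ssh_auth_summary "$1" | awk '$1 == "ACCEPTED" && $4 == "password" { print $2, $3 }'
}

# Demo on the constructed sample.
log=$(mktemp)
write_sample_log "$log"
echo "== events =="; ssh_auth_summary "$log"
echo "== failed attempts by source =="; top_failed_sources "$log"
echo "== accepted PASSWORD logins (should be empty) =="; password_logins "$log"
rm -f "$log"
```

The fingerprints in the ACCEPTED lines are the ones to cross-check against ssh-keygen -lf output for each authorized_keys file: a fingerprint that logs in but is not in any file you reviewed means your inventory of keys is wrong. Run it against the real log with something like ssh_auth_summary /var/log/auth.log, or feed it journalctl -u ssh output through a temporary file.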

…keep it updated

Every once in a while a critical patch comes along for OpenSSH. Apply it when it does, and quickly; watch your distribution's security advisories so you hear about it. One detail that is easy to miss: updating the package does not change the code of the daemon already running, so restart sshd afterwards (existing sessions survive a restart, since each runs in its own process) and confirm the version with ssh -V or the package manager. It's that simple.



Source: http://www.opsbs.com/index.php/2011/12/if-you-expose-ssh-publicly/
Published at DZone with permission of Aaron Nichols, author and DZone MVB.


Comments

Luca Botti replied on Mon, 2012/01/09 - 6:54am

What about using DenyHosts to deny access to IPs after a couple of password trials? Simple and effective.

 

For the paranoid, port knocking is a must.

 

Regards

Sandeep Bhandari replied on Fri, 2012/01/13 - 8:31am

As you mentioned, it's important to allow public-private authentication keys. Some Java SSH Libraries
