
CentOS 6 | OpenSSH

I have an external facing server and would like the convenience of being able to access it via my phone. The system itself is an island and has no association/connection to my internal network at all.

I presently have SSHD configured to listen on a different port and only allow connectivity if:

  1. SSH traffic is coming from specific remote IPs
  2. SSH clients are using authorized 2048-bit RSA keys.

I'd like to take off the source IP requirement to make access more convenient from mobile devices but my concern is that I'd be opening myself up for a world of hurt later.

Would it help to leverage something like fail2ban to block repeat offenders?

My question is:

IF I keep my SSH server up-to-date, and IF I keep my private key secret/secure, how much confidence can I have that a system requiring SSH authorized keys won't be easily compromised?

Mike B
  • This question is broad. An unsecured client can leak the RSA key easily. A server running an obsolete version of an sshd server with known exploitable vulnerabilities is even less safe. – BatchyX Jan 21 '13 at 19:04

2 Answers


Disable password authentication in sshd (it is enabled by default); someone can still force it with the no-key option even if you have already enabled PKI authentication. By doing so, the server will close the connection automatically if the fingerprint doesn't match on the first attempt. It will permit only those who hold the keys to the kingdom.
Keep the key secret.

cyberhicham
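Added example, not code from either answer: a POSIX shell audit of an sshd_config for the settings this answer recommends. It honours sshd's first-occurrence-wins rule (a `PasswordAuthentication no` appended at the end of the file does not override an earlier `yes`) and also checks ChallengeResponseAuthentication, which on a PAM system can still prompt for a password when PasswordAuthentication is off. The sample config and the function names are constructed for this example.

```shell
#!/bin/sh
# Audits an sshd_config for the key-only posture recommended above.
# sshd rules that make a naive grep misleading: the FIRST occurrence of a
# keyword wins, keywords are case-insensitive, and directives after a
# "Match" line apply only conditionally, so the scan stops there.

# effective_value KEYWORD  (config on stdin)
# Prints the value sshd would use, or "unset" if the keyword never
# appears in the global section.
effective_value() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        { sub(/[ \t]*#.*/, "") }                # strip comments
        NF == 0 { next }
        tolower($1) == "match" { exit }         # end of global section
        tolower($1) == key { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }'
}

# audit_sshd_config  (config on stdin)
# Prints one FINDING line per weak setting; the return code is the number
# of findings, so 0 means password logins are off and pubkey is on.
audit_sshd_config() {
    cfg=$(cat)
    findings=0
    # keyword=wanted=default; the default is what OpenSSH uses when unset
    for spec in PasswordAuthentication=no=yes \
                ChallengeResponseAuthentication=no=yes \
                PubkeyAuthentication=yes=yes; do
        key=${spec%%=*}; rest=${spec#*=}; want=${rest%=*}; default=${rest#*=}
        got=$(printf '%s\n' "$cfg" | effective_value "$key")
        [ "$got" = unset ] && got=$default
        if [ "$got" != "$want" ]; then
            echo "FINDING: $key effectively '$got', want '$want'"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Constructed sample: looks hardened at the bottom, but the earlier
# "PasswordAuthentication yes" is the one sshd honours, and PAM's
# keyboard-interactive path stays open via ChallengeResponseAuthentication.
SAMPLE_CONFIG='Port 2222
#PasswordAuthentication no
PasswordAuthentication yes
PubkeyAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
Match User backup
    PasswordAuthentication no
PasswordAuthentication no'

printf '%s\n' "$SAMPLE_CONFIG" | audit_sshd_config || echo "weak settings: $?"
```

On the server itself, `sshd -T` (OpenSSH 5.1 and later, so including the 5.3 shipped with CentOS 6) prints the effective values directly; this script is for auditing a copied config file offline.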

Yes, SSH key authorization & fail2ban for two requests (or one?!) is a pretty nice defence.

Although you must consider an additional firewall (block ICMP requests, port sniffing etc.).

Str82DHeaD
  • I'm using the netfilter recent module to handle port 22 hack attempts, myself. – lsd Jan 21 '13 at 19:04