On Mon, Feb 24, 2014 at 03:11:53PM +1100, Karl Auer wrote:
> Important:
> - use lots of bits in your keys
> - protect every ssh key with a passphrase[1]
>   (unattended command access is the exception)
> - use long, strong passphrases
> - use long, strong passwords
> - turn off remote password logins - require publickey
> - don't allow root logins at all
> 
> Fairly important:
> - don't allow direct logins from the Internet
> - use separate, limited accounts for command access
>   (especially for keys without passphrases!)
> - log everything
> 
> Less important
> - change ssh keys at random, moderately frequent intervals
> - change passphrases at random, moderately frequent intervals
> - limit the number of failed attempts

Add to that
  - use authorized_keys options such as "from=" to limit key
    range especially for passwordless command access keys
  - watch out for insecure use of ssh-agent

I also use packet rules to limit sshd connection rates and
block client IPs which make repeated login attempts.
_______________________________________________
Link mailing list
Link@mailman.anu.edu.au
http://mailman.anu.edu.au/mailman/listinfo/link
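The two points raised in this thread that are most often done wrong in practice are the authorized_keys restrictions for passwordless command-access keys and the sshd_config settings that turn off password and root logins. The script below is an added example, not from the thread or from OpenSSH: it builds a restricted authorized_keys entry (the `from=`, `command=` and `no-*` options are real OpenSSH authorized_keys options) and audits an sshd_config file for the settings named in the thread (PasswordAuthentication, PermitRootLogin, PubkeyAuthentication and MaxAuthTries are real sshd_config keywords). The host patterns, command path, key material and config contents are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the list post). Hosts, paths and the key blob
# below are constructed placeholders.

# restricted_key_entry FROM_PATTERN COMMAND PUBKEY
# Emits one authorized_keys line for an unattended key. The options mean:
#   from="..."      the key is only accepted from these source hosts/CIDRs
#   command="..."   whatever the client asks for, only this command runs
#   no-port-forwarding,no-agent-forwarding,no-pty,no-X11-forwarding
#                   the key cannot be turned into a tunnel, shell or agent hop
restricted_key_entry() {
    printf 'from="%s",command="%s",no-port-forwarding,no-agent-forwarding,no-pty,no-X11-forwarding %s\n' \
        "$1" "$2" "$3"
}

# effective_setting FILE KEYWORD
# Prints the value of the first uncommented KEYWORD line (sshd honours the
# first match, keyword case-insensitive) or nothing if it is not set.
effective_setting() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        $0 !~ /^[[:space:]]*#/ && tolower($1) == k { print $2; exit }
    ' "$1"
}

# audit_sshd_config FILE
# Prints one FAIL line per hardening point that is not met; returns 1 if any.
audit_sshd_config() {
    f=$1; rc=0
    check() {  # check KEYWORD EXPECTED
        v=$(effective_setting "$f" "$1")
        if [ "$v" != "$2" ]; then
            echo "FAIL: $1 is '${v:-unset}', want '$2'"
            rc=1
        fi
    }
    check PasswordAuthentication no     # "turn off remote password logins"
    check PermitRootLogin no            # "don't allow root logins at all"
    check PubkeyAuthentication yes      # "require publickey"
    # "limit the number of failed attempts": sshd defaults to 6 per connection,
    # so an unset value is treated as too permissive.
    m=$(effective_setting "$f" MaxAuthTries)
    if [ -z "$m" ] || [ "$m" -gt 3 ]; then
        echo "FAIL: MaxAuthTries is '${m:-unset}', want 3 or fewer"; rc=1
    fi
    return $rc
}

demo() {
    tmp=$(mktemp)
    # Constructed "before" config: what a fresh install typically ships with
    printf '#PasswordAuthentication yes\nPermitRootLogin yes\n' > "$tmp"
    echo "--- default config:"; audit_sshd_config "$tmp" || true
    # Constructed "after" config with the thread's settings applied
    printf 'PasswordAuthentication no\nPermitRootLogin no\nPubkeyAuthentication yes\nMaxAuthTries 3\n' > "$tmp"
    echo "--- hardened config:"; audit_sshd_config "$tmp" && echo "all checks pass"
    rm -f "$tmp"
    echo "--- restricted authorized_keys entry:"
    restricted_key_entry "203.0.113.0/24,backup.example.net" "/usr/local/bin/run-backup" \
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI-CONSTRUCTED-PLACEHOLDER backup@example.net"
}

demo
```

The audit reads only the first uncommented occurrence of each keyword, which is how sshd itself resolves duplicates, so a hardened line added at the end of a file that still has `PermitRootLogin yes` earlier will correctly be reported as a failure. Connection-rate limiting of the kind mentioned in the reply lives in the packet filter rather than in sshd_config and is not covered by this check.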
