On Mon, Feb 24, 2014 at 03:11:53PM +1100, Karl Auer wrote:
> Important:
> - use lots of bits in your keys
> - protect every ssh key with a passphrase[1]
>   (unattended command access is the exception)
> - use long, strong passphrases
> - use long, strong passwords
> - turn off remote password logins - require publickey
> - don't allow root logins at all
>
> Fairly important:
> - don't allow direct logins from the Internet
> - use separate, limited accounts for command access
>   (especially for keys without passphrases!)
> - log everything
>
> Less important:
> - change ssh keys at random, moderately frequent intervals
> - change passphrases at random, moderately frequent intervals
> - limit the number of failed attempts
Add to that:
- use authorized_keys options such as "from=" to limit key range,
  especially for passwordless command access keys
- watch out for insecure use of ssh-agent

I also use packet rules to limit sshd connection rates and block client
IPs which make repeated login attempts.

_______________________________________________
Link mailing list
Link@mailman.anu.edu.au
http://mailman.anu.edu.au/mailman/listinfo/link
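The authorized_keys advice in the reply above (a "from=" restriction on every key, and especially on passwordless command= keys) is easy to state and easy to let slip on a busy host. The following script is an added example, not code from this thread or from OpenSSH: it audits an authorized_keys file with awk and flags keys that lack a from= option, treating a command= key without one as critical. It assumes the standard OpenSSH line layout `[options] keytype base64 [comment]`; the function names and the sample keys it writes (fake key material, marked as constructed) are invented for the example. It also checks for the newer `restrict` option, which OpenSSH added in 7.2 (after this 2014 thread) to disable forwarding, PTY and agent access in one word.

```shell
#!/bin/sh
# Added example, not code from the Link thread: audit an OpenSSH
# authorized_keys file for keys that lack a from= source restriction, and
# flag command= (unattended command access) keys without from= as critical.
# Assumes the standard layout: [options] keytype base64 [comment].
# Function names and the sample keys below are constructed for this example.

# Write a constructed sample authorized_keys file (fake key material) to $1.
write_sample_keys() {
    cat > "$1" <<'EOF'
# interactive user key with no source restriction
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYONE alice@laptop
command="/usr/local/bin/backup.sh",no-pty,no-port-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQEXAMPLEKEYTWO backup@cron

from="10.0.0.0/24,192.168.1.5",restrict,command="/usr/local/bin/backup.sh" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYTHREE backup@host2
from="*.example.org" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYFOUR bob@desk
from="203.0.113.7",command="/usr/bin/rsync --server --sender ." ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQEXAMPLEKEYFIVE sync@mirror
EOF
}

# Print one verdict per key line: OK, WARN, CRITICAL or MALFORMED.
audit_authorized_keys() {
    awk '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blank lines
    {
        # Everything before the key-type field is the options string; the
        # options may contain spaces inside quoted command= values.
        opts = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-|sk-)/) break
            opts = (opts == "" ? $i : opts " " $i)
        }
        if (i > NF) { print "MALFORMED line " NR; next }
        comment = (i + 2 <= NF) ? $(i + 2) : "(no comment)"
        # Prefix a comma so every option can be matched as ",name" without anchors.
        o = "," opts
        has_from     = (o ~ /,from=/)
        has_cmd      = (o ~ /,command=/)
        has_restrict = ((o ",") ~ /,restrict,/)
        if (has_cmd && !has_from) {
            print "CRITICAL " comment ": command= key without from= restriction"
        } else if (!has_from) {
            print "WARN     " comment ": no from= restriction"
        } else if (has_cmd && !has_restrict) {
            print "WARN     " comment ": command= key should also carry restrict"
        } else {
            print "OK       " comment
        }
    }' "$1"
}

# Number of key lines that are not OK (prints 0 when everything passes).
flagged_key_count() {
    audit_authorized_keys "$1" | awk '!/^OK/ { n++ } END { print n + 0 }'
}

# Stand-alone use: audit the file given as $1, or the constructed sample.
if [ $# -gt 0 ]; then
    audit_authorized_keys "$1"
else
    sample=$(mktemp) && write_sample_keys "$sample"
    audit_authorized_keys "$sample"
    echo "flagged: $(flagged_key_count "$sample")"
    rm -f "$sample"
fi
```

Run it as `sh audit.sh ~/.ssh/authorized_keys` (or against each user's file from cron) and treat any CRITICAL line as a key that can be replayed from anywhere if it leaks, since it has no passphrase and no source restriction. On the constructed sample it reports alice@laptop and sync@mirror as WARN, backup@cron as CRITICAL, and the two from=-restricted keys as OK.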