Over a million developers have joined DZone.

If you Expose ssh Publicly…

DZone 's Guide to

If you Expose ssh Publicly…

· DevOps Zone ·
Free Resource

…run it on a high port

This seems like obvious advice but I see it so often ignored…. Yes, putting ssh on another port is obscurity – but it freaking works. It doesn’t prevent someone from cracking your password via ssh, you should have other mechanisms for that. It just prevents all the noise, all the mindless bots scanning port 22.


…disable root logins

This is default on most distributions but I still talk to people who think it’s ok to enable this. There’s just no reason. Use sudo & public keys.


…disable passwords

If you are really concerned about security, only allow public key access. This is how most of the bastion hosts I have experience with work and I haven’t seen many problems with it. Not to say it’s perfect, but it’s pretty good.


…audit access

I mean two things by this: Audit who has access by reviewing your logins & key files. I also mean you should audit who is actually accessing your bastion host and who is trying and failing.


…keep it updated

Every once in a while a critical patch comes along for ssh. Apply it when it does. Quickly. It’s that simple.

Source: http://www.opsbs.com/index.php/2011/12/if-you-expose-ssh-publicly/

Opinions expressed by DZone contributors are their own.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}