
Re: [Fwd: security]



Luis M wrote:

(snip)


6. Use the AllowUsers option in sshd_config and put a comma-separated
list of users that are allowed to log in remotely. All other users will
simply be denied access.

7. Use tcp_wrappers to allow only a handful of IPs to log in remotely
to your box. If you don't have a static IP that you use yourself to
log in to your computer remotely, you might want to allow IPs coming
from ISPs in your own country/region. That way you limit attacks to a
very limited subset of IPs that can be tracked (and possibly sued)
:-) Use whois to determine the IP blocks for major ISPs.


I have one final twist on the concept, pertaining to #7. I was going to completely lock down a network I administer (no root SSH, only DSA-key-based SSH2, etc.) but can't quite make that leap, due to the remote possibility of needing to ssh in as root from somewhere, possibly when I don't have a DSA key handy. My solution was to default-deny SSH access to the network, selectively enabling "friendly" IP ranges (exactly the concept Luis had, based on the idea that I'll be able to find a real person to contact).

The key addition I have is I also allow SSH access from any IP address to one specific box that's hardened more than normal, and watched more closely than the others. That way, in an emergency, I'd be able to ssh in there, and bounce to another box (or update my access list on the router).

A more advanced concept would automatically close that hole to anyone trying to hit port 22 on one of the protected servers, but that's overkill for my needs. Also, in my case, I'm dropping the packets right at the edge router. That's easier for me to maintain, especially since I had a set of rules for blocking various bad things already. Another good idea would be to supplement my router-based solution with iptables on every box, but I figure I'll start with the low hanging fruit.

--Rich
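The layered policy discussed in this thread (Luis's AllowUsers and tcp_wrappers advice, plus Rich's edge-router default deny with friendly ranges and a single bastion open to the world) as an added, runnable model. This is example code written for this page, not anything Luis or Rich posted. It evaluates whether a given connection attempt would get through both layers and emits the matching iptables, tcp_wrappers and sshd_config fragments. All addresses, ranges and user names below are hypothetical; the iptables chain name SSH-IN is an arbitrary choice.

```python
"""Added example (not from the thread): model the layered SSH access policy
described above and generate the config fragments that implement it.
All addresses, ranges and user names are constructed for illustration."""
import ipaddress
from dataclasses import dataclass


@dataclass
class SshAccessPolicy:
    friendly_ranges: list   # CIDRs whose hosts may reach port 22 on any server
    bastion: str            # the single more-hardened box open to the world
    allow_users: list       # users sshd will accept; everyone else is denied
    ssh_port: int = 22

    # --- decision logic -------------------------------------------------

    def router_permits(self, src_ip: str, dst_ip: str) -> bool:
        """Edge-router view: packets to the bastion pass from anywhere;
        packets to any other host pass only from a friendly range;
        everything else is dropped."""
        src = ipaddress.ip_address(src_ip)
        if ipaddress.ip_address(dst_ip) == ipaddress.ip_address(self.bastion):
            return True
        return any(src in ipaddress.ip_network(r) for r in self.friendly_ranges)

    def sshd_permits(self, user: str) -> bool:
        """sshd view: AllowUsers is an allow-list; an unlisted user is refused
        even if the password or key would otherwise be accepted."""
        return user in self.allow_users

    def login_allowed(self, src_ip: str, dst_ip: str, user: str) -> bool:
        """Both layers must say yes."""
        return self.router_permits(src_ip, dst_ip) and self.sshd_permits(user)

    # --- config fragments -----------------------------------------------

    def iptables_rules(self, chain: str = "FORWARD") -> list:
        """Rules for a Linux edge router (FORWARD) or a server's own INPUT
        chain. New SSH connections are diverted to a dedicated chain
        (hypothetical name SSH-IN) that ends in DROP."""
        port = str(self.ssh_port)
        rules = [
            "iptables -N SSH-IN",
            f"iptables -A {chain} -p tcp --dport {port} --syn -j SSH-IN",
            f"iptables -A SSH-IN -d {self.bastion} -j ACCEPT",
        ]
        rules += [f"iptables -A SSH-IN -s {r} -j ACCEPT" for r in self.friendly_ranges]
        rules.append("iptables -A SSH-IN -j DROP")
        return rules

    def tcp_wrappers(self, this_host: str) -> dict:
        """hosts.allow / hosts.deny for one server. The bastion accepts ALL;
        other servers accept only the friendly ranges, written as
        net/mask pairs, the form tcp_wrappers has always understood."""
        if ipaddress.ip_address(this_host) == ipaddress.ip_address(self.bastion):
            allow = "sshd: ALL"
        else:
            nets = [ipaddress.ip_network(r) for r in self.friendly_ranges]
            allow = "sshd: " + ", ".join(f"{n.network_address}/{n.netmask}" for n in nets)
        return {"hosts.allow": allow, "hosts.deny": "sshd: ALL"}

    def sshd_config_lines(self) -> list:
        # AllowUsers takes a space-separated list of patterns.
        return [
            f"Port {self.ssh_port}",
            "AllowUsers " + " ".join(self.allow_users),
        ]


# Constructed sample policy (hypothetical addresses and names)
POLICY = SshAccessPolicy(
    friendly_ranges=["203.0.113.0/24", "198.51.100.0/25"],
    bastion="192.0.2.10",
    allow_users=["rich", "luis"],
)


def demo() -> dict:
    """Decisions for a few constructed connection attempts."""
    return {
        "friendly_to_server": POLICY.login_allowed("203.0.113.7", "192.0.2.20", "rich"),
        "unknown_to_server": POLICY.login_allowed("192.168.77.1", "192.0.2.20", "rich"),
        "unknown_to_bastion": POLICY.login_allowed("192.168.77.1", "192.0.2.10", "rich"),
        "unknown_user_anywhere": POLICY.login_allowed("203.0.113.7", "192.0.2.20", "mallory"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:24} {'allow' if ok else 'deny'}")
    print("\n".join(POLICY.iptables_rules()))
```

Two caveats worth knowing before copying the generated fragments onto a real host: sshd's AllowUsers option takes a space-separated list of patterns, not a comma-separated one, and the hosts.allow/hosts.deny lines only take effect if sshd was built with libwrap (upstream OpenSSH dropped tcp_wrappers support in 6.7, so on a current system the equivalent is a firewall rule or a Match Address block in sshd_config). The iptables rules drop rather than reject, matching what the message describes doing at the edge router.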



