# [ANSWERED] SSH Security

## Gentoo-Ed

I want to use SSH on my home network. I'll probably only use it internally, not from somewhere else, but do want to configure it to be secure for the outside, just in case I do want to connect.

I read about security here:

http://www.gentoo.org/doc/en/articles/openssh-key-management-p1.xml

Is DSA the way to go? If I understand correctly that means generating a key on the server and copying it to the client(s).

----------

## Malvineous

To be honest, if you only want to avoid script kiddies then any sort of key-based authentication will be fine.  The only attacks I ever see against my SSH server are password based, using a whole list of usernames I don't even have enabled.  (Plus using iptables and connection throttling really slows them down.)  So if you're only using keys, then it doesn't matter what passwords they try.

Of course that means you have to have access to a remote SSH client and import your keys (so fiddly at best from an Internet cafe); keys are only really useful if you have proper access to the remote machine.

----------

## slackline

If all you want is SSH at home and not from outside, simply use DSA/RSA keys and keychain.  That way you enter your DSA/RSA password once when logging in and can then ssh to other machines without passwords.  Then to stop anyone from getting in and trashing your system, block port 22 on your router's firewall, and make sure root login in /etc/ssh/sshd_config is disabled.

That will be more than enough I'd imagine, as long as you're not ultra-paranoid.  When you want to access from away from home then just port-forward to your main server, and then once logged in ssh to the other computers on your home network.

----------

## dreadlorde

You could also install [fail2ban](http://fail2ban.sourceforge.net/).

----------

## Inodoro_Pereyra

I had success blocking most of the script kiddies scanning my net and all those dictionary attacks by simply configuring my ssh server to listen on a different port than the usual 22.

After that, as suggested above, key authentication, fail2ban, and for the extremely paranoid there is also port knocking.

Cheers!

----------
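The settings the replies above keep coming back to (root login disabled in sshd_config, keys instead of passwords, a non-default port) can be checked mechanically. The script below is an added example, not code from any poster or from OpenSSH; it assumes a current OpenSSH release for the defaults it applies when a keyword is absent, and it deliberately ignores anything inside a `Match` block, since those directives are conditional.

```python
# Added example (not from the thread): audit an sshd_config for root login,
# password vs. key login and the listening port. Follows sshd's rule that the
# first value seen for a keyword wins and stops at the first Match block.
# DEFAULTS assume a current OpenSSH (older releases defaulted PermitRootLogin to yes).
import re

DEFAULTS = {
    "port": "22",
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
}

def parse_sshd_config(text):
    """Return {keyword: first value} for top-level directives (keys lowercased)."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and full-line comments
        # sshd accepts "Keyword value", "Keyword=value" and "Keyword = value"
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break  # everything after Match is conditional; audit it separately
        if len(parts) == 2 and key not in seen:
            seen[key] = parts[1].strip()
    return seen

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    cfg = {**DEFAULTS, **parse_sshd_config(text)}
    findings = []
    if cfg["permitrootlogin"].lower() == "yes":
        findings.append("PermitRootLogin yes: the root account can be logged into directly")
    if cfg["passwordauthentication"].lower() == "yes":
        findings.append("PasswordAuthentication yes: dictionary attacks still apply")
    if cfg["pubkeyauthentication"].lower() == "no":
        findings.append("PubkeyAuthentication no: key login is disabled")
    if cfg["port"] == "22":
        findings.append("Port 22: the default port gets the bulk of automated scans")
    return findings

# Constructed sample configs: a loose distro-style default and a hardened one.
WEAK = "# distro default\nPort 22\nPermitRootLogin yes\nPasswordAuthentication yes\n"
HARDENED = (
    "Port 2222\nPermitRootLogin = no\nPasswordAuthentication no\n"
    "PubkeyAuthentication yes\nMatch User backup\n    PasswordAuthentication yes\n"
)
```

Run `audit(open("/etc/ssh/sshd_config").read())` on a real file; remember that `sshd -T` prints the effective configuration if you want to compare against what the daemon actually applies.

----------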

## Gentoo-Ed

Okay, this is quite some information to go with.

I'll configure ssh to listen on a different port. That's always a good start. Then I'll look into the keys and fail2ban or keychain.

----------

