I am running the following version of GNU/Linux Debian:
cat /etc/issue says:
Debian GNU/Linux 9
Using the following kernel:
uname -r says:
4.9.0-2-amd64
And running the following version of OpenSSH:
apt-cache policy openssh-server | grep Installed says:
Installed: 1:7.4p1-7
My intention is to harden a little one server's SSH security, since I need to have access from any IP, even from any VPN.
These steps I have done so far:
Disabling direct root access:
cat /etc/ssh/sshd_config | grep PermitRootLoginis set to:
PermitRootLogin noEnforcing SSH protocol version 2:
cat /etc/ssh/sshd_config | grep Protocolis set to:
Protocol 2Changed port to a random one, which I will not write here, so say 12345:
cat /etc/ssh/sshd_config | grep Portis set to:
Port 12345I have punched hole in firewall for it:
sudo iptables -A INPUT -p tcp -m tcp --dport 12345 -m comment --comment "ssh" -j ACCEPTI have generated a new key of 8 kilobits length (I am aware of the CPU overhead and other disadvantages of such a large key):
ssh-keygen -t rsa -b 8192I have then verified the size matches:
ll /home/fictional_user/.ssh/id_rsa*is as it should be, as well as the access rights:
-rw------- 1 fictional_user fictional_group 6.3K Mar 16 11:53 /home/fictional_user/.ssh/id_rsa -rw-r--r-- 1 fictional_user fictional_group 1.4K Mar 16 11:53 /home/fictional_user/.ssh/id_rsa.pubI have added this key and verified there is no other:
eval $(ssh-agent -s) ssh-add ssh-add -lresults in:
8192 SHA256:gibberish /home/fictional_user/.ssh/id_rsa (RSA) 8192 SHA256:gibberish fictional_user@fictional_computer (RSA)I have imported the key to two machines, which will be maintaining the server:
ssh-copy-id fictional_user@public_ip -p 12345Afterwards, I have disabled password authentication completely:
cat /etc/ssh/sshd_config | grep PasswordAuthenticationis set to:
PasswordAuthentication no
Question: Did I forget on anything or this is maximum I can do?
