Score:0

What is the server hardening strategy when I use SSH tunneling?

I am using Proxmox with SSH tunneling. I have disabled all outside ports and connections, except for access via SSH tunneling.

In this way, what is my strategy for server hardening?

My setup:

  • disabled root login
  • use ssh keys instead of passwords
  • do not change the default SSH port, because I do not accept connections apart from tunneling
  • use fail2ban

What should I add?

Score:0
Too long for a comment:

  1. Don't forget to keep your systems current and up to date and promptly install security updates and bug fixes.

> use ssh keys instead of passwords

To make this explicit: you should not only be using keys rather than passwords, but the ssh server must also be configured to disallow password authentication completely, i.e. `PasswordAuthentication no` in the `sshd_config` configuration.

> use fail2ban

I'd normally advise you to run fail2ban only on services that are publicly available.

But does your ssh server even have to be publicly accessible? Can your authorised users (potentially) really connect from anywhere?

A firewall access list will significantly reduce the attack surface and will possibly even completely eliminate the brute-force attacks.
Even when your users don't have fixed IP addresses you can still use the (large) IP address ranges of the specific ISPs your users typically use for such a firewall policy. Even then you'll still see a large reduction in the amount of abuse.

Nikita Kipriyanov:
Having only `PasswordAuthentication no` is **not sufficient** to disable password authentication completely. One should also disable `KbdInteractiveAuthentication` and/or `UsePAM`, since together they can also provide interactive authentication via PAM, and if e.g. pam_unix.so is configured, that'll be the same thing as "simple" password authentication.
HBruijn:
That is one configuration setting I actually had to look up in the manual as I have never seen or adjusted that one: *"`KbdInteractiveAuthentication` Specifies whether to allow keyboard-interactive authentication. The argument to this keyword must be yes or no. The default is to use whatever value `ChallengeResponseAuthentication` is set to"* - A very cursory check shows that none of my systems even mention `KbdInteractiveAuthentication` in their (default) sshd_config and all of them had `ChallengeResponseAuthentication no` by default.
Nikita Kipriyanov:
There are actually different ways to disable password authentication; disabling the corresponding mechanisms is one of them, while you can also e.g. set authentication mechanism sequences in `AuthenticationMethods` so it will never include any unwanted mechanisms. Or you can set it so password authentication will require some second factor (TOTP etc.). My point was to note that just disabling that single mechanism might not be enough to be protected.
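An added example, not code from this thread: a small audit of the password paths the answer and the comments above discuss (`PasswordAuthentication`, the `KbdInteractiveAuthentication` default inherited from `ChallengeResponseAuthentication`, `UsePAM`, and `AuthenticationMethods`), run over two constructed `sshd_config` samples. It assumes OpenSSH's first-occurrence-wins rule and ignores anything after a `Match` line.

```python
import re

# Constructed sample: only "PasswordAuthentication no" (with the usual UsePAM yes).
WEAK_CONFIG = """
PasswordAuthentication no
UsePAM yes
"""
# Constructed sample: the configuration the comments converge on.
HARDENED_CONFIG = """
PasswordAuthentication no
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
AuthenticationMethods publickey
"""

def parse_sshd_config(text):
    """Lowercase keyword -> value; first occurrence wins, as in sshd; Match blocks skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and surrounding whitespace
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break   # simplification: conditional Match blocks are not evaluated
        settings.setdefault(key, parts[1] if len(parts) > 1 else "")
    return settings

def password_paths(text):
    """Return the ways a password could still be accepted. Defaults as the thread
    describes: PasswordAuthentication yes; KbdInteractiveAuthentication inherits
    ChallengeResponseAuthentication (default yes); PAM backs kbd-interactive."""
    cfg = parse_sshd_config(text)
    get = lambda key, default: cfg.get(key, default).lower()
    # AuthenticationMethods: space-separated alternatives, each a comma chain.
    # If no alternative names a password-style method, those paths are unreachable.
    chains = get("authenticationmethods", "any").split()
    if chains != ["any"] and not any(
            "password" in c or "keyboard-interactive" in c for c in chains):
        return []
    findings = []
    if get("passwordauthentication", "yes") == "yes":
        findings.append("PasswordAuthentication is enabled (default yes)")
    inherited = get("challengeresponseauthentication", "yes")
    if get("kbdinteractiveauthentication", inherited) == "yes":
        via = " via PAM (UsePAM yes)" if get("usepam", "no") == "yes" else ""
        findings.append("keyboard-interactive authentication is enabled" + via)
    return findings
```

On a real host, feed it the output of `sshd -T`, which prints the effective configuration with all defaults resolved, rather than the file itself.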