Should I harden my SSH if I only allow my IP in iptables?

  1. Allow root logins

  2. Use same password for all the servers

  3. Use default ssh port 22

Changing each of the above is a strategy of risk mitigation. Changing all of those things doesn't make you safe. Leaving them as they are isn't dangerous in and of itself. It does increase risk, but you might appreciate the convenience more than the risk.

For full TCP exchanges like those required with SSH, controlling the IP access range is reasonably effective against anybody who isn't a part of your network (same layer 2 branch or controlling upstream routing).

You do run the risk where one server compromise could expose the password for all, but you've limited where one can use the password from.

... but if the convenience is worth it, you feel ok, and these aren't subject to holding somebody else's important data, go for it. Just know why one would make those changes and what you're giving up for the convenience.


The answer is always yes. You never know what could happen.


If it were me, I'd:

  • lock down SSH
  • set up private/public key logins for a normal user to automate the login
  • su - once I logged in

Because it just isn't worth the worry.

(This has the added benefit of allowing access from anywhere you have PuTTY and your SSH key.)
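
To make the trade-offs in the answers above checkable, here is an added example (not part of the question or of any answer) that audits sshd_config text for the three settings the question lists. Both sample configurations and port 2222 are constructed for illustration, and the parser only reads the global section, so Match blocks and Include files are assumed absent.

```python
import re

# Constructed sample: the setup described in the question.
AS_ASKED = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""
# Constructed sample: key-only login for a normal user; port 2222 is arbitrary.
HARDENED = """\
Port=2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
"""
# OpenSSH defaults (7.0 and later) used when a keyword is absent.
DEFAULTS = {"permitrootlogin": "prohibit-password",
            "passwordauthentication": "yes", "pubkeyauthentication": "yes"}
LINE = re.compile(r"([^\s=]+)(?:\s*=\s*|\s+)(.*)")

def parse_global(text):
    """Return (settings, ports) from the global section of an sshd_config."""
    settings, ports = {}, []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m.group(1).startswith("#"):
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":        # conditional blocks are not evaluated here
            break
        if key == "port":         # Port may be given more than once
            ports.append(int(value))
        else:
            settings.setdefault(key, value)  # sshd uses the first value seen
    return settings, ports or [22]

def audit(text):
    """Map each keyword that leaves a risk from the question in place to a note."""
    settings, ports = parse_global(text)
    eff = {k: settings.get(k, d) for k, d in DEFAULTS.items()}
    found = {}
    if eff["permitrootlogin"] != "no":
        found["permitrootlogin"] = "root login allowed: " + eff["permitrootlogin"]
    if eff["passwordauthentication"] != "no":
        found["passwordauthentication"] = "a password reused across servers works here"
    if eff["pubkeyauthentication"] != "yes":
        found["pubkeyauthentication"] = "key logins are disabled"
    if 22 in ports:
        found["port"] = "listening on the default port 22"
    return found

if __name__ == "__main__":
    for name, cfg in (("as asked", AS_ASKED), ("hardened", HARDENED)):
        print(name, audit(cfg) or "no findings")
```

On a live host, `sshd -T` prints the effective configuration, including anything pulled in through Include or Match, which this parser does not follow.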