0

This question is about ssh

Hi, I have a web server for my site, and I use ssh :). I know I can port forward port 22, but is it safe enough? Let's say I use a password that takes a million years to crack or something. Will it be safe then, or will someone be able to log in with some trick?

Thanks

harry

2 Answers

1

Use keys and disable password authentication. It will get rid of most of the authentication attempts and you are safe enough. SSH protocol itself is secure.

Jakuje
  • Huh, so I have to disable it, but I need the password, right? – harry Jan 30 '16 at 14:04
  • If you use keys, you don't need passwords. – Jakuje Jan 30 '16 at 14:05
  • So that is way safer than a super complicated password? – harry Jan 30 '16 at 14:06
  • Yes. Until the key is safe and/or protected by a passphrase. You should be safe even with a complicated password, but keys are preferred. – Jakuje Jan 30 '16 at 14:18
  • Thanks so much! I have one more question, sorry :( But what if I make a passcode as long as a key, is that just as safe as a key? – harry Jan 30 '16 at 14:27
  • It would be roughly 256 characters if you compare to 2048 b long keys. I don't think you want that :) And with keys you will get rid of most of the brute-force attacks, as I mentioned before. – Jakuje Jan 30 '16 at 14:29
  • Oh yeah, I do not want to type that, but what if I save it behind a password just like a key? Because I want to be able to log in from all different places around the world :) – harry Jan 30 '16 at 14:30
  • As always. Until it will get compromised. You can also carry the key with you. There are HSMs (hardware security modules), Yubikey. Many possibilities. – Jakuje Jan 30 '16 at 14:33
  • Thanks so much that you are still answering my probably stupid questions, but what do you mean by compromised? You mean like being stolen or brute-forced? Thanks so much! I am new to all of this :) – harry Jan 30 '16 at 14:37
  • Stolen, copied (a key from an HSM can't be copied, so when it gets stolen, you will know). Such a long password/key basically can't be brute-forced. – Jakuje Jan 30 '16 at 14:38
  • Thanks so much! I guess I am going for a password. I am a simple guy and I assure you it will not get stolen or copied :) – harry Jan 30 '16 at 14:40
  • How do I mark this thread as solved by you? – harry Jan 30 '16 at 14:41
  • There should be a tick on the left side of this post [./] – Jakuje Jan 30 '16 at 14:41
  • 1
    You can also enable 2 factor authentication to further harden it. –  Jan 30 '16 at 16:13
  • @TheBrownOne Setting 2 factor is usually quite complicated, but thanks for mentioning it. – Jakuje Jan 30 '16 at 16:16
  • I have a nice, easy write up for it here –  Jan 30 '16 at 16:19
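As an added illustration of the advice in this answer (not code from the post or from OpenSSH), the Python sketch below checks sshd_config text for settings that still allow password-style logins after "disable password authentication" has supposedly been applied. The function names and sample configurations are constructed for the example; it assumes upstream OpenSSH defaults and does not follow Include directives.

```python
# Added example: audit sshd_config text for key-only login (inputs are constructed).
DEFAULTS = {  # upstream OpenSSH defaults for the keywords checked here
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
PASSWORD_STYLE = ("passwordauthentication", "kbdinteractiveauthentication")

def parse(config_text):
    """Return (global settings, Match-block overrides); Include is not followed."""
    settings, overrides, match = {}, [], None
    for raw in config_text.splitlines():
        parts = raw.replace("=", " ", 1).split()
        if not parts or parts[0].startswith("#"):
            continue  # blank line or comment
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        value = " ".join(parts[1:])
        if key == "match":
            match = value  # the lines that follow apply only to matching logins
        elif match is not None:
            overrides.append((match, key, value.lower()))
        else:
            # sshd keeps the first value it reads for a keyword
            settings.setdefault(key, value.lower())
    return settings, overrides

def audit(config_text):
    """List the reasons a password-style login is still possible."""
    settings, overrides = parse(config_text)
    effective = {**DEFAULTS, **settings}
    findings = []
    if effective["pubkeyauthentication"] != "yes":
        findings.append("pubkeyauthentication is not enabled")
    for key in PASSWORD_STYLE:
        if effective[key] != "no":
            findings.append(f"{key} is {effective[key]} globally")
    for cond, key, value in overrides:
        if key in PASSWORD_STYLE and value != "no":
            findings.append(f"Match {cond} sets {key} {value}")
    return findings

# Constructed sample configurations.
WEAK = "Port 22\nPasswordAuthentication yes\nPasswordAuthentication no\n"
KEY_ONLY = "PubkeyAuthentication yes\nPasswordAuthentication no\nChallengeResponseAuthentication no\n"
MATCH_LEAK = KEY_ONLY + "Match User backup\n    PasswordAuthentication yes\n"

if __name__ == "__main__":
    for name, text in (("WEAK", WEAK), ("KEY_ONLY", KEY_ONLY), ("MATCH_LEAK", MATCH_LEAK)):
        print(name, audit(text) or "key-only")
```

On a live server, `sshd -T` prints the effective configuration the daemon will actually use, including anything pulled in through Include files.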
0

It is always a good idea to change the default port 22 to another one.

Under Linux, edit the file /etc/ssh/sshd_config, change the port number by editing the line Port 22, then save and restart SSH: /etc/init.d/ssh restart

David
  • It is usually more complicated than above. It is "security through obscurity". If you are targeted by an attack, using nmap it is a matter of seconds to find your "safe" "another" port. – Jakuje Jan 30 '16 at 16:15
  • @Jakuje: I'm not saying that changing SSH port is THE solution for maximum safety, just an additional method to avoid basic attacks. – David Jan 30 '16 at 17:24