by NeutronBoy 3196 days ago
> Security through obscurity is not the solution, though

Security is about layers. Nothing is foolproof. It's about implementing layers of controls to reduce your attack surface to an acceptable level, with the trade-off that many controls increase the complexity of your setup or compromise the convenience for your users.

For example, for SSH, this probably includes

* changing the default port

* enforcing SSH key authentication

* enforcing passwords on SSH keys

* implementing fail2ban

* installing jump hosts for internal machines

* implementing a VPN rather than external facing hosts (and with that comes all the additional layers for the VPN)

* etc...


> * enforcing SSH key authentication

That cannot be enforced by the server because the key decryption occurs client-side. An alternative is to use Two Factor Authentication.

I think you mean the server can't enforce ssh key encryption/passphrase protection (next point down)?

And 2 or even 3 factor should maybe be on the list (key+pw, key+totp, key+pw+totp).

For keys, it's in theory possible to ease management by using ssh certificates and a CA - anyone know of a convenient way to manage totp secrets across multiple servers and users?
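The sshd_config side of the layers discussed above (non-default port and enforced key auth from the first post, key+totp and CA-signed certificates from this reply), as an added check that is not part of the thread: a POSIX shell audit of a config text. The keywords are standard OpenSSH sshd_config keywords; the two sample configs and the path /etc/ssh/user_ca.pub are constructed for the example.

```shell
# Added example, not from the thread: audit an sshd_config text for the
# server-side layers the posts mention (non-default port, key-only auth,
# key + second factor, trusting an SSH user CA). fail2ban, jump hosts and VPNs
# live outside sshd_config. Keywords are standard OpenSSH; samples are constructed.

# Effective value of one keyword: sshd uses the FIRST occurrence, keywords are
# case-insensitive, "Key value" and "Key=value" both parse. Match blocks ignored.
sshd_opt() {  # usage: sshd_opt "$config" Keyword default
  printf '%s\n' "$1" | awk -v key="$2" -v def="$3" '
    BEGIN { key = tolower(key) }
    { line = $0; sub(/^[ \t]+/, "", line) }
    line == "" || substr(line, 1, 1) == "#" { next }
    {
      n = match(line, /[ \t=]+/); if (n == 0) next
      k = tolower(substr(line, 1, n - 1))
      v = substr(line, n + RLENGTH); sub(/[ \t]+$/, "", v)
      if (k == key) { print v; found = 1; exit }
    }
    END { if (!found) print def }'
}
# Prints one line per missing layer; prints nothing when all are present.
audit_sshd() {
  cfg=$1
  [ "$(sshd_opt "$cfg" Port 22)" != 22 ] || echo nondefault-port
  [ "$(sshd_opt "$cfg" PasswordAuthentication yes)" = no ] || echo password-auth-disabled
  # AuthenticationMethods: space-separated alternatives, each a comma-joined list
  # that must all succeed. Key auth is enforced only if every alternative
  # includes publickey; a comma in an alternative means a second factor too.
  methods=$(sshd_opt "$cfg" AuthenticationMethods any)
  key_only=1; second_factor=0
  for alt in $methods; do
    case ",$alt," in *,publickey,*) ;; *) key_only=0 ;; esac
    case "$alt" in *,*) second_factor=1 ;; esac
  done
  [ "$key_only" = 1 ] || echo publickey-required
  [ "$second_factor" = 1 ] || echo second-factor
  [ "$(sshd_opt "$cfg" TrustedUserCAKeys none)" != none ] || echo user-ca-trust
}
# Constructed samples: a stock-like file, and the thread's layers as settings.
WEAK_CFG='#Port 22
#PasswordAuthentication yes'
HARD_CFG='Port 2222
PasswordAuthentication no
KbdInteractiveAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
TrustedUserCAKeys /etc/ssh/user_ca.pub'
# The TOTP prompt behind keyboard-interactive is configured in PAM (not shown).
echo "weak config, missing layers:";     audit_sshd "$WEAK_CFG"
echo "hardened config, missing layers:"; audit_sshd "$HARD_CFG"
```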

Yeah, I quoted the wrong line.