Just a quick post about a page I stumbled across and want to keep in my bookmarks. I was talking to some people about securing public-facing SSH servers; beyond the obvious measures:
- Only allow SSH protocol 2
- Disable root logins
- Use key pairs instead of passwords
- Implement fail2ban
While researching how to make internet-exposed SSH boxes more secure, I have recently been implementing MFA (multi-factor authentication): combining something you know (a password, a PIN, …) with something you have (a smartcard, a key fob, a mobile phone, a mobile app, …). In SSH this can be achieved with the following sshd_config block, which forces you to authenticate with your key pair AND, through the keyboard-interactive step, your password.
```
Match User johndoe
    AuthenticationMethods publickey,keyboard-interactive
```
This and more tips came from https://sysconfig.org.uk/two-factor-authentication-with-ssh.html, so check it out.
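As an added example (not from this post or the linked page), here is a small Python checker that reads an sshd_config and reports whether a given user would really be forced through both factors, applying sshd's own precedence rules (first value wins in the global section; the first matching Match block overrides it). It is an offline stand-in for `sshd -T -C user=johndoe` on the real host and, by assumption, only models the `Match User` and `Match all` criteria; the sample config inside is constructed.

```python
"""Offline audit: does this sshd_config force two factors for a user? Mirrors sshd's
rules: keywords are case-insensitive, the first value wins in the global section, and
the first matching Match block overrides it. Only Match User / Match all are modelled."""
import re
from fnmatch import fnmatch
DEFAULTS = {"authenticationmethods": "any", "pubkeyauthentication": "yes",
            "kbdinteractiveauthentication": "yes"}
# Older sshd releases spell the keyboard-interactive switch ChallengeResponseAuthentication.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
def effective_config(text, user):
    """Directives sshd would apply to a login by `user`, with defaults filled in."""
    global_opts, match_opts, in_match, active = {}, {}, False, True
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, value = (re.split(r"[\s=]+", line, maxsplit=1) + [""])[:2]
        key = ALIASES.get(key.lower(), key.lower())
        if key == "match":
            crit = value.split() or ["all"]
            pairs = [] if crit[0].lower() == "all" else list(zip(crit[::2], crit[1::2]))
            active = all(c.lower() == "user" and any(fnmatch(user, p) for p in a.split(","))
                         for c, a in pairs)  # assumption: other criteria never match
            in_match = True
        elif active:  # first obtained value wins, in the global part and across Match blocks
            (match_opts if in_match else global_opts).setdefault(key, value)
    return {**DEFAULTS, **global_opts, **match_opts}

def mfa_findings(text, user):
    """Ways `user` could log in with a single factor; an empty list means MFA is enforced."""
    cfg, findings = effective_config(text, user), []
    if cfg["authenticationmethods"] == "any":
        return ["AuthenticationMethods not set: any one enabled method suffices"]
    for alt in cfg["authenticationmethods"].split():  # alternatives; each a comma-joined chain
        chain = [m.split(":")[0] for m in alt.split(",")]  # drop suffixes such as ':pam'
        if len(set(chain)) < 2:  # publickey,publickey is two keys, not two factors
            findings.append(f"alternative '{alt}' requires only one factor")
        if "publickey" in chain and cfg["pubkeyauthentication"] != "yes":
            findings.append("publickey required but PubkeyAuthentication is off")
        if "keyboard-interactive" in chain and cfg["kbdinteractiveauthentication"] != "yes":
            findings.append("keyboard-interactive required but KbdInteractiveAuthentication is off")
    return findings

SAMPLE = """# constructed sample sshd_config, not taken from any real host
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication yes
Match User johndoe
    AuthenticationMethods publickey,keyboard-interactive
"""
```

A generic `Match User *` block placed above the johndoe block silently wins under these rules and is reported as a single-factor path, which is the kind of ordering mistake worth catching before the box is exposed.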