If you've done the first step, passwordless authentication,
your ssh server is now set up to authenticate users with only keys, no passwords. Great!
The only problem is, you still have those bots banging on the ssh port like no other. Personally,
I get bothered reading through my log files and having to skip a few hundred lines of

Failed password for invalid user bob

all the time.
The easiest way to solve this problem is using hosts.allow and hosts.deny. For such an easy solution, of course, we will need some easy assumptions: you want to log in from one IP address or group of addresses only, and you will know beforehand what those are. Meaning, you don't have a life, you can easily predict where you'll be. That sounds like my life, so that works for me. One more assumption that isn't so easy any more: your sshd has to be built with libwrap (TCP Wrappers) support, or it never reads these files at all. Upstream OpenSSH removed that support in 6.7 (2014) and most distributions have since followed, so check your build before you trust this, and fall back to a firewall rule if it isn't there.
The idea behind the hosts files is simple: if a rule matches in hosts.allow, the client is granted access; if not, hosts.deny is checked, and if a rule matches there, the client is denied; if neither file matches, the client is granted access, no questions asked. That last step is the one to remember: an empty hosts.deny means everyone gets in.
Again, simplicity is the key here. Start with hosts.allow. Edit it in your favorite editor (ed, for
example, never goes out of style). Whatever else is in there, allow yourself access:

sshd: 192.168.

What's this? An incomplete address? Sure thing. A pattern that ends in a dot matches every address that starts with it, so this allows ALL IPs that start with 192.168. (the whole 192.168.0.0/16 block, not just your LAN) to use ssh. Keep the trailing dot: without it, the line is an exact-address match and matches nothing useful.
Now, deny access to everyone else. Edit hosts.deny, and add the following:

sshd: ALL

NOW you're behaving like the hermit you ought to be. No one should be knocking on that door, anyhow.
These changes take effect immediately. You'll find this out as soon as Bill from HR calls and says he
can't get in two seconds after you save hosts.deny. Better add the office's subnet, too. The beauty of
hosts.allow is that you can add as many lines as you'd like. I've had one that looks this good:
sshd: 10.1.1.
sshd: 10.1.2.
sshd: 10.4.1.
sshd: 192.168.
Simple is the key with this. First, hosts.allow is processed. If there's no service/client match there, we proceed to hosts.deny, which says EVERYONE is denied access to sshd. Finally, all of those bots outside your network of trust are locked out. And all of the bots within your network have users. And those users are within LART distance. How sweet it is!
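If you'd rather check a rule set on paper before you save it and wait for Bill's phone call, here is an added example (mine, not part of this post, and not the libwrap code itself) that walks through the same allow-then-deny-then-default-allow order for a daemon name and a client address. It handles the patterns used above (ALL, a trailing-dot prefix, an exact address) plus the net/mask and CIDR forms that hosts_access(5) documents; hostnames, EXCEPT lists and the LOCAL keyword are not handled. The rule files and the addresses in it are constructed for the demonstration (203.0.113.0/24 and 198.51.100.x are documentation ranges, not anyone's network).

```python
# Added example, not from the original post and not libwrap itself:
# a dry-run evaluator for the hosts.allow / hosts.deny decision order.
import ipaddress

# Constructed sample rule sets, modelled on the post's files.
# hosts_access(5) only defines whole-line comments (a line starting with '#'),
# so no trailing comments are used on rule lines.
HOSTS_ALLOW = """\
# office subnets and the home LAN
sshd: 10.1.1.
sshd: 10.1.2.
sshd: 10.4.1.
sshd: 192.168.
sshd: 203.0.113.0/255.255.255.0
"""
HOSTS_DENY = """\
sshd: ALL
"""


def parse_rules(text):
    """Turn file text into (daemon_patterns, client_patterns) pairs.

    A third ':' field (a shell command such as 'spawn ...') is ignored here.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 2)
        if len(fields) < 2:
            continue  # malformed line; libwrap logs and skips these
        daemons = [f.strip() for f in fields[0].split(",") if f.strip()]
        clients = [f.strip() for f in fields[1].split(",") if f.strip()]
        rules.append((daemons, clients))
    return rules


def client_matches(pattern, client_ip):
    """One client pattern against one address string."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        # '192.168.' matches every address that begins with '192.168.'
        return client_ip.startswith(pattern)
    if "/" in pattern:
        # 'net/mask' or CIDR; strict=False tolerates host bits in the net part
        try:
            net = ipaddress.ip_network(pattern, strict=False)
            return ipaddress.ip_address(client_ip) in net
        except ValueError:
            return False
    # anything else is an exact address match (hostnames not handled here)
    return pattern == client_ip


def rules_match(rules, daemon, client_ip):
    """True if any rule names this daemon (or ALL) and matches the client."""
    return any(
        (d == "ALL" or d == daemon)
        and any(client_matches(c, client_ip) for c in clients)
        for daemons, clients in rules
        for d in daemons
    )


def hosts_access(daemon, client_ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Return (granted, reason) using the allow, then deny, then default-allow order."""
    if rules_match(parse_rules(allow_text), daemon, client_ip):
        return True, "matched hosts.allow"
    if rules_match(parse_rules(deny_text), daemon, client_ip):
        return False, "matched hosts.deny"
    return True, "no rule matched, default is allow"


if __name__ == "__main__":
    for daemon, ip in [("sshd", "192.168.7.9"), ("sshd", "10.1.10.5"),
                       ("sshd", "203.0.113.77"), ("sshd", "198.51.100.4"),
                       ("ftpd", "198.51.100.4")]:
        granted, why = hosts_access(daemon, ip)
        print(f"{daemon:5} {ip:15} -> {'ALLOW' if granted else 'DENY':5} ({why})")
```

Two things worth noticing in the output: 10.1.10.5 is denied even though 10.1.1. is allowed, because the trailing-dot form is a plain string prefix, and ftpd from anywhere is allowed, because our hosts.deny only names sshd. On a real box, tcpdmatch (shipped with tcp_wrappers) does the same job against your actual files, e.g. tcpdmatch sshd 198.51.100.4, and ldd /usr/sbin/sshd | grep libwrap (path assumed; adjust for your distribution) tells you whether your sshd will consult the files at all.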
Coming soon... roam where you want, kick out brute forcers with some iptables kludges.