On Fri, 02 Mar 2018 14:09:38 +0100
Richard Glynos <richardmglynos(a)gmail.com> wrote:
> I agree with Keith. I would find it problematic if I couldn't have
> password access to the Xen shell from time to time to resolve
> issues. I also use ipset on my VPS which I find flexible and powerful
> in keeping unwanted callers out. I'm using port 22 on the VPS but
> with key access only.

Something I find useful: libpam-google-authenticator. I seem to remember
you're already using Google Authenticator for other things, Andy, so
it probably wouldn't take much extra work to set up.
I've configured SSH on my VPS (and other Internet facing SSH services)
so that if public key authentication is used, I get straight in, but if
password authentication is used then a Google authenticator challenge is
required too.
That way, the authenticator stays out of the way for most usage, but I can
get in from anywhere using my password, so long as I've got my phone handy.
I don't need to worry about SSH brute force attempts against accounts on
my machines and I just let fail2ban do its thing.
Would that help for access to Xen Shell? It's not a very high extra bar for
people to leap over in emergency cases. Just a thought...
Cheers,
Alun.
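The arrangement Alun describes (a key gets you straight in; a password is only accepted together with a verification code), written out as an added example. This is not from the original mail or from anyone in the thread. It writes Debian-style fragments under a directory you name instead of /etc so it runs without root; the file names beneath that directory (sshd_config.d/50-mfa.conf, pam.d/sshd) and the helper names are my assumptions. It uses OpenSSH 8.7+ directive names (KbdInteractiveAuthentication; older releases spell it ChallengeResponseAuthentication and have no sshd_config.d include, so the lines go straight into sshd_config) and the Debian /etc/pam.d/sshd layout with @include common-auth.

```shell
#!/bin/sh
# Added example (not the poster's files): "public key alone, or
# password + Google Authenticator code" for sshd, plus a check that
# the fragments actually enforce it.

# write_mfa_config DIR
#   Writes the sshd and PAM fragments below DIR (hypothetical layout:
#   DIR/sshd_config.d/50-mfa.conf and DIR/pam.d/sshd; on a real host
#   these are /etc/ssh/sshd_config.d/ and /etc/pam.d/sshd).
write_mfa_config() {
    dir="$1"
    mkdir -p "$dir/sshd_config.d" "$dir/pam.d"

    # sshd side. PasswordAuthentication is deliberately OFF: the
    # password is collected by PAM inside keyboard-interactive, so no
    # method exists where a password by itself is sufficient.
    # AuthenticationMethods lists two alternatives (space separated):
    # a key alone, or the PAM stack alone.
    cat > "$dir/sshd_config.d/50-mfa.conf" <<'EOF'
UsePAM yes
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication yes
AuthenticationMethods publickey keyboard-interactive:pam
EOF

    # PAM side (Debian layout). common-auth checks the Unix password,
    # then pam_google_authenticator demands the current TOTP code.
    # Omit "nullok" so accounts that never ran `google-authenticator`
    # cannot log in by password at all.
    cat > "$dir/pam.d/sshd" <<'EOF'
@include common-auth
auth required pam_google_authenticator.so
EOF
}

# check_mfa_config DIR
#   Returns 0 only if the fragments under DIR still enforce the policy:
#   no bare password path, key-or-PAM alternatives, OTP module present.
check_mfa_config() {
    f="$1/sshd_config.d/50-mfa.conf"
    p="$1/pam.d/sshd"
    grep -qx 'PasswordAuthentication no' "$f" || return 1
    grep -qx 'KbdInteractiveAuthentication yes' "$f" || return 1
    grep -qx 'AuthenticationMethods publickey keyboard-interactive:pam' "$f" || return 1
    grep -q  'pam_google_authenticator.so' "$p" || return 1
    return 0
}

# Stand-alone run: write into a scratch directory and verify.
if [ "${MFA_DEMO:-}" = 1 ]; then
    d=$(mktemp -d)
    write_mfa_config "$d"
    check_mfa_config "$d" && echo "policy enforced under $d"
fi
```

Before relying on this on a real host, enrol each account with the `google-authenticator` command (it writes ~/.google_authenticator), restart sshd, and test a key login and a password login from a second session while the first stays open; a mistake in the PAM stack locks you out of password access, which is exactly the path kept for emergencies.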