Securing the SSH to the main machine? Changing SSH port and adding a certificate

YBEY

Jun 22, 2015
Hey guys.
In our organization we are worried about the open SSH port to the main machine.

We wanted to change the port but were told it might cause many issues.

So I wanted to ask:
1. Can we add a certificate to the SSH so that only specific computers can log into the SSH?
2. Are there any other security measures you take and can recommend?

Thank you!
 
Hello,
You could use the firewall to secure it: go to Datacenter->Firewall and add two rules, the first with the source 0.0.0.0/32 (all IPv4 addresses), which drops everything with the SSH macro, and another rule for your local network (e.g. 192.168.1.0/24), which accepts everything, also with the SSH macro.
So you can't connect to port 22 from outside. You also have to enable the firewall in the Options tab.
That would be a good measure.

EDIT: You could also define an IPSet (with your local net, for example) and set it to nomatch (so it matches everything but that net), then add a rule with DROP and the SSH macro on the IPSet.
The firewall is quite configurable and you have a lot of options/possibilities here.
 
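The two rules described in the reply above, written as they would appear in the cluster-wide firewall file `/etc/pve/firewall/cluster.fw`. This is an added example, not part of the original posts; the IPSet name `trusted` is hypothetical and 192.168.1.0/24 is the reply's own example network.

```ini
# /etc/pve/firewall/cluster.fw  (what Datacenter -> Firewall edits)
# Added example; the set name "trusted" is an assumption.

[OPTIONS]
# Same switch as the Options tab: the rules below do nothing until this is 1.
enable: 1

[IPSET trusted]
# Every network that is allowed to reach SSH goes here.
192.168.1.0/24

[RULES]
# Rules are matched top to bottom and the first match wins,
# so the ACCEPT for the trusted set has to sit above the DROP.
IN SSH(ACCEPT) -source +trusted
# No -source on this rule: it matches SSH from every other address.
IN SSH(DROP)
```

Keep an existing SSH session or the local console open while enabling the firewall, so a mistake in the rule order does not lock out administrative access.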
That is an awesome recommendation! And I will do it.
Will putting the firewall in the datacenter block SSH to ALL the machines except the "accept" rule, or only to the host machine?
Because I would like people to be able to connect from their home to the VMs (not the host).

Regarding my previous question, will Proxmox work if I use an SSH certificate?
 
No, it will apply to all. Datacenter is above Node and Node is above VM level regarding priority. So maybe not that well suited, especially if your users have dynamic IPs. Otherwise you could also add them as accept rules.

Yes, that should work; I don't see a problem here at the moment.
 
