You are concerned about security threats, both from the inside and the outside. You are concerned about brute-force attacks on the root account, and you want to restrict users to prevent mischief, whether accidental or deliberate. What can do you to make sure OpenSSH is as hardened as it can be?
OpenSSH is pretty tight out of the box. There are some refinements you can make; take a look at the following steps and tweak to suit your needs. First, fine-tune /etc/sshd_config with these restrictive directives:
ListenAddress 12.34.56.78 PermitRootLogin no Protocol 2 AllowUsers carla foober@bumble.com lori meflin AllowGroups admins
You may want the SSH daemon to listen on a different port:
Port 2222
Or, you can configure OpenSSH to disallow password logins, and require all users to have identity keys with this line in /etc/sshd_config:
PasswordAuthentication no
Finally, configure iptables to filter traffic, blocking all but authorized bits (see Chapter 3).
Specifying the interfaces that the SSH daemon is to listen to and denying root logins, are basic, obvious precautions.
Protocol 2 means your server
will only allow SSH-2 logins, and will reject SSH-1. SSH-1 is old enough, and has enough weaknesses,
that it really isn't worth the risk of using it. SSH-2 has been around
for several years, so there is no reason to continue using the SSH-1
protocol.
AllowUsers denies logins to
all but the listed users. You may use just the login names, or
restrict them even further by allowing them to log in only from
certain hosts, like foober@bumble.com.
AllowGroups is a quick way to
define allowed users by groups. Any groups not named are denied
access. These are normal local Linux groups in
/etc/group.
If you prefer, you may use DenyHosts and DenyGroups. These work the opposite of the
Allow directives—anyone not listed is allowed to log in. Do not mix
Allow and Deny directives; only use one or the other.
Changing to a nonstandard port will foil some of the SSH attacks that only look for port 22. However, determined portscanners will find out which port your SSH daemon is listening to, so don't count on it as a meaningful security measure—it's just a way to keep your logfiles from filling up too quickly.