Comment 1 for bug 1839598

Seth Arnold (seth-arnold) wrote :

Hello Federico,

Wietse is correct. You will not get security benefits from your proposed changes.

Public key authentication, combined with a 2FA mechanism such as TOTP for interactive users, is the current best practice.

IP filtering is a useful tool; you can already have good benefits from allowing the /16 or /24 or whatever address ranges your contractors are expected to be using. That will drastically reduce the number of compromised hosts on the internet that can contact your server and perform password brute-force authentication attempts.

The single best security improvement you can make is to disable password authentication in openssh-server and require authorized_keys to log in.

We will not make drastic changes to the design and implementation of tcp-wrappers.

Thanks for your interest in making Ubuntu more secure.
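
An added example, not part of the comment above or of any Ubuntu tooling: a shell check that reads the effective settings printed by `sshd -T` and fails unless password authentication is off, public keys are on, and any keyboard-interactive step (such as TOTP through PAM) can only follow a public key. The function name `audit_sshd` and both sample dumps are constructed for illustration.

```shell
#!/bin/sh
# audit_sshd (hypothetical helper): reads `sshd -T` style "key value" lines
# on stdin, prints one FAIL line per problem, returns non-zero if any.
audit_sshd() {
    awk '
    { key = $1; $1 = ""; sub(/^ +/, ""); val[key] = $0 }
    END {
        bad = 0
        if (val["passwordauthentication"] != "no") {
            print "FAIL passwordauthentication must be no"; bad = 1
        }
        if (val["pubkeyauthentication"] != "yes") {
            print "FAIL pubkeyauthentication must be yes"; bad = 1
        }
        # Older releases print challengeresponseauthentication instead.
        kbd = val["kbdinteractiveauthentication"]
        if (kbd == "") kbd = val["challengeresponseauthentication"]
        if (kbd == "yes") {
            # With PAM, keyboard-interactive alone can still accept a
            # password, so every allowed method list must include publickey.
            n = split(val["authenticationmethods"], lists, " ")
            if (n == 0) {
                print "FAIL authenticationmethods is not set"; bad = 1
            }
            for (i = 1; i <= n; i++) {
                if (("," lists[i] ",") !~ /,publickey,/) {
                    print "FAIL method list lacks publickey: " lists[i]
                    bad = 1
                }
            }
        }
        if (!bad) print "OK key-only login enforced"
        exit bad
    }'
}

# Constructed sample: key plus TOTP, passwords disabled.
SAMPLE_HARDENED='passwordauthentication no
pubkeyauthentication yes
kbdinteractiveauthentication yes
authenticationmethods publickey,keyboard-interactive'

# Constructed sample: passwords still accepted.
SAMPLE_WEAK='passwordauthentication yes
pubkeyauthentication yes
kbdinteractiveauthentication yes
authenticationmethods any'

printf '%s\n' "$SAMPLE_HARDENED" | audit_sshd || true
printf '%s\n' "$SAMPLE_WEAK" | audit_sshd || true
```

On a live host, run it as root against the effective configuration with `sshd -T | audit_sshd`.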