Hardening SSH Server

SSH (Secure Shell) is already a secure protocol, but the following tips, which I have personally collected and tested, make it harder for people to get into your SSH server and do nasty things. All of them are changes to your sshd config, which is generally located at /etc/ssh/sshd_config. This is a quick, no-fuss, straight-to-the-point guide I have written on securing SSH; of course there are other, more thorough guides out there (more after the jump).

 

Disable root login

Leaving root login enabled is really asking for trouble; it's like putting a sign in front of your house that reads "Rob Me". Never ever enable root login via SSH. If you need to do something as root, simply use sudo: it is both more secure and easier. Disabling it is easy, simply set

PermitRootLogin no

Restrict SSH logins with user/group access

If you have a bunch of people on your server, you may want to allow only certain users or groups to log in via SSH. Personally, I do not do this on my server, as there are generally only two users, but if you have a large number of users you probably want to. For more information, read about it here (via CyberCiti). There are a few configuration directives that accomplish this, such as AllowUsers.

 

Only allow connections from SSH v2

The original SSH protocol (version 1) is no longer deemed safe, so only allow logins from SSH v2 clients. You can do this by altering your config file to:

Protocol 2

Change Default Port Number

Most port scanners generally scan ports 1-1024; of course there are others which also scan ports like 2222 and other well-known alternative SSH ports. If you use a non-standard SSH port number, you reduce the probability of being picked on by random scans. To do it, simply change the default port number to something else; in this case it is changed to 3999

 

Port 3999

Use Public/Private Key Instead of Password

It's simple: you generate a public/private key pair. The server holds your public key (after all, it is a public key) and you keep the private key. Whenever you log in, instead of typing a password you present the server with your key, the server validates it, and bam, you are in. This stops someone who merely knows your password from getting in. Of course it comes with its own disadvantages: if your client PC (where the private key is stored) becomes compromised, you are pretty much dead. Another downside is that if you have a large number of users, you have to generate a key pair for each one of them and hand it out. To learn more about setting up public/private key authentication instead of passwords, read here.

 

Using Google authenticator (two-factor authentication) 

It's pretty much similar to two-factor authentication with WordPress, which I have discussed earlier. Instead of just entering a password, you also have to enter your "authentication code". It is much like how online banking works in Europe, and in Malaysia it is similar to our PAC number. It makes it impossible for people to get in just by knowing your password; they need the code as well, which adds another layer of security. Some argue that the PAM module itself is not secure; it's up to you whether you want it or not. Personally I use it when I don't have a key installed, so when no key is present my SSH server asks for the password and the authenticator code. You can learn more about how to set it up here.

 

Disable Host-Based authentication & Reject Empty Password

Host-based authentication is simple: if the username on the client matches one on the server, it allows the client to log in without a password. I don't see the point of this; suppose I am logged in as 'poochi' on my MacBook Pro and I have the same user on the server, it simply lets me SSH into my server without a password. Secondly, you should reject users with empty passwords. In fact you should not permit users to have an empty password in the first place.

PermitEmptyPasswords no
HostbasedAuthentication no

 

Disable rhosts

You don't need your SSH server to emulate old protocols. Just disable it:

IgnoreRhosts yes
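The directives from the sections above are easy to check mechanically. The script below is an added example, not code from the original post; it reads a constructed sshd_config, looks up each directive the way sshd does (keywords are case-insensitive, comment lines are skipped, the first occurrence of a keyword wins, and settings under a Match block are conditional rather than global), and reports which ones deviate from the guide. PubkeyAuthentication and PasswordAuthentication are the directives behind the "keys instead of passwords" section, which the post names only in prose; the author's own setup relaxes the password check for Internet logins, so treat that line as advisory. Note also that Protocol only matters on OpenSSH releases old enough to still speak SSH1; newer releases dropped SSH1 entirely and ignore the keyword.

```shell
#!/bin/sh
# Added example: audit an sshd_config against the directives recommended above.
# Not the post's own code; the sample configuration below is constructed.

# Constructed sample sshd_config (not taken from any real server).
SAMPLE_CFG=$(mktemp)
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
# constructed example for the audit below
Port 22
Protocol 2
PermitRootLogin yes
#PermitRootLogin no
PasswordAuthentication yes
PermitEmptyPasswords no
HostbasedAuthentication no
IgnoreRhosts yes
# directives under Match apply only conditionally; the audit stops here
Match Address 192.168.1.0/24
    PermitRootLogin no
EOF

# sshd_get FILE KEYWORD: print the global value of KEYWORD, or nothing if unset.
# Keywords are case-insensitive, '#' lines are comments, and the FIRST
# occurrence of a keyword wins, so stop at the first match and at the first
# "Match" block (whose settings are conditional, not global).
sshd_get() {
    awk -v k="$2" '
        tolower($1) == "match" { exit }
        tolower($1) == tolower(k) && !seen { print $2; seen = 1 }
    ' "$1"
}

# check_one FILE KEYWORD WANTED: print one report line; return 1 when weak.
check_one() {
    got=$(sshd_get "$1" "$2")
    got_lc=$(printf '%s' "$got" | tr 'A-Z' 'a-z')
    if [ "$got_lc" = "$3" ]; then
        printf 'OK    %-24s %s\n' "$2" "$got"
        return 0
    fi
    printf 'WEAK  %-24s %s (want %s)\n' "$2" "${got:-unset}" "$3"
    return 1
}

# check_sshd_config FILE: run every check; the exit status is the number of
# weak settings (0 means the file matches the guide on every point).
check_sshd_config() {
    weak=0
    check_one "$1" PermitRootLogin         no  || weak=$((weak + 1))
    check_one "$1" Protocol                2   || weak=$((weak + 1))
    check_one "$1" PubkeyAuthentication    yes || weak=$((weak + 1))
    check_one "$1" PasswordAuthentication  no  || weak=$((weak + 1))
    check_one "$1" PermitEmptyPasswords    no  || weak=$((weak + 1))
    check_one "$1" HostbasedAuthentication no  || weak=$((weak + 1))
    check_one "$1" IgnoreRhosts            yes || weak=$((weak + 1))
    # Port: anything other than the default 22 counts as OK.
    port=$(sshd_get "$1" Port)
    if [ "${port:-22}" = "22" ]; then
        printf 'WEAK  %-24s %s (want a non-default port)\n' Port "${port:-unset}"
        weak=$((weak + 1))
    else
        printf 'OK    %-24s %s\n' Port "$port"
    fi
    return "$weak"
}

# Stand-alone run over the constructed sample (4 weak settings expected).
check_sshd_config "$SAMPLE_CFG" || printf '%d weak setting(s) found\n' "$?"
```

To audit a real server, point check_sshd_config at /etc/ssh/sshd_config instead of the sample; directives that are absent fall back to sshd's compiled-in default, which the script reports as weak because the guide recommends pinning them explicitly. The lookup deliberately ignores Match blocks and does not follow Include lines, so on a config that uses those, run the checks against the output of sshd -T (which prints the effective settings) rather than the raw file.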

 

My Setup

Basically I allow password-less (key-based) login when the server is accessed from the LAN. Over the Internet, I enable Google's two-factor authentication together with password login. I also use fail2ban, which prevents brute-force attacks, and at the same time I can log in to my server from virtually anywhere. If needed I'll post my ssh config (just ask in the comments).
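As an added illustration of the setup described in this section, and of the AllowUsers/AllowGroups restriction mentioned earlier, here is how the two policies can be expressed in one sshd_config using a Match block. This is not the author's actual config (which was never posted); the LAN range 192.168.1.0/24, the group name sshusers, and the use of the keyboard-interactive/PAM path for the Google Authenticator module (with the PAM side set up as in the guide linked above) are assumptions.

```sshd_config
# Added example, not the post author's own configuration.
# Global settings apply to everyone, including connections from the Internet.
Port 3999
Protocol 2
PermitRootLogin no
PermitEmptyPasswords no
HostbasedAuthentication no
IgnoreRhosts yes

# Only members of this (assumed) group may log in at all.
AllowGroups sshusers

# Internet: no plain password login; the keyboard-interactive path hands the
# login to PAM, where pam_google_authenticator asks for password + code.
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes

# LAN (assumed range): key only, no password or one-time code prompt.
Match Address 192.168.1.0/24
    ChallengeResponseAuthentication no
    PasswordAuthentication no
```

Newer OpenSSH releases spell ChallengeResponseAuthentication as KbdInteractiveAuthentication (the old name is still accepted). Check the result with sshd -T -C addr=192.168.1.10 versus sshd -T -C addr=203.0.113.5 (a documentation address standing in for an Internet client) to confirm that only the LAN case ends up with key-only authentication.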

 

 

Further reading

Oh yes, there are a few more things you need to do to make it much more secure, and they vary from one configuration to another. Here is some recommended reading I would encourage you to check out if you would like to learn more:

http://signalboxes.net/wp-content/uploads/kalins-pdf/singles/hardening-ssh.pdf

http://www.cyberciti.biz/tips/linux-unix-bsd-openssh-server-best-practices.html

https://doc.maflt.org/@api/deki/pages/408/pdf

3 thoughts on “Hardening SSH Server”

  1. Hi Prasys,

    Thanks so much for this concise but helpful guide! Been asking around for tips on how to harden my SSH, and none of my other sources had these many great tips, especially the Google Authenticator! :twisted:

    Anybody know where the irc.osx86.hu Hackintosh channel went? As of the writing of this comment, I tried accessing it, but it came up w/ a bunch of Albanian channels… :?: :sad:

    Thanks,
    Xanthippus

  2. I’d like to see your config and maybe a redacted version of your iptables and fail2ban configuration if possible?

  3. First of all I want to say terrific blog! I had a quick question which I’d like
    to ask if you don’t mind. I was curious to know how you center yourself and clear your head before writing.
    I’ve had a difficult time clearing my mind in getting my ideas out.
    I do take pleasure in writing however it just seems like the
    first 10 to 15 minutes are usually wasted simply just trying to figure out how to
    begin. Any ideas or tips? Kudos!
