SSH

Posted on Sunday March 13, 2016 / by Eric Potvin

SSH can be very helpful when configuring your server, setting up domains or anything else you need to do. It is also one of the first points of entry for hackers. This is why it is very important to secure your SSH.

The basic rules of hardening ssh are:

Generate SSH Keys

Using password authentication might be a risk if your users use weak passwords.

It is recommended to use SSH keys instead. An SSH key can contain over 600 random characters, which makes it very difficult to break.

On your local computer

Generate SSH keys on your local machine:

cd ~/.ssh
ssh-keygen -t rsa

At each prompt, simply press the Enter key. This will output something like (this may vary). This produces two files: id_rsa.pub (public key) and id_rsa (private key).

On your server

Create the folder:

mkdir -p ~/.ssh/

On your local computer

Copy the id_rsa.pub file to your server:

scp -P <yourport> ~/.ssh/id_rsa.pub <username@yourdomain.com>:~/.ssh

On your server

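Change the filename and set up permissions:

cd
# Append the uploaded public key to the list of authorized keys
cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
# Only the owner may access the directory and the key list
chmod 700 .ssh
chmod 600 .ssh/authorized_keys
# The uploaded copy is no longer needed
rm .ssh/id_rsa.pub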

Testing

ssh -p <yourport> <username@yourdomain.com>

If you get an error, you might need to run this command on your server:

ssh-add

Hardening sshd_config

Hardening SSH is an important step in securing your server. Everything you need to update is located in the file /etc/ssh/sshd_config:

sudo vi /etc/ssh/sshd_config

Users security

Limit Users Access

SSH allows any user to log in. Allowing or denying access for specific users can significantly improve your security. It is recommended to specify which users you want to allow on your system.

To allow users, add or modify the following line:

AllowUsers user_abc user_xyz

You can also deny users:

DenyUsers bad_user1 bad_user_2

Disable root Login

It is recommended to deny root login. Most hackers will try to use this user to log in. The root account should never log in to your server. You should always use a user with sudo powers instead.

PermitRootLogin no

Disable Empty Passwords

It is recommended to deny any users with empty passwords on your system.

PermitEmptyPasswords no

Do Not Allow Users to Set Environment Options

To prevent users from being able to present environment options to the SSH daemon and potentially bypass some access restrictions, add or correct the following line:

PermitUserEnvironment no

Hide last login

You can hide who logged in last when a user logs in.

PrintLastLog no

Restrict SSH Access by IP

If you want to allow SSH connections to be accepted from specific IP addresses, you can add the ListenAddress setting:

ListenAddress 1.1.1.1

** WARNING: Using this might disable the SSH login if your IP changes.

Disable Password Authentication

Using password authentication might be a risk if your users use weak passwords.

It is recommended to use SSH keys instead. An SSH key can contain over 600 random characters, which makes it very difficult to break.

See Generate SSH Keys above for how to generate SSH keys.

PasswordAuthentication no

Harden configuration

Only use Protocol 2

Version 1 of the protocol contains security vulnerabilities. Make sure you only use Protocol 2.

Protocol 2

Changing Default port

An effective method is to run SSH on a non-standard port. Any unused port will do, although one above 1024 is preferable. It is recommended not to use 2222, since it is a very common port used by a lot of people.

Port 2345

Disable UseDNS

UseDNS might create latency between the client and the server when trying to establish the connection. You can disable it by using this setting:

UseDNS no

Set Idle Timeout Interval

It is recommended to lower the idle timeout to avoid unattended SSH sessions.

ClientAliveInterval 300
ClientAliveCountMax 0

Disable .rhosts Files

SSH can emulate the behavior of the obsolete rsh command in allowing users to enable insecure access to their accounts via .rhosts. It is recommended to disable this.

IgnoreRhosts yes
RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication yes

Disable Host-Based Authentication

SSH's cryptographic host-based authentication is slightly more secure than .rhosts authentication, since hosts are cryptographically authenticated. However, it is not recommended that hosts unilaterally trust one another, even within an organization.

HostbasedAuthentication no

Set a login grace timeout

The LoginGraceTime specifies how long in seconds after a connection request the server will wait before disconnecting if the user has not successfully logged in. It is recommended to reduce it.

LoginGraceTime 300

Set maximum startup connections

MaxStartups specifies the maximum number of concurrent unauthenticated connections to the SSH daemon. This setting can be helpful against a brute-force script that performs forking.

MaxStartups 2

Disable Forwarding

It is possible to tunnel network connections through an SSH session. This port forwarding technique is used by hackers to log in to systems. This option should be disabled.

AllowTcpForwarding no
X11Forwarding no

Log More Information

By default, OpenSSH logs everything at the INFO level. If you want to record more information like failed login attempts, you can change the value of this to VERBOSE.

LogLevel VERBOSE

Strict Mode

Prevent the use of insecure home directory and key file permissions.

StrictModes yes

Use TCP Wrappers

TCP Wrapper is a host-based networking ACL system, used to filter network access to the Internet. OpenSSH supports TCP wrappers. Just update your /etc/hosts.allow file as follows to allow SSH only from 192.168.1.2 and 172.16.23.12:

sshd : 192.168.1.2 172.16.23.12

More information available at: http://www.cyberciti.biz/faq/tcp-wrappers-hosts-allow-deny-tutorial/
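
An added example (not from the original post): a small Python audit that compares an sshd_config against a subset of the settings recommended above, useful before restarting the daemon. It follows sshd's rule that the first value obtained for a keyword is the one used, and it ignores Match blocks; the names RECOMMENDED, parse_global and audit, and the sample config, are made up for this illustration.

```python
import re

# Subset of the values recommended on this page (keywords lower-cased).
RECOMMENDED = {
    "permitrootlogin": "no",
    "permitemptypasswords": "no",
    "permituserenvironment": "no",
    "passwordauthentication": "no",
    "x11forwarding": "no",
}

# Constructed sample input, not taken from a real host.
SAMPLE = """\
Port 2345
PermitRootLogin no
permitrootlogin yes
PermitEmptyPasswords=no
PasswordAuthentication yes
X11Forwarding "no"
Match User user_xyz
    PasswordAuthentication no
"""

def parse_global(text):
    """Return {keyword: value} for the lines before the first Match block."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and argument are separated by whitespace or a single '='.
        m = re.match(r"(\w+)(?:\s*=\s*|\s+)(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip('"')
        if key == "match":
            break  # Match blocks override settings only for some connections
        settings.setdefault(key, value)  # sshd uses the first value obtained
    return settings

def audit(text):
    """Return (keyword, found, wanted) deviations; found=None means unset."""
    found = parse_global(text)
    return [(k, found.get(k), want) for k, want in RECOMMENDED.items()
            if (found.get(k) or "").lower() != want]

if __name__ == "__main__":
    for key, have, want in audit(SAMPLE):
        print(f"{key}: found {have!r}, page recommends {want!r}")
```

In the sample, the second permitrootlogin line is ignored because the first value is the one used, while the global PasswordAuthentication yes is reported even though a Match block turns it off for one user.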

Restart SSH server

sudo service ssh restart

IMPORTANT: DO NOT log out of the current session. Make sure you can connect first using another shell window. If you can't log in, then revisit the steps above and make sure everything is correct.

IMPORTANT: If you change your SSH port, make sure you add the rule in iptables.