SSH
SSH is what you use to configure your server, set up domains or do anything else on it. It is also one of the first points of entry attackers probe, so it is very important to secure your ssh.
The basic rules of hardening ssh are:
- No password authentication for ssh access (use key pairs)
- Don't allow root to ssh in (the appropriate users should ssh in, then su or sudo)
- Use sudo for privileged commands so they are logged
- Log unauthorised login attempts (and consider software that bans IPs that fail to log in too many times, like fail2ban)
- Lock down ssh to only the IP ranges you actually need (where practical)
Generate SSH Keys
Password authentication is a risk if any of your users picks a weak password. It is recommended to use ssh keys instead. A key is a long random value (2048 bits or more for RSA) that cannot be guessed or brute-forced the way a password can, and the private half never leaves your computer.
On your local computer
Generate the key pair on your local machine (never on the server, so the private key never leaves your computer):
ssh-keygen -t rsa -b 4096
Press Enter to accept the default file location. You will then be asked for a passphrase: set one, so that a stolen private key cannot be used directly (ssh-agent can remember it for your session). This produces two files in ~/.ssh: id_rsa.pub (public key, safe to share) and id_rsa (private key, keep it secret).
On your server
Create the folder:
mkdir -p ~/.ssh/
On your local computer
Copy the id_rsa.pub file to your server:
scp -P <yourport> ~/.ssh/id_rsa.pub <username@yourdomain.com>:~/.ssh
(If your client ships ssh-copy-id, ssh-copy-id -p <yourport> -i ~/.ssh/id_rsa.pub <username@yourdomain.com> does the copy and the server-side steps below in one go.)
On your server
Append the key to authorized_keys and set the permissions sshd expects (with StrictModes, sshd refuses keys that sit in a group- or world-writable directory):
cd
cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
chmod 700 .ssh
chmod 600 .ssh/authorized_keys
rm .ssh/id_rsa.pub
Testing
ssh -p <yourport> <username@yourdomain.com>
(ssh takes the port as a lowercase -p; the uppercase -P belongs to scp.) You should get in without being asked for the account password, only for the key passphrase if you set one. If the key is not offered, load it into your agent on your local computer, not on the server:
ssh-add
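The server-side steps above, collected into a shell function as an added example (this is not code from the original page). It does what the manual steps do, but also checks that the file really holds an OpenSSH public key, skips keys that are already present, and creates the directory and file owner-only from the start rather than fixing permissions afterwards. It assumes a Linux host with GNU coreutils; the paths in the usage comment are placeholders.

```bash
#!/usr/bin/env bash
# Install a public key into a user's authorized_keys the way the manual steps
# above do, but idempotently and with the permissions StrictModes requires.
# Added example, not from the original page. Assumes GNU coreutils (Linux).
# Usage, on the server, as root or as the target user:
#   install_authorized_key /tmp/alice.pub /home/alice   # placeholder paths
#   install_authorized_key ~/.ssh/id_rsa.pub             # defaults to $HOME

# Accept only a single OpenSSH public-key line: "<type> <base64> [comment]".
is_openssh_pubkey() {
    printf '%s\n' "$1" | grep -Eq \
        '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'
}

# Returns 0 if the key was added, 2 if it was already present, 1 if the file
# does not hold a valid public key.
install_authorized_key() {
    local pubfile="$1" home="${2:-$HOME}" key keydata auth
    auth="$home/.ssh/authorized_keys"
    key=$(head -n 1 "$pubfile") || return 1
    if ! is_openssh_pubkey "$key"; then
        printf 'refusing %s: not an OpenSSH public key\n' "$pubfile" >&2
        return 1
    fi
    # Compare type + key material only, so that the same key with a different
    # comment does not produce a duplicate line.
    keydata=$(printf '%s\n' "$key" | awk '{ print $1 " " $2 }')

    # umask 077 in a subshell: everything is created owner-only from the
    # start, never briefly world-readable; the chmods then fix existing files.
    (umask 077 && mkdir -p "$home/.ssh" && touch "$auth")
    chmod 700 "$home/.ssh"
    chmod 600 "$auth"

    if grep -qF -- "$keydata" "$auth"; then
        return 2
    fi
    printf '%s\n' "$key" >> "$auth"
}
```

The return codes let a provisioning script tell "already installed" apart from "added" and "rejected", which a bare `cat >> authorized_keys` cannot.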
hardening sshd_config
Hardening SSH is an important step in securing your server. Everything you need to update is located in the file /etc/ssh/sshd_config:
sudo vi /etc/ssh/sshd_config
Users security
Limit Users Access
By default sshd lets any account with a valid shell log in. Allowing or denying access for specific users significantly reduces your exposure; it is recommended to list explicitly which users may log in.
To allow users, add or modify the following line:
AllowUsers user_abc user_xyz
You can also deny users (note the keyword is plural):
DenyUsers bad_user1 bad_user2
sshd evaluates DenyUsers first, then AllowUsers: once an AllowUsers line exists, any user not on it is refused even if no DenyUsers line mentions them. An entry may also take the form user@host to tie an account to a source address (see Allow specific users below).
Disable root Login
It is recommended to deny direct root login. root exists on every Linux system, so it is the first account brute-force tools try. Log in as a normal user with sudo rights instead. Recent OpenSSH defaults to prohibit-password, which still lets root in with a key; set no to block it entirely.
PermitRootLogin no
Disable Empty Passwords
It is recommended to deny login to any account that has an empty password.
PermitEmptyPasswords no
Do Not Allow Users to Set Environment Options
To prevent users from passing environment variables to their sessions via ~/.ssh/environment or environment= options in authorized_keys (which, for example through LD_PRELOAD, can be used to bypass ForceCommand and similar restrictions), add or correct the following line:
PermitUserEnvironment no
Hide last login
You can hide the "Last login" line, which tells whoever logs in when and from where the account was last used:
PrintLastLog no
Login attempts
Set a maximum number of authentication attempts per connection and a short login grace time (in seconds) to slow brute forcing and limit certain denial-of-service attacks. Note that MaxAuthTries counts every key the client offers as well as each password typed, so a client with many keys loaded in its agent can hit the limit before it gets to the right one:
MaxAuthTries 3
LoginGraceTime 20
Forwarding
Disable the miscellaneous tunnelling and forwarding options unless your users need them (see Disable Forwarding below for why):
AllowAgentForwarding no
AllowTcpForwarding no
PermitTunnel no
Restrict SSH Access by IP
ListenAddress does not filter clients: it tells sshd which of the server's own addresses (and optionally which port) to listen on. Use it when the server has several interfaces and only one of them, for example the internal one, should accept ssh:
ListenAddress 192.0.2.10
WARNING: if that address changes (a re-addressed interface, a new VPN address), sshd fails to bind and you are locked out. To restrict which client addresses may connect, use your firewall, AllowUsers user@address, or a Match Address block in sshd_config instead.
Disable Password Authentication
Password authentication is a risk if any user picks a weak password. Once key-based login works for every account that needs it (see Generate SSH Keys above), turn passwords off entirely, together with the other interactive authentication methods:
ChallengeResponseAuthentication no
PasswordAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no
PubkeyAuthentication yes
On OpenSSH 8.7 and newer ChallengeResponseAuthentication is only an alias for KbdInteractiveAuthentication; set that one to no as well.
Harden configuration
Only use Protocol 2
Version 1 of the protocol has known weaknesses and must not be used. OpenSSH 7.4 and later no longer support protocol 1 on the server side at all and ignore this keyword; on older versions set it explicitly.
Protocol 2
Changing Default port
Running ssh on a non-standard port cuts down the noise from bots hammering port 22, but it is obscurity, not security: a port scan finds it in seconds, so it never replaces the other measures here. Any unused port will do. Ports below 1024 can only be bound by root, so if sshd stops an unprivileged local process cannot take the port and impersonate it; ports above 1024 avoid clashing with other privileged services. Whichever you choose, do not use 2222: it is so commonly used as the "alternative" ssh port that scanners probe it as a matter of course.
Port 2345
Disable UseDNS
With UseDNS yes, sshd reverse-resolves every client address and checks that the name resolves back to it, which is only used for logging and for hostname patterns in AllowUsers and in from= options. When the client has no PTR record or DNS is slow, this adds a long delay before the login prompt; since it provides no real protection, disable it:
UseDNS no
Set Idle Timeout Interval
Drop sessions whose client has gone away. ClientAliveInterval is how many seconds of silence pass before sshd sends a keepalive, and ClientAliveCountMax is how many unanswered keepalives it tolerates before disconnecting, so the values below close a dead connection after about ten minutes:
ClientAliveInterval 300
ClientAliveCountMax 2
Do not set ClientAliveCountMax to 0: on OpenSSH 8.2 and later that disables the disconnect rather than making it immediate. Note also that a running ssh client answers these probes even when the user has walked away, so this does not log out idle people; use a shell timeout (TMOUT in bash) for that.
Disable .rhosts Files
SSH can emulate the behaviour of the obsolete rsh command by letting users grant access to their accounts via .rhosts files. It is recommended to disable this:
IgnoreRhosts yes
RhostsAuthentication, RhostsRSAAuthentication and RSAAuthentication only applied to protocol version 1; a modern sshd ignores them with a "deprecated option" warning, so leave them out.
Disable Host-Based Authentication
SSH's cryptographic host-based authentication is slightly more secure than .rhosts authentication, since hosts are cryptographically authenticated. However, it is not recommended that hosts unilaterally trust one another, even within an organization.
HostbasedAuthentication no
Set a login grace timeout
LoginGraceTime specifies how long, in seconds, the server waits after a connection is made for the user to authenticate before it disconnects. The default is 120; a key-based login takes a few seconds, so reduce it to shrink the window during which an attacker can hold an unauthenticated slot open:
LoginGraceTime 20
Set maximum startup connections
Specifies the maximum number of concurrent unauthenticated connections to the SSH daemon, which limits what a forking brute-force script can do. Prefer the three-number form start:rate:full over a bare number such as 2, which lets two half-open connections lock every legitimate user out. With the values below, once 10 unauthenticated connections are pending sshd refuses 30% of new ones, rising linearly to 100% at 60:
MaxStartups 10:30:60
Disable Forwarding
It is possible to tunnel arbitrary TCP connections (and X11 displays) through an SSH session. An attacker who obtains any valid account can use this to pivot from your server into the networks behind it, or to bounce traffic through it. Unless your users need tunnels, disable it:
AllowTcpForwarding no
X11Forwarding no
Note that a user with shell access can still run a forwarder of their own, so these options only help when combined with a restricted shell or ForceCommand.
Log More Information
By default, OpenSSH logs at the INFO level, which already records failed and successful logins. VERBOSE additionally records the fingerprint of every key a client offers, accepted or not, which tells you afterwards which key (and so which person) used a shared account and what an attacker tried:
LogLevel VERBOSE
Strict Mode
Refuse logins when a user's home directory, .ssh directory or key files are writable by others, since that would let another local user plant a key:
StrictModes yes
Use TCP Wrappers
TCP Wrappers is a host-based network ACL system controlled by /etc/hosts.allow and /etc/hosts.deny. OpenSSH dropped its libwrap support in version 6.7, so on a current distribution sshd does not read these files at all; prefer a firewall rule on the ssh port or a Match Address block in sshd_config. On an older sshd built with libwrap, allow SSH only from 192.168.1.2 and 172.16.23.12 like this:
sshd : 192.168.1.2 172.16.23.12
More information available at: http://www.cyberciti.biz/faq/tcp-wrappers-hosts-allow-deny-tutorial/
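Before restarting, it helps to check the file against the settings from the sections above mechanically. The following script is an added example, not code from the original page: it reads an sshd_config the way sshd does (comments stripped, Keyword=value accepted, the first occurrence of a keyword wins, and anything after the first Match line ignored because it only applies conditionally) and reports every baseline directive that is missing or wrong. The baseline list and the check names are this example's own choices; it assumes a POSIX awk.

```bash
#!/usr/bin/env bash
# Audit an sshd_config against the baseline from the sections above.
# Added example, not from the original page. Assumes POSIX awk and the
# standard "Keyword value" / "Keyword=value" sshd_config syntax.
# Usage: ./audit_sshd.sh /etc/ssh/sshd_config

# Expected global settings (this example's baseline); values are compared
# case-insensitively.
SSHD_BASELINE='
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
PermitUserEnvironment no
HostbasedAuthentication no
IgnoreRhosts yes
X11Forwarding no
AllowTcpForwarding no
AllowAgentForwarding no
PermitTunnel no
StrictModes yes
LogLevel verbose
'

# Print the effective global value of one keyword (lower-cased) and return 0,
# or return 1 if it is not set. Two sshd parsing rules matter here:
#  - sshd keeps the FIRST occurrence of a keyword and ignores later ones;
#  - anything after the first "Match" line applies only to matching
#    connections, so the global scan stops there.
sshd_effective_value() {
    awk -v want="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        { sub(/#.*/, ""); gsub(/=/, " ") }      # drop comments, allow Key=Value
        NF == 0 { next }
        tolower($1) == "match" { exit }         # end of the global section
        tolower($1) == want {
            $1 = ""; sub(/^[ \t]+/, "")
            print tolower($0); found = 1; exit
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Compare one file with the baseline. Prints a line per finding and returns
# the number of findings, so 0 means every baseline directive is set correctly.
audit_sshd_config() {
    local file="$1" findings=0 key expected actual
    while read -r key expected; do
        [ -n "$key" ] || continue
        if actual=$(sshd_effective_value "$file" "$key"); then
            if [ "$actual" != "$expected" ]; then
                printf 'FAIL %-28s is "%s", expected "%s"\n' "$key" "$actual" "$expected"
                findings=$((findings + 1))
            fi
        else
            printf 'WARN %-28s not set, default applies; expected "%s"\n' "$key" "$expected"
            findings=$((findings + 1))
        fi
    done <<EOF
$SSHD_BASELINE
EOF
    return "$findings"
}

if [ "$#" -ge 1 ]; then
    audit_sshd_config "$1"
fi
```

A directive that is merely commented out counts as a finding, because sshd then silently falls back to its compiled-in default (PasswordAuthentication yes, for instance). Running the script against the file before `sshd -t` catches the typical mistake of setting an option twice, or setting it inside a Match block, and wondering why it has no effect.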
Restart SSH server
sudo service ssh restart
(The service is called ssh on Debian and Ubuntu and sshd on RHEL, CentOS and Fedora.)
IMPORTANT: do NOT log out of your current session. Open a second terminal and make sure you can still connect. If you can't log in, go back through the steps above from the session that is still open and check every line. IMPORTANT: if you change your ssh port, add the matching rule to iptables (or whatever firewall you use) before you restart sshd.
Allow specific users
Limit who can access the server with the AllowUsers directive. Each entry is either a user name or user@host, where host is an IP address, a hostname or a pattern using * and ?.
Here are some examples:
Restrict by IP address (any user, but only from 1.2.3.4):
AllowUsers *@1.2.3.4
Allow specific users, each from a specific address:
AllowUsers john@1.2.3.4 jane@1.2.3.5
test your new configuration
Before logout, make sure your ssh configuration works.
To test, simply run:
sudo sshd -t
If the configuration is valid this prints nothing; otherwise it names the line with the error, which you want to see before you reload rather than after. Use sshd -T instead to dump the effective value of every directive, defaults included, and confirm the settings above actually took effect.
Reload
Make sure to reload your configuration so the running daemon picks it up (use service ssh reload on Debian and Ubuntu). A reload only re-reads the config; existing sessions stay connected:
sudo service sshd reload