Securing Secure Shell (SSH)

Expertise level: Medium

Secure Shell (SSH) is one of the most useful ways to connect remotely to a Linux server. With an SSH connection, you can administer your server remotely using the full power and flexibility of the command line interface. As a result, however, SSH can be vulnerable to attack by malicious individuals. While the SSH protocol is fairly secure by default, it is always possible to improve the security of your SSH configuration.

iWeb recommends having a KVM/IP switch attached to your server before modifying your SSH configuration file. KVM/IPs can be ordered with 24 hours notice, free of charge.

To modify your SSH configuration, you will need to edit it as root, whether by using "su" or "sudo". Simply edit the following file, using your chosen editor:

/etc/ssh/sshd_config

Please note that iWeb does not provide security services; these recommendations are considered as 'best practices' within the IT industry as a general whole, but cannot and will not be considered as providing 100% security.

In these commands, the '#' symbol is used to comment out the default value. In other words, putting the hash mark ('#') at the beginning of the line means the line will be ignored. Simply add the new line, here displayed in bold, directly below the original line.

Change the default port

By default, SSH uses port 22, but it is possible to change the port number. This will make it more difficult to attack your server using SSH, as an attacker would first need to locate and identify the port. You can choose any number higher than 1024 and lower than 65535. (Ports 1 through 1024 are reserved, and 65535 is the highest possible port number.) Please change the following lines:

#Port 22
Port 5555

Replace '5555' with your own port number. This information should be made available only to your system administrator and iWeb technical support.

Enforce the newer, more secure Version 2 SSH protocol

There are two versions of the SSH protocol. Version 2 is the newer one, and it has been greatly enhanced to improve security.

#Protocol 2,1
Protocol 2

By selecting only protocol 2, you will only be able to connect using the newer, more secure protocol.

Restrict access to specific users

Restricting access to a small list of users makes it much more difficult for hackers to connect, as they must first discover usernames before attempting to connect, rather than attempting a list of common user names.

AllowUsers alice bob charlie

In this case, the users named alice, bob, and charlie are the only ones who will be able to connect. Simply replace them with your own user names. Note that Linux is case sensitive, so in this case, alice and Alice would be considered two different user names.

We strongly recommend adding 'sshadmin' and 'techiweb', while not adding 'root'.

Disable direct access by root

As long as you can use "sudo" or "su", there is no need for direct access by the 'root' user. Disabling direct access as root will make it harder for malicious individuals to log in as an administrator.

#PermitRootLogin yes
PermitRootLogin no

By restricting access and explicitly disallowing root, it is only possible to administer your server by first logging in from another user, and then assuming administrator rights. This ensures that malicious individuals must compromise two different accounts before being able to attack your server.

Reduce login time

By default, ssh will allow a user to open a connection and hold it open for 2 minutes without logging in successfully. This is a very long time, and can allow an attacker the opportunity to run a large number of 'brute force' attacks against your server. A maximum of 30 seconds is more than enough for legitimate users to log in.

#LoginGraceTime 2m
LoginGraceTime 30

After 30 seconds without a successful login, your server will automatically close the connection.

Save and reload ssh

Before any of these settings can be applied, be sure to save the changes, and then restart the ssh service. You can restart ssh by running the following command:

/etc/init.d/sshd restart

After restarting ssh, it is strongly recommended that you attempt to open a second concurrent connection before disconnecting. This will allow you to test if the new connection is successful, and to reverse any changes if necessary.

Other security configurations

These changes are not made to the SSH configuration file, but can significantly improve the security of your SSH installation.

Enforce strong passwords using PAM

PAM, or the Pluggable authentication module, has tools to enforce strong passwords. A strong password is one that cannot be easily guessed, and which contains a mix of letters and numbers.

In Debian or Ubuntu, open the following file in your chosen editor:

/etc/pam.d/common-password

 In CentOS, Fedora, or other RedHat-based distributions, open this file:

/etc/pam.d/system-auth

In the file you have opened, add this line:

password requisite pam_cracklib.so retry=3 minlen=10 difok=3 dcredit=-1 ucredit=-1 lcredit=-1

After enabling these changes, users will be given three options to attempt to log in successfully, after which they will be disconnected or returned to their normal shell prompt. In addition, passwords will have a minimum length of 10 characters. Passwords must also have three characters' difference from the previous password, and must have one digit, one upper case character, and one lower case.

You can change these settings at any time, for example, to require 12 instead of 10 characters, or to enforce a different minimum number of digits.

Have more questions? Submit a request

0 Comments

Article is closed for comments.
Powered by Zendesk