Introduction

Secure Shell (SSH) is a protocol that provides encrypted communication over a network. It is most widely used by Linux system administrators for remote server management, and it can also be used to transfer files over a network. Because it is the usual way into a server, SSH security is very important.

Requirements

A server running Ubuntu 14.04
A desktop machine running Linux (suggested)

Installing SSH

To install the SSH server on your server, run the following command:

sudo apt-get install openssh-server

To install the SSH client on your desktop, run the following command:

sudo apt-get install openssh-client

Configure SSH To Log In With SSH Keys Instead Of A Password

Using passwords for SSH authentication is insecure: if one of your users sets a weak password, your server can be compromised. To avoid this, use an SSH key pair for authentication instead of a password.

Generate SSH Keys

To generate SSH keys on your client machine, run the following commands:

mkdir -p ~/.ssh
cd ~/.ssh
ssh-keygen -t rsa

Simply press the enter key at every question. This will produce two files: id_rsa.pub (the public key) and id_rsa (the private key). Note that pressing enter at the passphrase prompt leaves the private key file unencrypted, so anyone who copies that file can use it; a passphrase protects against that, and ssh-agent saves you from retyping it.

This will output something like the following screenshot.

[Image: ssh-keygen output]

Create An SSH Folder

On your server, create the folder for SSH with the command:

mkdir -p ~/.ssh/

Copy The Public Key File To Your Server

On your desktop, copy the id_rsa.pub file to your server using the following command:

scp -P "ssh-port" ~/.ssh/id_rsa.pub username@server-ip-address:~/.ssh

Update The Public Key File

On the server, append the key to the authorized_keys file and fix the permissions:

cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
rm ~/.ssh/id_rsa.pub

Now you can log into your SSH server without a password.
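The three server-side steps above (create the directory, append the key, fix the modes) are easy to get wrong in small ways: running them twice duplicates the key, and sshd's StrictModes setting (on by default) silently refuses key logins if ~/.ssh or authorized_keys is group- or world-writable. The following script is an added example, not part of the original article. It performs the same installation idempotently on a directory you pass in, checks that the file really is a public key, and demonstrates the result on a temporary directory using a constructed (fake) key; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original article: install a public key into
# authorized_keys idempotently and with the modes sshd's StrictModes expects.

# install_pubkey <ssh-dir> <public-key-file>
install_pubkey() {
    ssh_dir="$1"
    pubkey_file="$2"
    auth="$ssh_dir/authorized_keys"

    # An OpenSSH public key is one "type base64 [comment]" line; refuse anything else
    key_line=$(head -n 1 "$pubkey_file")
    case "$key_line" in
        "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-"*) ;;
        *) echo "install_pubkey: $pubkey_file does not look like an OpenSSH public key" >&2
           return 1 ;;
    esac

    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"           # directory: owner only
    touch "$auth"
    chmod 600 "$auth"              # key file: owner read/write only

    # Compare only the type and key material, so a key that was already added
    # with a different comment still counts as a duplicate
    key_id=$(printf '%s\n' "$key_line" | awk '{print $1, $2}')
    if ! awk '{print $1, $2}' "$auth" | grep -qxF "$key_id"; then
        printf '%s\n' "$key_line" >> "$auth"
    fi
}

# key_count <ssh-dir>: number of keys currently in authorized_keys
key_count() {
    grep -c '^[a-z]' "$1/authorized_keys"
}

# Demo on a temporary directory with a constructed (fake) public key
demo_dir=$(mktemp -d)
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEXAMPLEKEYMATERIAL user@desktop\n' > "$demo_dir/id_rsa.pub"
install_pubkey "$demo_dir/.ssh" "$demo_dir/id_rsa.pub"
install_pubkey "$demo_dir/.ssh" "$demo_dir/id_rsa.pub"   # second run: no duplicate
echo "keys authorized: $(key_count "$demo_dir/.ssh")"      # 1
ls -ld "$demo_dir/.ssh" | cut -c1-10                        # drwx------
ls -l "$demo_dir/.ssh/authorized_keys" | cut -c1-10         # -rw-------
rm -rf "$demo_dir"
```

On a real server you would call it as `install_pubkey ~/.ssh ~/.ssh/id_rsa.pub` after the scp step; if a key login still fails afterwards, the sshd log (LogLevel VERBOSE, covered later) names the exact file whose modes StrictModes rejected.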

Run the following command from your desktop to test it.

ssh -p "ssh-port" username@server-ip-address

Secure The SSH Configuration File

You can change the default security options by editing /etc/ssh/sshd_config.

sudo nano /etc/ssh/sshd_config

Here are some suggestions for default settings that you may want to change.

Once you have made your changes, be sure to save and exit the sshd_config file and restart the SSH server with:

sudo service ssh restart
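One thing to know before editing this file: sshd uses the first value it reads for each keyword and ignores later duplicates, keywords are case-insensitive, and anything after a Match line applies only to that block. So a hardening line appended at the bottom of the stock file is silently overridden by the default that already appears higher up. The following script is an added example, not part of the original article; it reports the value sshd will actually use for each of the directives recommended in the sections that follow, and demonstrates the trap on a constructed sample file. The function names are hypothetical, and the "Keyword=value" spelling sshd also accepts is not handled.

```shell
#!/bin/sh
# Added example, not from the original article: report the effective value
# of each hardening directive in an sshd_config, honouring "first value wins".

# effective_value <config-file> <keyword>: first global value, or "(default)"
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blank lines
        tolower($1) == "match" { exit }                 # stop at the first Match block
        tolower($1) == key {
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "")   # drop the keyword
            sub(/[[:space:]]+$/, "")                            # and trailing blanks
            print; found = 1; exit
        }
        END { if (!found) print "(default)" }' "$1"
}

# audit_sshd_config <config-file>: one OK/CHECK/UNSET line per directive against
# the values recommended in this article; returns 1 if anything needs attention
audit_sshd_config() {
    cfg="$1"; rc=0
    while read -r key want; do
        got=$(effective_value "$cfg" "$key")
        if [ "$got" = "$want" ]; then
            printf 'OK     %-24s %s\n' "$key" "$got"
        elif [ "$got" = "(default)" ]; then
            printf 'UNSET  %-24s compiled-in default applies; want "%s"\n' "$key" "$want"
            rc=1
        else
            printf 'CHECK  %-24s got "%s", want "%s"\n' "$key" "$got" "$want"
            rc=1
        fi
    done <<EOF
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
IgnoreRhosts yes
HostbasedAuthentication no
X11Forwarding no
AllowTcpForwarding no
LogLevel VERBOSE
MaxStartups 2
LoginGraceTime 60
ClientAliveInterval 300
ClientAliveCountMax 0
EOF
    return $rc
}

# Demo on a constructed sample file (not a real server's config): the two
# hardening lines appended at the bottom are ignored because the same
# keywords already appear above them
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 22
Protocol 2
PermitRootLogin without-password
PasswordAuthentication yes
X11Forwarding yes
LogLevel INFO
PasswordAuthentication no
permitrootlogin no
AllowTcpForwarding no
MaxStartups 2
Match User backup
    PasswordAuthentication yes
EOF
audit_sshd_config "$sample" || echo "some recommended settings are not in effect"
rm -f "$sample"
```

Run it as `audit_sshd_config /etc/ssh/sshd_config` after editing, then `sudo sshd -t` to catch syntax errors before restarting (sshd refuses to start on an unknown keyword, such as the singular "DenyUser"), and keep your current session open until a fresh login with the new settings succeeds.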

Change The Default SSH Port

By default, most servers listen for SSH connections on port 22. Attackers can use a port scanner to find out whether an SSH service is running, so it is recommended to change the default port. Keep in mind that this only cuts the noise from bots that probe port 22; a scan of all ports will still find the service, so treat it as a convenience rather than a security control.

To change default port from 22 to 8908, change the following line:

Port 8908

Use SSH2

SSH protocol 1 (SSH1) contains many security vulnerabilities. Using protocol 2 (SSH2) instead is strongly recommended.

By default, SSH2 should already be set. If not, change the Protocol line to use SSH2.

Protocol 2

Use A Whitelist And A Blacklist To Limit User Access

Using a whitelist to allow specific users SSH access, and a blacklist to disallow other users, improves your SSH security.

To allow validuser1 and validuser2, add the following line:

AllowUsers validuser1 validuser2

To deny baduser1 and baduser2, add the following line:

DenyUsers baduser1 baduser2

(Note the plural in DenyUsers, matching AllowUsers; sshd will not start if it meets a misspelled keyword.)

Disable Root Login

A common attack is to attempt to log into a server as root over SSH. Since this is a big security risk, disable root SSH login by changing PermitRootLogin from without-password to:

PermitRootLogin no

Hide Last Login

You can hide the last-login information shown to users at login by editing the following line.

PrintLastLog no

Restrict SSH Logins To Specific IP Addresses

By default SSH will accept connections from any external IP address. If you want to restrict SSH to only allow a connection from a specific IP address, you can add a ListenAddress line. Note that ListenAddress selects the local interface address sshd binds to; it does not filter the client's source address. To restrict which client addresses may connect, use the TCP wrapper or iptables rules described later in this article, or host patterns in AllowUsers (for example AllowUsers validuser1@192.168.1.2).

For example, if you want to only accept SSH connections from IP address 192.168.1.2 you would add the line:

ListenAddress 192.168.1.2

Disable Password Authentication

Password authentication in SSH is a big security risk if your user sets a weak password. See the section above for instructions on how to set up SSH key authentication, and confirm that your key login works before disabling passwords, or you will lock yourself out.

To disable password authentication change the PasswordAuthentication line to read:

PasswordAuthentication no

Disable .Rhosts

By default SSH doesn't allow rhosts. The .rhosts files specify which users can access the r-commands (such as rcp and rsh) on the local system without a password.

To disable rhosts:

IgnoreRhosts yes
RhostsAuthentication no
RSAAuthentication yes

Disable Host-Based Authentication

SSH's host-based authentication is more secure than rhosts authentication. However, trusted hosts are still considered a security risk.

By default the HostbasedAuthentication option is disabled; if not, change the following line:

HostbasedAuthentication no

Set A Login Grace Timeout

LoginGraceTime specifies how long after a connection is opened the SSH server waits for authentication to complete before disconnecting. The recommended value for the login grace timeout is 60 seconds.

You can change this value by editing the following line:

LoginGraceTime 60

Set Maximum Startup Connections

Limiting the maximum number of concurrent unauthenticated connections to the SSH daemon can help protect your SSH server from a brute-force attack.

You can set this value by editing the following line to the number of concurrent connections you want to allow. For this example, we have chosen 2:

MaxStartups 2

Disable Forwarding

Attackers can use port forwarding to tunnel network connections through an SSH session and reach other systems.

To disable this, change the following lines:

AllowTcpForwarding no
X11Forwarding no

Log More Information

By default, SSH logs at the INFO level. If you want to log more information, such as failed login attempts and the key used for each successful login, change the value from INFO to VERBOSE.

To do this, change the following line:

LogLevel VERBOSE

Disable Empty Passwords

You will want to deny login to users with an empty (blank) password.

By default this option is disabled; if not, change the following line:

PermitEmptyPasswords no

Set Idle Timeout Interval

SSH allows you to set an idle timeout interval. After this interval has passed without activity, the idle user is automatically logged out.

You can set the number of seconds by adding the following lines:

ClientAliveInterval 300
ClientAliveCountMax 0

Restart SSH For The Changes To Take Effect

Once you have finished editing the /etc/ssh/sshd_config file, save and exit the file, then restart the SSH server:

sudo service ssh restart

Secure SSH Using TCP Wrappers

TCP wrappers provide host-based access control for network services and can be used to filter which hosts may reach sshd.

You can allow SSH only from the IP addresses 192.168.1.100 and 172.16.20.10 by editing the /etc/hosts.allow file.

sudo nano /etc/hosts.allow

Add the following line:

sshd : 192.168.1.100 172.16.20.10

An entry in hosts.allow only restricts access when everything else is denied in /etc/hosts.deny, so also add the line "sshd : ALL" there. hosts.allow is consulted first, so the two listed addresses still get through.

Secure SSH Using Iptables

You can restrict SSH connections to authorized IP addresses only.

To allow SSH connections only from 192.168.1.200 run the following command:

sudo iptables -A INPUT -p tcp -m state --state NEW --source 192.168.1.200 --dport 8908 -j ACCEPT

To drop SSH connections from all other hosts, run the following command. The ACCEPT rule must come before this DROP rule, because iptables stops at the first matching rule:

sudo iptables -A INPUT -p tcp --dport 8908 -j DROP

Now save your new rules with the following command. The /etc/iptables directory and the reload of the rules at boot come from the iptables-persistent package, and the redirection has to run as root as well, not only iptables-save:

sudo sh -c 'iptables-save > /etc/iptables/rules.v4'
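Restricting sources with iptables and logging at VERBOSE only pay off if someone reads the log. The following script is an added example, not part of the original article: it summarises failed password attempts per source address from /var/log/auth.log-style lines. The log lines embedded in it are constructed samples in the format sshd writes on Ubuntu 14.04, using documentation-range addresses, fake PIDs and a made-up key fingerprint, not a real capture. The parser anchors on the fixed " from <ip> port <n> ssh2" tail of each line rather than on the user name, because the user name is supplied by the remote side and may itself contain the words "from" and "port"; one sample line shows that case. The function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original article: summarise failed SSH logins
# per source address from auth.log-style lines read on stdin.

# Constructed sample log lines (documentation-range addresses, fake PIDs and a
# made-up RSA fingerprint); not a real capture. The fourth line shows a user
# name crafted to look like a log tail, which a naive "field after from"
# parser would misattribute to 1.2.3.4.
SAMPLE_LOG='May 10 12:00:01 srv sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 4444 ssh2
May 10 12:00:03 srv sshd[1203]: Failed password for invalid user oracle from 203.0.113.5 port 4446 ssh2
May 10 12:00:05 srv sshd[1205]: Failed password for root from 203.0.113.5 port 4448 ssh2
May 10 12:00:07 srv sshd[1206]: Failed password for invalid user x from 1.2.3.4 port 1 ssh2 from 203.0.113.5 port 4450 ssh2
May 10 12:00:09 srv sshd[1207]: Found matching RSA key: 0a:1b:2c:3d:4e:5f:60:71:82:93:a4:b5:c6:d7:e8:f9
May 10 12:00:09 srv sshd[1207]: Accepted publickey for alice from 192.168.1.200 port 50123 ssh2
May 10 12:00:15 srv sshd[1209]: Failed password for bob from 198.51.100.7 port 5120 ssh2
May 10 12:00:20 srv sshd[1211]: Connection closed by 198.51.100.7 [preauth]'

# failed_by_source: print "count ip" for every source with failed password
# attempts, most failures first. Reads log lines on stdin.
failed_by_source() {
    awk '/ sshd\[[0-9]+\]: Failed password for / {
            # anchor on the fixed tail of the line, not on the user name
            if (match($0, / from [0-9A-Fa-f.:]+ port [0-9]+ ssh2$/)) {
                tail = substr($0, RSTART + 6)      # "<ip> port <n> ssh2"
                split(tail, parts, " ")
                n[parts[1]]++
            }
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# offenders_over <threshold>: only the source addresses with at least that
# many failures, one per line
offenders_over() {
    failed_by_source | awk -v t="$1" '$1 >= t { print $2 }'
}

printf '%s\n' "$SAMPLE_LOG" | failed_by_source
echo "sources with 3 or more failures:"
printf '%s\n' "$SAMPLE_LOG" | offenders_over 3
```

On the server, run `failed_by_source < /var/log/auth.log`; addresses that keep showing up are candidates for the iptables DROP rule above. With LogLevel VERBOSE, the "Found matching RSA key" line records the fingerprint of the key that was accepted, which you can compare against `ssh-keygen -lf ~/.ssh/authorized_keys` to see which authorized key was used for a given login.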