Securing SSH Server – sshd_config

Secure Shell (SSH) is a cryptographic network protocol for secure data communication. It is widely used on Linux machines for console access and remote management. SSH is a client-server protocol that provides an encrypted channel between two networked computers. By default the SSH server listens on port 22.

To connect to an SSH server you need an SSH client. Linux includes one by default, run from the console, and so does Apple OS X. On Windows you will need to download an SSH client; the most widely used is PuTTY, but there are other similar programs out there…

If you are running an SSH server on a computer that is exposed to the internet, it is advisable to take extra security measures so the server is less susceptible to a variety of possible attacks. That is what this how-to focuses on.

Securing SSH Server

Let’s Secure Our SSH Server!

Configuration Files Locations

  • /etc/ssh/sshd_config – SSH Server Configuration File
    This is the main SSH server configuration file. By default most lines are commented out, which means the built-in default values apply. Note that every change to this file takes effect only after the SSH server configuration is reloaded or the SSH service is restarted.
  • /etc/ssh/ssh_config – SSH Client Configuration File
    This is the SSH client configuration file. It is read whenever we connect to a remote SSH server.
  • ~/.ssh/ – User Specific SSH Configuration Directory (hidden directory)
    This is where the user-specific SSH configuration files are stored. The directory may not exist yet if nothing has required or created it. It is created when you run “ssh-keygen”, which stores your private and public RSA key in it (usually id_rsa and id_rsa.pub). It also holds the “authorized_keys” file, which enables passwordless SSH login – key authentication.

1. Change SSH Server Port

First and most important rule – change the SSH server port!! There are lots of bots out there constantly scanning machines on the internet, and most of them “only” scan well-known port numbers, so yes, changing the port your SSH server runs on can eliminate 90% of attacks!! Bear in mind that this is obscurity rather than protection: a full port scan still finds the service, which is why the remaining steps matter just as much.

Please note – if you are running iptables you should re-configure it to allow SSH connections on the new port!

Find the “Port” line in /etc/ssh/sshd_config (by default it is commented out, which means the default of 22 applies):

#Port 22

Uncomment it and change the port number to something above 1024 (make sure it does not conflict with another service already running on this machine!):

Port 8022

Save configuration file and restart SSH service:

[root@geekpeek ~]# service sshd restart
Redirecting to /bin/systemctl restart sshd.service

We can confirm we are running SSH Server on port 8022 with the following command:

[root@geekpeek ~]# netstat -anp |grep 8022
tcp 0 0 0.0.0.0:8022 0.0.0.0:* LISTEN 1982/sshd
tcp6 0 0 :::8022 :::* LISTEN 1982/sshd
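As an added example (not code from the original post), here is a small POSIX shell helper that applies edits like this one to an sshd_config file safely: it keeps a backup, rewrites the first active or commented-out line for a directive, inserts a missing directive before any Match block, and leaves everything else untouched. The file it edits is a constructed temporary copy with sample contents; the `sshd -t` syntax check and the listener check only do something on a machine where sshd, ss or netstat are installed.

```shell
#!/bin/sh
# Added example, not code from the original post: edit an sshd_config directive
# safely. CFG is a constructed temporary copy; point it at /etc/ssh/sshd_config
# (and run as root) to use it for real.

# set_sshd_directive FILE KEY VALUE
# Keeps a .bak copy, then rewrites the first line that sets KEY, whether active
# ("Port 22") or a commented-out default ("#Port 22"). A commented line only
# counts when it is just "key value", so prose comments that happen to start
# with the keyword are left alone. If KEY never appears, the directive is
# inserted before the first Match block (directives after Match are
# conditional) or appended at the end. Re-running with the same value is a no-op.
set_sshd_directive() {
    cp -p "$1" "$1.bak" || return 1
    awk -v key="$2" -v value="$3" '
        BEGIN { lk = tolower(key) }
        {
            commented = ($0 ~ /^[ \t]*#/)
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line); sub(/[ \t]+$/, "", line)
            n = split(line, f, /[ \t=]+/)
            k = tolower(f[1])
            if (!done && k == "match") { print key " " value; done = 1 }
            if (!done && k == lk && (!commented || n == 2)) {
                print key " " value; done = 1; next
            }
            print
        }
        END { if (!done) print key " " value }
    ' "$1" > "$1.new" && mv "$1.new" "$1"
}

# show_listeners PORT: the netstat check from the post, with ss as the modern
# alternative; only meaningful where a real sshd is listening on PORT
show_listeners() {
    if command -v ss >/dev/null 2>&1; then
        ss -ltn | grep -E "[:.]$1[[:space:]]" || echo "nothing listening on port $1"
    elif command -v netstat >/dev/null 2>&1; then
        netstat -ant | grep -E "[:.]$1[[:space:]]" || echo "nothing listening on port $1"
    fi
}

# Constructed stock file: defaults commented out, one Match block at the end.
CFG=$(mktemp)
cat > "$CFG" <<'EOF'
# constructed sample sshd_config
#Port 22
#ListenAddress 0.0.0.0
#PermitRootLogin yes
Match User backup
    PasswordAuthentication no
EOF

set_sshd_directive "$CFG" Port 8022            # replaces "#Port 22"
set_sshd_directive "$CFG" PermitRootLogin no   # step 2 uses the same mechanism
set_sshd_directive "$CFG" AllowUsers geekpeek  # absent: inserted before Match
cat "$CFG"

# Let sshd check the syntax before restarting it (only where sshd is installed;
# a missing or unreadable host key is reported here too, so read the message
# rather than treating any failure as a configuration error).
command -v sshd >/dev/null 2>&1 && { sshd -t -f "$CFG" || echo "sshd -t reported a problem"; }
show_listeners 8022
```

The firewall rule the post mentions is deliberately left to your own tooling (iptables, firewalld or nftables); open the new port there before restarting sshd, and keep your current session open until a second login on the new port succeeds, so a mistake cannot lock you out.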

2. Disable root Login via SSH

This is also one of the most important rules! All the bots know that the root user almost certainly exists on the machine, so brute-forcing the root password is a common and most successful practice! Just create another user and immediately disable root login.

Find the “PermitRootLogin” line in sshd_config:

#PermitRootLogin yes

Uncomment it and change the value to “no”:

PermitRootLogin no

Save configuration file and restart SSH service.

3. Only use SSH Protocol 2

Since SSH protocol 1 is insecure, we need to force the SSH server to always use protocol 2. (Recent OpenSSH releases have dropped protocol 1 support altogether, so on a current server this is already the only option, but setting it explicitly does no harm.)

Find the “Protocol” line, which is probably commented out:

#Protocol 2

...and uncomment it:

Protocol 2

Save configuration file and restart SSH service.

4. Change SSH Server Listen Address

By default the SSH server listens on all available interfaces, which is not always what we want. It is best to limit the SSH server to listen only on the interfaces we actually use to connect to it.

Find the “ListenAddress” line:

#ListenAddress 0.0.0.0

...uncomment it and enter the IP address you want your SSH server to listen on:

ListenAddress 192.168.1.96

Save configuration file and restart SSH service.

We saw in “Step 1” that my SSH server listened on an IPv6 address too; let’s check the situation now by running the same “netstat” command again:

[root@geekpeek ~]# netstat -anp |grep 8022
tcp 0 0 192.168.1.96:8022 192.168.1.20:42454 ESTABLISHED 2005/sshd: root@pts

...much better, see!?

5. Disconnect Idle Users

Sometimes users “go away” from their computers without locking them ($%&/ grrr) but stay connected to the server via SSH. This is of course a security risk, since anyone passing by the unlocked computer could start messing with it! This is why it is good to disconnect idle users after a certain amount of time.

To configure this find the following two lines in sshd_config:

#ClientAliveInterval 0
#ClientAliveCountMax 3

Uncomment them and configure as desired (see parameter explanation below!):

ClientAliveInterval 45
ClientAliveCountMax 3

Save configuration file and restart SSH service. This configuration will disconnect a user who has been unresponsive for more than 3 × 45 s = 135 s. Note that the SSH client answers these keep-alive probes by itself, so a live client whose user has simply walked away keeps the session open; what these two settings really catch are dead or unreachable connections. Logging out a genuinely idle user additionally needs a shell-level timeout (for example the TMOUT variable in bash).

Parameter Explanation:

ClientAliveInterval: Sets a timeout interval in seconds (e.g. 30) after which, if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client. The default is 0, indicating that these messages will not be sent to the client. This option applies to protocol version 2 only.

ClientAliveCountMax: Sets the number of client alive messages (e.g. 5) which may be sent without sshd receiving any messages back from the client. If this threshold is reached while client alive messages are being sent, sshd will disconnect the client, terminating the session.

6. Max Authentication Tries

We want to configure the maximum number of authentication tries for our users. This means that a user is only allowed to enter his password N-1 times; if he enters a wrong password N-1 times he will be disconnected and will have to connect again. This also slows down bots brute-forcing our passwords.

To do this find the line “MaxAuthTries”:

#MaxAuthTries 6

Uncomment it and put in value 4:

MaxAuthTries 4

Save configuration file and restart SSH service.

7. Allow Users

You should only allow SSH connections to the server for the users you want.

Add the following line to the SSH configuration file (you can put it at the end of the file):

AllowUsers geekpeek

Save configuration file and restart SSH service.

You can of course add more users: specify multiple users separated by spaces. An entry can also take the form user@host to allow that user only from a given source host. Once this directive exists, every user not listed is refused, so list yourself before restarting.

8. Disable Empty Passwords

Sometimes a user account on the server has no password set at all, or an empty one. We always want to stop such users connecting to our SSH server. We can do this as follows.

Find the line “PermitEmptyPasswords”:

#PermitEmptyPasswords no

and uncomment it:

PermitEmptyPasswords no

9. Ignore Rhosts

This relates to the obsolete rsh command, whose .rhosts-based host trust SSH can emulate. We want to disable this option for security reasons.

Find the “IgnoreRhosts” line:

#IgnoreRhosts yes

...and uncomment it:

IgnoreRhosts yes

Save configuration file and restart SSH service.

10. Message Of The Day

We can configure a message of the day (welcome message) for users trying to connect to our machine. You can put anything you like in the MOTD, but usually it is a “warning” about connecting to the machine, like:

ALERT! You are entering into a secured area! Your IP, Login Time, Username has been noted and has
been sent to the server administrator! This service is restricted to authorized users only. All activities
on this system are logged. Unauthorized access will be fully investigated and reported to the appropriate
law enforcement agencies.

We can configure this by adding the desired message to the /etc/motd file. Strictly speaking these are two different things: the sshd Banner is shown before authentication, while /etc/motd is printed by the login process after a successful login, so pointing Banner at /etc/motd typically shows the text twice; use a separate file such as /etc/issue.net if that bothers you. Then find this line in sshd_config:

#Banner none

...uncomment it and point it to the motd file:

Banner /etc/motd

Save configuration file and restart SSH service.

11. Log All Information

Last but not least, configure the SSH server to log at INFO level. Since SSH is an entry point to our server it is suggested to log as much as possible; you will be thankful to me when you run into a problem, believe me! INFO is already the default, but setting it explicitly guards against someone lowering it. If you also want the fingerprint of the key used for each login, raise it to VERBOSE; the DEBUG levels are too chatty for a production server and should be used only while troubleshooting.

Find the “LogLevel” line:

#LogLevel INFO

Uncomment it:

LogLevel INFO

Save configuration file and restart SSH service.
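To close, an added example that is not from the original post: a shell audit that reads an sshd_config file the way sshd does (first occurrence wins, keywords are case-insensitive, everything after the first Match line is conditional) and reports which of the settings from steps 1 to 11 are in place, substituting the OpenSSH built-in default for any key left unset. The two sample files are constructed here in temporary files; the PermitRootLogin check expects the explicit “no” from step 2, since the built-in default differs between OpenSSH versions.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config file against
# the eleven settings above. Sample files are constructed below in temp files;
# pass /etc/ssh/sshd_config (or the output of "sshd -T") for a real check.

# sshd_get FILE KEY: print the effective value of KEY, or nothing if the
# built-in default applies. sshd honours the first occurrence of a keyword,
# keywords are case-insensitive, "Key=value" is allowed, and everything after
# the first Match line is conditional, so parsing stops there.
sshd_get() {
    awk -v lk="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }
        /^[ \t]*$/ { next }
        {
            sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "")
            split($0, f, /[ \t=]+/)
            k = tolower(f[1])
            if (k == "match") exit
            if (k == lk) { sub(/^[^ \t=]+[ \t=]+/, ""); print; exit }
        }' "$1"
}

# cond DESCRIPTION DETAIL TEST-ARGS...: run test(1) on TEST-ARGS, print the
# verdict and count failures in AUDIT_FAILS
cond() {
    desc=$1 detail=$2; shift 2
    if [ "$@" ]; then printf 'PASS %-30s %s\n' "$desc" "$detail"
    else printf 'FAIL %-30s %s\n' "$desc" "$detail"; AUDIT_FAILS=$((AUDIT_FAILS + 1)); fi
}

# audit_sshd_config FILE: one line per recommendation; returns the failure count.
# Unset keys are replaced by the OpenSSH built-in default for that keyword.
audit_sshd_config() {
    f=$1; AUDIT_FAILS=0
    v=$(sshd_get "$f" Port);            cond "1. port moved off 22"        "Port ${v:-22}" "${v:-22}" != 22
    v=$(sshd_get "$f" PermitRootLogin); cond "2. root login disabled"      "PermitRootLogin ${v:-(default)}" "$v" = no
    v=$(sshd_get "$f" Protocol);        cond "3. protocol 2 only"          "Protocol ${v:-2}" "${v:-2}" = 2
    v=$(sshd_get "$f" ListenAddress)
    case ${v:-0.0.0.0} in 0.0.0.0*|::*|"[::]"*) ok=1 ;; *) ok=0 ;; esac   # wildcard binds count as unset
    cond "4. bound to a chosen address" "ListenAddress ${v:-0.0.0.0}" "$ok" -eq 0
    i=$(sshd_get "$f" ClientAliveInterval); c=$(sshd_get "$f" ClientAliveCountMax)
    cond "5. dead sessions dropped"     "after $(( ${i:-0} * ${c:-3} ))s" "${i:-0}" -gt 0
    v=$(sshd_get "$f" MaxAuthTries);    cond "6. auth attempts limited"    "MaxAuthTries ${v:-6}" "${v:-6}" -le 4
    v=$(sshd_get "$f" AllowUsers);      cond "7. logins limited to a list" "AllowUsers ${v:-(unset)}" -n "$v"
    v=$(sshd_get "$f" PermitEmptyPasswords); cond "8. empty passwords refused" "PermitEmptyPasswords ${v:-no}" "${v:-no}" = no
    v=$(sshd_get "$f" IgnoreRhosts);    cond "9. rhosts ignored"           "IgnoreRhosts ${v:-yes}" "${v:-yes}" = yes
    v=$(sshd_get "$f" Banner);          cond "10. login banner set"        "Banner ${v:-none}" "${v:-none}" != none
    v=$(sshd_get "$f" LogLevel)
    case ${v:-INFO} in INFO|VERBOSE) ok=0 ;; *) ok=1 ;; esac
    cond "11. INFO-level logging"       "LogLevel ${v:-INFO}" "$ok" -eq 0
    return "$AUDIT_FAILS"
}

# Constructed samples: a stock file with every default still commented out,
# and one carrying the values from steps 1-11 plus a trailing Match block.
STOCK_CFG=$(mktemp) HARDENED_CFG=$(mktemp)
cat > "$STOCK_CFG" <<'EOF'
#Port 22
#PermitRootLogin yes
#ClientAliveInterval 0
#MaxAuthTries 6
EOF
cat > "$HARDENED_CFG" <<'EOF'
Port 8022
Protocol 2
ListenAddress 192.168.1.96
PermitRootLogin no
ClientAliveInterval 45
ClientAliveCountMax 3
MaxAuthTries 4
AllowUsers geekpeek
PermitEmptyPasswords no
IgnoreRhosts yes
Banner /etc/motd
LogLevel INFO
Match User backup
    PasswordAuthentication no
EOF

for cfg in "$STOCK_CFG" "$HARDENED_CFG"; do
    echo "== $cfg"
    audit_sshd_config "$cfg" || echo "-> $AUDIT_FAILS of 11 recommendations missing"
done
```

Overrides inside Match blocks are deliberately not inspected. `sshd -T` (optionally with `-C user=...,addr=...`) prints the configuration sshd has actually resolved for a given connection, Match blocks included, and since its output uses the same keyword-value form it can be fed to audit_sshd_config for the most reliable check of a live server.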

These are some parameters to get you started and make your SSH server a bit more secure. There is definitely room for improvement and additional parameters that could be tweaked! I strongly suggest you use “key authentication” to connect to your SSH server, but that will be a topic for a new how-to.