HOWTO Secure SSH

From Consultancy.EdVoncken.NET

Congratulations, you have replaced Telnet, rlogin and rsh with the vastly more secure Secure Shell. Does this mean you can sleep safely now?

In early 2009, a massive Distributed Brute Force attack was underway against Secure Shell (22/TCP). My logs were overflowing with thousands of attempted logins, and the probes continue to this day.

In light of these continued scans and attacks, it is smart to implement one or more additional security controls.

Methods for improving SSH server security

SSH Server Configuration

Disable SSH protocol v1
Version 1 of the protocol has known cryptographic weaknesses (among others, its CRC-32 integrity check can be defeated). Only allow SSH protocol v2 connections.
Disable "username/password" logins altogether
Only allow public-key (key-pair) logins.
Insist that people choose proper passwords and passphrases
Yes, also on their key-pairs. A key passphrase only protects the private key on the client and is never sent to the server, so the server cannot enforce or audit it; this remains a matter of policy and user education.
Move SSH to a port other than 22/TCP
By itself, this does not improve security: a full port scan still finds the service. It does remove most of the automated noise aimed at 22/TCP, which is an advantage when defending against "script kiddies". The downside is that remote connections may be blocked by firewalls at the client side (e.g. a company firewall) that only allow outgoing SSH traffic to port 22/TCP.

Other security measures

Enable SELinux
An Internet-facing server running Linux should use SELinux for an extra layer of security. This is the default setting on modern Red Hat / Fedora based installations.
Set up firewall rules
Only allow connections from known-good IP addresses. This helps quite a bit, but makes life hard on roaming users. Rate-limiting new connections also reduces the effectiveness of brute-force attacks.
Install DenyHosts
DenyHosts is a Python script that analyzes the sshd log messages to determine which hosts are attempting to break into your system. Future break-in attempts from these hosts are blocked using TCP Wrappers (/etc/hosts.deny). Note that OpenSSH dropped its TCP Wrappers (libwrap) support in version 6.7, so on current systems the block has to be done in the firewall instead, for instance with fail2ban.
Implement "port knocking"
The remote client sends a pre-agreed sequence of network packets in order to manipulate the server's firewall rules to open one or more specific ports. Again, this is a great way of "hiding" your network services, but it requires special "port knocking" software on each client.
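
As an added example of the log analysis a tool like DenyHosts performs (this is not DenyHosts' own code and not from the original page), the following POSIX shell and awk script counts failed logins per source address in OpenSSH's syslog-style messages and prints hosts.deny(5) lines for every address at or above a threshold. The log lines, host name, PIDs and addresses are constructed for the example; the message formats ("Failed password for ... from ...", "Invalid user ...") are OpenSSH's, and the threshold of 3 is an arbitrary choice.

```shell
#!/bin/sh
# Count failed sshd logins per source address in syslog-style auth log lines
# and emit TCP Wrappers hosts.deny entries for sources at or above a threshold.
# Only "Failed password/publickey for ... from <ip>" lines are counted; the
# "Invalid user" line sshd logs just before them for unknown accounts is
# skipped so that one attempt is not counted twice.
# The log lines below are constructed samples, not real traffic.

sample_auth_log() {
cat <<'EOF'
Feb  3 04:12:01 bastion sshd[2201]: Failed password for root from 203.0.113.7 port 51634 ssh2
Feb  3 04:12:03 bastion sshd[2201]: Failed password for root from 203.0.113.7 port 51634 ssh2
Feb  3 04:12:05 bastion sshd[2203]: Invalid user admin from 203.0.113.7 port 51700
Feb  3 04:12:06 bastion sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 51700 ssh2
Feb  3 04:13:10 bastion sshd[2210]: Accepted publickey for alice from 198.51.100.20 port 40122 ssh2
Feb  3 04:14:22 bastion sshd[2215]: Failed password for bob from 198.51.100.20 port 40130 ssh2
Feb  3 04:15:00 bastion sshd[2220]: Failed password for invalid user oracle from 192.0.2.99 port 33001 ssh2
Feb  3 04:15:01 bastion sshd[2221]: Failed password for invalid user oracle from 192.0.2.99 port 33002 ssh2
Feb  3 04:15:02 bastion sshd[2222]: Failed password for invalid user test from 192.0.2.99 port 33003 ssh2
EOF
}

# failed_logins_by_ip: stdin = auth log, stdout = "<failures> <ip>", most failures first
failed_logins_by_ip() {
    awk '/ sshd\[[0-9]+\]: Failed (password|publickey) for / {
            # the source address is the token that follows "from"
            for (i = 1; i < NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
         }
         END { for (ip in n) printf "%d %s\n", n[ip], ip }' | sort -k1,1nr -k2,2
}

# hosts_deny_entries THRESHOLD: stdin = auth log, stdout = hosts.deny(5) lines
# for every source with at least THRESHOLD failures (default 3, an arbitrary choice)
hosts_deny_entries() {
    failed_logins_by_ip | awk -v t="${1:-3}" '$1 >= t { print "sshd: " $2 }'
}

echo "failures per source:"; sample_auth_log | failed_logins_by_ip
echo "hosts.deny entries (threshold 3):"; sample_auth_log | hosts_deny_entries 3
```

The single failure from 198.51.100.20, a host that also logged in successfully, stays below the threshold, which is the behaviour you want for a legitimate user's typo. Because OpenSSH 6.7 dropped libwrap, hosts.deny only takes effect where the distribution still builds sshd with TCP Wrappers support; elsewhere feed the same addresses into a firewall rule set, or let fail2ban do this for you.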

Configuration Details

SSH Server Configuration

The following options help improve security on your SSH server (/etc/ssh/sshd_config). Keep comments on their own lines: sshd treats a trailing "# ..." on a keyword line as extra arguments and refuses to start ("garbage at end of line"), and for every keyword the first value found in the file wins.

 ## Global SSH server configuration: ##
 
 # Disable the old SSHv1 protocol. OpenSSH 7.4 and later contain no server-side
 # SSHv1 support any more and ignore this keyword, so it is harmless to leave in.
 Protocol 2
 
 # Only listen on IPv4 addresses, prevent accidental access through IPv6:
 AddressFamily inet
 
 
 ## Restrict or completely disable access to the root account - choose only one: ##
 
 # Root access permitted via "authorized_keys" only. OpenSSH 7.0 and later spell
 # this value "prohibit-password"; "without-password" is kept as an alias.
 PermitRootLogin without-password
 # Only allow forced commands in "authorized_keys" (e.g. for backups):
 #PermitRootLogin forced-commands-only
 # Root access prohibited:
 #PermitRootLogin no
 
 
 ## Restrict authentication methods to "authorized keys" - no more passwords: ##
 
 PubkeyAuthentication yes
 
 # Disable rhosts and hosts.equiv methods
 HostbasedAuthentication no
 IgnoreRhosts yes
 
 # Disable tunneled cleartext passwords
 PasswordAuthentication no
 PermitEmptyPasswords no
 
 # Disable Kerberos and GSSAPI methods
 KerberosAuthentication no
 GSSAPIAuthentication no
 
 # Disable keyboard-interactive (PAM) authentication, but keep PAM account and
 # session processing. OpenSSH 8.7 and later call this option
 # KbdInteractiveAuthentication; the old name still works as an alias.
 ChallengeResponseAuthentication no
 UsePAM yes
 
 # Since we don't need to wait for password entry, we can be very strict about
 # authentication. Caveat for MaxAuthTries 1: every public key the client offers
 # and the server rejects counts as one failed attempt, so a client with several
 # keys in its agent must pin the right one (IdentitiesOnly yes plus IdentityFile
 # in ssh_config) or it is disconnected with "Too many authentication failures".
 LoginGraceTime 1m
 MaxAuthTries 1
 MaxStartups 10
 StrictModes yes
 
 # Limit potential impact of Brute-Force attacks: nobody else can log in at all.
 # The host part of user@host is only matched against a hostname when UseDNS is
 # enabled; an address or CIDR range (e.g. bob@192.0.2.0/24) needs no DNS.
 AllowUsers alice bob@trustedhost.example.com
 
 # Limit potential privilege escalation. Privilege separation is always on since
 # OpenSSH 7.5, which deprecated this keyword (it is then ignored with a warning).
 UsePrivilegeSeparation yes

You may also want to remove (or comment out) the following options, if they exist. AcceptEnv lets the client set environment variables in the login session (distributions typically use it to pass LANG and LC_*), which is attack surface a hardened server does not need:

 # AcceptEnv

Check the sshd_config(5) manual page for more information about each option.

Other Security Measures

The following firewall rules (in /etc/sysconfig/iptables, using the RH-Firewall-1-INPUT chain of the Red Hat firewall scripts) implement basic protection for your SSH server. Note that the limit is global, not per source address: during a flood the rules throttle legitimate users as well. Per-source limiting needs the "recent" or "hashlimit" match instead.

 # Allow new Secure Shell connections: a burst of 3, then on average 1 new connection per minute.
 # "--syn" matches connection attempts only; change --dport if sshd was moved off 22/TCP.
 -A RH-Firewall-1-INPUT -p tcp --dport 22 --syn -m limit --limit 1/m --limit-burst 3 -j LOG --log-prefix "[ACCEPT SSH-IN] : "
 -A RH-Firewall-1-INPUT -p tcp --dport 22 --syn -m limit --limit 1/m --limit-burst 3 -j ACCEPT
 # Everything over the limit is logged and silently dropped. This LOG rule has no limit
 # of its own, so a SYN flood also floods the log; add another "-m limit" here if needed.
 -A RH-Firewall-1-INPUT -p tcp --dport 22 --syn -j LOG --log-prefix "[REJECT SSH-IN] : "
 -A RH-Firewall-1-INPUT -p tcp --dport 22 --syn -j DROP

See Also: