SSH Security Configuration Best Practices
10/05/2014 - Linux 

As anyone who has used Linux for some time can tell you, SSH access is one of the most powerful ways a user can remotely administer and access a given system. With that said, many good systems administrators are nervous about some of the security aspects of SSH usage and functions. Even though newer Linux distros ship with SSH preconfigured in a more secure manner out of the box, here is a list of processes and configurations that can further help you tighten and enhance your SSH security.

Warning: Do not randomly apply these adjustments or commands without first understanding what they do. The information below is provided as reference material on where and how the changes could be applied in many Linux distros. However, your network, system config, Linux distro and/or specific usage needs may not exactly match what is shown. As such, you may be required to make adjustments to use the information below properly within your own system's specific usage context. Always consult all relevant documentation for your selected operating system to validate each adjustment/command before implementation. Failure to do so could result in your system becoming unstable, less secure or completely inaccessible.

Restrict the root account to console access only:

# vi /etc/ssh/sshd_config
PermitRootLogin no

Create public-private key pairs using a strong passphrase to protect the private key:
(* Never generate a key pair with an empty passphrase)

(Use a larger key size for more security)
ssh-keygen -t rsa -b 4096

Configure TCP wrappers to allow only selective remote hosts and deny undesirable hosts:

# vi /etc/hosts.deny
# IP address of badguy (write the address without leading zeros, since tcp_wrappers compares it as a string)
ALL: 192.168.200.9

On workstations or laptops, disable the SSH server by turning off the SSH service, and then removing the ssh server package:

# chkconfig sshd off
# yum erase openssh-server

Restrict SSH access by controlling user access:

# vi /etc/ssh/sshd_config
AllowUsers santa ebunny jesus
DenyUsers ahacker thedevil jripper

Only use SSH Protocol 2:

# vi /etc/ssh/sshd_config
Protocol 2

Don't allow idle sessions; configure the idle logout timeout interval:

# vi /etc/ssh/sshd_config
ClientAliveInterval 600
ClientAliveCountMax 0

* Note: 600 seconds = 10 minutes

Disable host-based authentication:

# vi /etc/ssh/sshd_config
HostbasedAuthentication no

Disable users' .rhosts files:

# vi /etc/ssh/sshd_config
IgnoreRhosts yes

Configure firewalls to accept SSH connections only from known network segments:

Update /etc/sysconfig/iptables (Red Hat-specific file) to accept connections only from 192.168.100.0/24 and 209.64.100.5/27:
-A RH-FW-1-INPUT -s 192.168.100.0/24 -m state --state NEW -p tcp --dport 22 -j ACCEPT
-A RH-FW-1-INPUT -s 209.64.100.5/27 -m state --state NEW -p tcp --dport 22 -j ACCEPT

Restrict the available interfaces that SSH will listen on and bind to:

# vi /etc/ssh/sshd_config
ListenAddress 192.168.100.17
ListenAddress 209.64.100.15

Set user policy to enforce strong passwords, to protect against brute-force attacks, social engineering attempts, and dictionary attacks:

# < /dev/urandom tr -dc A-Za-z0-9_ | head -c8
oP0FNAUt

* Note: Here are other methods to generate random passwords.

Confine SFTP users to their own home directories using a chrooted SSHD:

# vi /etc/ssh/sshd_config
ChrootDirectory /data01/home/%u
X11Forwarding no
AllowTcpForwarding no

Disable empty passwords:

# vi /etc/ssh/sshd_config
PermitEmptyPasswords no

Rate-limit the number of incoming port 2022 connections within a specified time:

Red Hat iptables example (update /etc/sysconfig/iptables):
-A INPUT -i eth0 -p tcp --dport 2022 -m state --state NEW -m limit --limit 3/min --limit-burst 3 -j ACCEPT

-A INPUT -i eth0 -p tcp --dport 2022 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp --sport 2022 -m state --state ESTABLISHED -j ACCEPT

Configure iptables to allow only three connection attempts on port 2022 within 30 seconds:

Red Hat iptables example (update /etc/sysconfig/iptables):
-I INPUT -p tcp --dport 2022 -i eth0 -m state --state NEW -m recent --set
-I INPUT -p tcp --dport 2022 -i eth0 -m state --state NEW -m recent --update --seconds 30 --hitcount 3 -j DROP

Use a log analyzer such as logcheck, loggrep, splunk, or logwatch to better understand the logs and create logging reports.
(* Also, increase logging verbosity within the SSH application itself.)

Installation of the logwatch package on Red Hat Linux:
# yum install logwatch

Configure an increase in SSH logging verbosity:

# vi /etc/ssh/sshd_config
LogLevel DEBUG

Always keep the SSH packages and required libraries up to date with patches:

# yum update openssh-server openssh openssh-clients -y

Conceal the OpenSSH version (this requires the OpenSSH source code and a recompile). Then make the following updates:

# vi /etc/ssh/sshd_config
VerifyReverseMapping yes # Turn on reverse name checking
UsePrivilegeSeparation yes # Turn on privilege separation
StrictModes yes # Prevent the use of insecure home directory and key file permissions
AllowTcpForwarding no # Turn off, if at all possible
X11Forwarding no # Turn off, if at all possible
PasswordAuthentication no # Specifies whether password authentication is allowed. The default is yes. Users must have another authentication method available.
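As an added example (not code from the original post), here is a small POSIX sh + awk audit that reads an sshd_config and reports every deviation from the directives recommended above; the sample config it audits is constructed for the demo, and the hypothetical sftponly group and the Match block are assumptions that show why Match-scoped values do not count as global settings.

```shell
# Added example, not from the original post: audit an sshd_config against the
# settings recommended above; exit status is the number of findings.
SSHD_EXPECTED='PermitRootLogin=no Protocol=2 HostbasedAuthentication=no
IgnoreRhosts=yes PermitEmptyPasswords=no X11Forwarding=no
AllowTcpForwarding=no StrictModes=yes PasswordAuthentication=no'
# sshd_get FILE KEYWORD: print KEYWORD's global value, or nothing if unset. As in
# sshd, keys are case-insensitive and the first occurrence wins; reading stops at
# the first Match block because values there are conditional, not global.
sshd_get() {
    awk -v key="$2" '
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        $1 ~ /=/ { sub(/=/, " ") }           # accept the "Key=value" spelling
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}
# audit_sshd_config FILE: one line per finding. A missing key is a finding too,
# because the compiled-in default then applies instead of the hardened value.
audit_sshd_config() {
    bad=0
    for pair in $SSHD_EXPECTED; do
        key=${pair%%=*}; want=${pair#*=}
        have=$(sshd_get "$1" "$key")
        if [ -z "$have" ]; then
            echo "MISSING  $key (want $want)"; bad=$((bad + 1))
        elif [ "$have" != "$want" ]; then
            echo "MISMATCH $key=$have (want $want)"; bad=$((bad + 1))
        fi
    done
    return "$bad"
}
# sshd_audit_demo: audit a constructed sample, not a real host's config. Its
# Match block chroots SFTP-only users as in the post, but X11Forwarding and
# AllowTcpForwarding set there are not global and so count as missing; with
# PermitRootLogin wrong and two more keys absent, that is 5 findings.
sshd_audit_demo() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
Protocol 2
PermitRootLogin yes
HostbasedAuthentication=no
IgnoreRhosts yes
StrictModes yes
Match Group sftponly
    ChrootDirectory /data01/home/%u
    ForceCommand internal-sftp
    X11Forwarding no
    AllowTcpForwarding no
EOF
    if audit_sshd_config "$f"; then n=0; else n=$?; fi
    rm -f "$f"; return "$n"
}
```

Run `audit_sshd_config /etc/ssh/sshd_config` on a real host after editing; a zero exit status means every directive listed above is set globally to the recommended value.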

Delete the rlogin and rsh binaries from the system, and replace them with a symlink to SSH:

# find /usr -name rsh
/usr/bin/rsh
# rm -f /usr/bin/rsh
# ln -s /usr/bin/ssh /usr/bin/rsh

SSH supports numerous, diverse methods and techniques for authentication that you can enable or disable. Within the /etc/ssh/sshd_config file, you make these configuration changes by entering the keyword listed for the authentication method followed by yes or no. Here are some of the common configuration changes:

# RSAAuthentication yes
# PubkeyAuthentication yes
# RhostsRSAAuthentication no
# HostbasedAuthentication no
# RhostsRSAAuthentication and HostbasedAuthentication
PasswordAuthentication yes
ChallengeResponseAuthentication no
# KerberosAuthentication no
GSSAPIAuthentication yes

The keywords AllowedAuthentications and RequiredAuthentications within the sshd_config file dictate which authentication methods and configurations are used with SSH Protocol 2 only; the syntax to allow password and public key authentication is as follows:

# vi /etc/ssh/sshd_config
AllowedAuthentications publickey, password
RequiredAuthentications publickey, password

Enabling most, if not all, of these measures will help keep your SSH-related login capabilities safe from hackers and automated bots, and more secure in general. With just a few minutes of work, you can sleep better knowing this part of your system is secured.
