Secure Shell for Linux has been one of the most attacked on servers, we find many cases where the bruteforce finally compromises the server for root access. One of the most common queries that come on to desk is how to harden out SSH - here are few tips that should help - I wont recommend enabling every bit of it, but will include the list which is most required and ones that are optional.
The configurations of SSH is available either on /usr/local/ssh/sshd_config or /etc/ssh/sshd_config - so that is where we start. So we need a connection on KVM or SSH on to the server and knowledge of popular editors like pico or vim to start with it.
1. Block SSH Version1:
SSH protocol version 1 (SSH-1) has man-in-the-middle attacks problems and security vulnerabilities. SSH-1 is obsolete and should be avoided at all cost. Open sshd_config file and make sure the following line exists:
2. SSH Port
From what I have seen, most of the bruteforce happens on to the port 22, considering the fact that most of the server owners doesn't care to change the SSH port. So this is the second most important thing to be done- change the SSH port to a number different from 22 - which is the default port id:
3. Protect SSH with Firewall
Apart from the iptables rules said above, it will be wise to install a bruteforce prevention firewall wrapper like CSF or similar where you can define the count of failures on to SSH and block the originating IP address. I am recommending CSF since its getting updates on a regular basis and has a simple configuration that can be used to carry out much complex operations.
4. Disable Root Login
Disabling root login is another good option which should protect the server even if your workstation is compromised with key loggers. The root password, even if it is correct, wont be accepted by the system which inturn will need a non-root user to login to the server first and then use the 'su -' command to gain root access. You can achieve this by updating the configuration entry:
5. Defining Idle Timeout for users:
Another important setting that shouldn't be ignored is having an idle timeout set for your logins so that the active sessions doesn't allow hackers to change settings. We can get this done by updating:
6. Ensure that the defaults are not modified:
7. Issue a notice on each login:
Issuing a well defined banner on each SSH login should be good as well, add in the guidelines and also define the penalty of breaching into the system - that should help at times:
This is usually a recommended option which allows each user to create a sign in key and if it matches with the key on the server, the access is granted in. We had skipped this option earlier as it becomes tough when you are not on the machine or laptop that you are used to working from and will be troublesome if you have to get to the system from a new machine.
You can refer : http://www.cyberciti.biz/faq/ssh-passwordless-login-with-keychain-for-scripts/ for setting up the key authentication.
Another interesting addition will be : Using Google Authenticators So the settings you will need to update is to enable key based authentication are:
9. Disabling SSH open Server
So if it is just for SSH that you need the server running for and to avoid users from sending out or receiving files over SSH, you can disable SSH server entity which is enabled by default, you can do that by running the commands:
10. Use Log-level info
Read your logs using logwatch or logcheck. This should help you keep constant check on the SSH activity and modify the security rules based on incoming traffic. Make sure LogLevel is set to INFO or DEBUG in sshd_config:
The configurations of SSH is available either on /usr/local/ssh/sshd_config or /etc/ssh/sshd_config - so that is where we start. So we need a connection on KVM or SSH on to the server and knowledge of popular editors like pico or vim to start with it.
Most Important Changes
These are the list of configurations that you should never do away with, so start with the first:1. Block SSH Version1:
SSH protocol version 1 (SSH-1) has man-in-the-middle attacks problems and security vulnerabilities. SSH-1 is obsolete and should be avoided at all cost. Open sshd_config file and make sure the following line exists:
Protocol 22. SSH Port
From what I have seen, most of the bruteforce happens on to the port 22, considering the fact that most of the server owners doesn't care to change the SSH port. So this is the second most important thing to be done- change the SSH port to a number different from 22 - which is the default port id:
Port 1111pico /etc/sysconfig/iptables
(or find the locations of iptables by running /etc/init.d/iptables save)and add the following entries:
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -s 202.54.1.5/29 -m state --state NEW -p tcp --dport 22 -j ACCEPTListenAddress 192.168.1.5
ListenAddress 202.54.1.53. Protect SSH with Firewall
Apart from the iptables rules said above, it will be wise to install a bruteforce prevention firewall wrapper like CSF or similar where you can define the count of failures on to SSH and block the originating IP address. I am recommending CSF since its getting updates on a regular basis and has a simple configuration that can be used to carry out much complex operations.
4. Disable Root Login
Disabling root login is another good option which should protect the server even if your workstation is compromised with key loggers. The root password, even if it is correct, wont be accepted by the system which inturn will need a non-root user to login to the server first and then use the 'su -' command to gain root access. You can achieve this by updating the configuration entry:
PermitRootLogin noAllowUsers root raj rahulAllowGroup sshusers5. Defining Idle Timeout for users:
Another important setting that shouldn't be ignored is having an idle timeout set for your logins so that the active sessions doesn't allow hackers to change settings. We can get this done by updating:
ClientAliveInterval 300
ClientAliveCountMax 0
HostbasedAuthentication no6. Ensure that the defaults are not modified:
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
UsePam yes7. Issue a notice on each login:
Issuing a well defined banner on each SSH login should be good as well, add in the guidelines and also define the penalty of breaching into the system - that should help at times:
Banner /etc/issue----------------------------------------------------------------------------------------------
You are accessing a XYZ Government (XYZG) Information System (IS) that is provided for authorized use only.
By using this IS (which includes any device attached to this IS), you consent to the following conditions:
+ The XYZG routinely intercepts and monitors communications on this IS for purposes including, but not limited to,
penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM),
law enforcement (LE), and counterintelligence (CI) investigations.
+ At any time, the XYZG may inspect and seize data stored on this IS.
+ Communications using, or data stored on, this IS are not private, are subject to routine monitoring,
interception, and search, and may be disclosed or used for any XYZG authorized purpose.
+ This IS includes security measures (e.g., authentication and access controls) to protect XYZG interests--not
for your personal benefit or privacy.
+ Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching
or monitoring of the content of privileged communications, or work product, related to personal representation
or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work
product are private and confidential. See User Agreement for details.
----------------------------------------------------------------------------------------------Optional Settings for Added Security
8. Using Key based loginThis is usually a recommended option which allows each user to create a sign in key and if it matches with the key on the server, the access is granted in. We had skipped this option earlier as it becomes tough when you are not on the machine or laptop that you are used to working from and will be troublesome if you have to get to the system from a new machine.
You can refer : http://www.cyberciti.biz/faq/ssh-passwordless-login-with-keychain-for-scripts/ for setting up the key authentication.
Another interesting addition will be : Using Google Authenticators So the settings you will need to update is to enable key based authentication are:
PasswordAuthentication no
ServerKeyBits 2048
RSAAuthentication yes
PubkeyAuthentication yes9. Disabling SSH open Server
So if it is just for SSH that you need the server running for and to avoid users from sending out or receiving files over SSH, you can disable SSH server entity which is enabled by default, you can do that by running the commands:
chkconfig sshd off
yum erase openssh-server
service iptables restart
service ip6tables restart10. Use Log-level info
Read your logs using logwatch or logcheck. This should help you keep constant check on the SSH activity and modify the security rules based on incoming traffic. Make sure LogLevel is set to INFO or DEBUG in sshd_config:
LogLevel INFO# Turn on privilege separation
UsePrivilegeSeparation yes
# Prevent the use of insecure home directory and key file permissions
StrictModes yes
# Turn on reverse name checking
VerifyReverseMapping yes
# Do you need port forwarding?
AllowTcpForwarding no
X11Forwarding no
# Specifies whether password authentication is allowed. The default is yes.
PasswordAuthentication no`which sshd` -tservice sshd restart
- Unknown Updated at: Monday, February 04, 2013
![Thor : The Dark World (2013) Movie Clips [HD]](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2Cc0m-mAaiC54DakVBotbA8_Y7uKYQVDZNfYOP8jvEihUZG6zB0K4noorBT26bigfsGD15A8h3yKM2Dxu_yJcaEJAUotp3fzyMa6wBQoJNHRdXpLf_iv2PHml9JnhP9f0NnrIKYtGWidv/w72-h72-p-k-no-nu/MV5BMTQyNzAwOTUxOF5BMl5BanBnXkFtZTcwMTE0OTc5OQ@@._V1_SY317_CR4,0,214,317_.jpg)
