How to Make OpenSSH Server More Secure
OpenSSH is an implementation of the SSH protocol. OpenSSH is recommended for remote login, making backups, remote file transfer via scp or sftp, and much more. The main advantage is its secure server authentication through the use of public key cryptography.
However, SSH security problems still come up from time to time, for various reasons. Here are a few things you need to tweak in order to improve OpenSSH server security.
Default Config Files and SSH Port
- /etc/ssh/sshd_config – OpenSSH server configuration file.
- /etc/ssh/ssh_config – OpenSSH client configuration file.
- ~/.ssh/ – User's SSH configuration directory.
- ~/.ssh/authorized_keys – Lists the public keys (RSA or DSA) that can be used to log into the user's account.
- /etc/nologin – If this file exists, sshd refuses to let anyone except root log in.
- /etc/hosts.allow and /etc/hosts.deny – Access control lists that should be enforced by tcp-wrappers are defined here.
- SSH default port: TCP 22
Here are some ways to secure your server/desktop:
Disable OpenSSH Server
Workstations and laptops can work without an OpenSSH server. If you do not need to provide the remote login and file transfer capabilities of SSH, disable and remove the SSHD server. CentOS / RHEL / Fedora Linux users can disable and remove openssh-server with the yum command:
# chkconfig sshd off
# yum erase openssh-server
Or on RHEL7/CentOS7:
# systemctl stop sshd
# systemctl disable sshd
Also, you may need to update your iptables script to remove the SSH exception rule. Under CentOS / RHEL / Fedora, edit the files /etc/sysconfig/iptables and /etc/sysconfig/ip6tables. Once done, restart the iptables service:
# service iptables restart
# service ip6tables restart
Or on RHEL7/CentOS7:
# systemctl restart iptables
Only Use SSH Protocol 2
SSH protocol version 1 (SSH-1) is exposed to man-in-the-middle attacks and has other security vulnerabilities. SSH-1 is obsolete and should be avoided at all costs. Open the sshd_config file and make sure the following line exists:
Limit Users’ SSH Access
By default, all system users can log in via SSH using their password or public key. To allow only known users to do so, use the AllowUsers option in sshd_config.
To allow only the root and fibrevillage users to use the system via SSH, add the following to sshd_config:
AllowUsers root fibrevillage
Alternatively, you can allow all users to log in via SSH but deny only a few users, with the following line:
DenyUsers test advok
Configure Idle Log Out Timeout Interval
Users can log in to the server via SSH, and you can set an idle timeout interval to avoid unattended SSH sessions. Open sshd_config and make sure the following values are configured:
ClientAliveInterval 300
ClientAliveCountMax 0
You are setting an idle timeout interval in seconds (300 secs = 5 minutes). After this interval has passed, the idle user will be automatically kicked out (read as logged out). On OpenSSH 8.2 and later, ClientAliveCountMax 0 disables connection termination instead, so confirm the behaviour on your version.
Disable .rhosts Files
Don’t read the user’s ~/.rhosts and ~/.shosts files. Update sshd_config with the following settings:
SSH can emulate the behavior of the obsolete rsh command; disable this insecure RSH-style access.
Disable Host-Based Authentication
To disable host-based authentication, update sshd_config with the following option:
Disable root Login via SSH
There is no need to log in as root via SSH over a network. Normal users can use su or sudo (recommended) to gain root level access. This also makes sure you get full auditing information about who ran privileged commands on the system via sudo. To disable root login via SSH, update sshd_config with the following line:
Firewall SSH Port # 22
You need to firewall SSH port # 22 by updating your iptables or pf firewall configuration. Usually, the OpenSSH server must accept connections only from your LAN or other remote WAN sites.
Netfilter (Iptables) Configuration
Update /etc/sysconfig/iptables (Redhat and friends specific file) to accept connections only from 192.168.1.0/24 and 220.127.116.11/29, enter:
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -s 18.104.22.168/29 -m state --state NEW -p tcp --dport 22 -j ACCEPT
If you’ve dual stacked sshd with IPv6, edit /etc/sysconfig/ip6tables (Redhat and friends specific file), enter:
-A RH-Firewall-1-INPUT -s ipv6network::/ipv6mask -m tcp -p tcp --dport 22 -j ACCEPT
Replace ipv6network::/ipv6mask with actual IPv6 ranges.
Change SSH Port and Limit IP Binding
By default, SSH listens on all available interfaces and IP addresses on the system. Limit the SSH port binding and change the SSH port (by default, brute forcing scripts only try to connect to port # 22). To bind to the 192.168.1.5 and 22.214.171.124 IPs and to port 300, add or correct the following lines:
Port 300
ListenAddress 192.168.1.5
ListenAddress 126.96.36.199
A better approach is to use proactive scripts such as fail2ban or denyhosts (see below).
Use Strong SSH Passwords and Passphrase
It cannot be stressed enough how important it is to use strong user passwords and passphrases for your keys. Brute force attacks work because you use dictionary based passwords.
Use Public Key Based Authentication
Use a public/private key pair with password protection for the private key. See how to use RSA key based authentication. Never ever use a passphrase-free key (passphrase-less key) login.
Chroot SSHD (Lock Down Users To Their Home Directories)
By default, users are allowed to browse server directories such as /etc/, /bin and so on. You can protect SSH using an OS based chroot or special tools such as rssh.
Disable Empty Passwords
You need to explicitly disallow remote login from accounts with empty passwords. Update sshd_config with the following line:
Use Log Analyzer
Read your logs using logwatch or logcheck. These tools make your log reading life easier. They go through your logs for a given period of time and make a report on the areas that you wish, with the detail that you wish. Make sure LogLevel is set to INFO or DEBUG in sshd_config:
To hide the OpenSSH version, you need to update the source code and compile OpenSSH again. Make sure the following options are enabled in sshd_config:
# Turn on privilege separation
UsePrivilegeSeparation yes
# Prevent the use of insecure home directory and key file permissions
StrictModes yes
# Turn on reverse name checking
VerifyReverseMapping yes
# Do you need port forwarding?
AllowTcpForwarding no
X11Forwarding no
# Specifies whether password authentication is allowed. The default is yes.
PasswordAuthentication no
Verify your sshd_config file before restarting / reloading changes:
# /usr/sbin/sshd -t