How To Secure SSH Servers on Linux
Pass your next Security Assessment / Penetration Test
This guide will show you step by step how to secure SSH servers on your network or hosted directly on the Internet. Securing your SSH servers will prevent against brute force attacks, and other security issues that are typically raised during a penetration test or worse, a breach report.
What is SSH ?
SSH is the standard way for Admin’s to connect to Linux servers securely over an encrypted tunnel. However a default install of SSH is far from perfect and can allow for an attacker to hack SSH and acquire a shell on a remote server, follow our tutorial on how to secure SSH Servers. This guide should work for all distros of Linux using OpenSSH Server, Ubuntu, Debian, CentOS, RHEL, Gentoo, Fedora etc…
Security Harden SSH Servers
Follow the instructions below to security harden SSH Servers on your network, you will secure SSH so tight not even Trinity could exploit you with her mad nmap skills :)
Use Strong SSH Passwords
It sounds obvious but make sure all the passwords on your system are secure, you are probably not aware of just how many automated scripts & bots are continuously brute forcing your SSH Server. If you are curious you can check the top 5 attacked SSH accounts with:
awk 'gsub(".*sshd.*Failed password for (invalid user )?", "") {print $1}' /var/log/secure* | sort | uniq -c | sort -rn | head -5
If you want to see your top 5 SSH attackers:
awk 'gsub(".*sshd.*Failed password for (invalid user )?", "") {print $3}' /var/log/secure* | sort | uniq -c | sort -rn | head -5
Rules for choosing secure Linux system account passwords:
Minimum of 8 characters
Mix of upper and lower case letters
Mix of letters and numbers
Non alphanumeric characters (special characters such as ! “ £% ^)
Disable SSH root logins
To disable root logins over SSH open up your sshd_config file on CentOS / RHEL systems this is found at “/etc/ssh/sshd_config”, on Debian based systems (Ubuntu) this could vary. Make sure you have the following entry:
1 2 | |
Restart SSH:
1
| |
From now on if you require root access over SSH you will need to login as a normal user and type “su –” to get root.
Disable SSH protocol 1
To disable protocol 1 for SSH make sure your “/etc/ssh/sshd_config” has the following uncommented:
1 2 | |
Restart SSH (instructions above).
Change the SSH Port on the server
This step is more security by obscurity, changing SSH default port 22 to a port of your choice (normally high) will reduce the amount of bots trying to brute for your SSH server.
To change SSH server port add the following entry in your “/etc/ssh/sshd_config”:
1 2 | |
(Don’t use the port number listed above and don’t use 2222, everyone uses this port and it gets scanned almost as much as 22).
You will need to specify the new port you have chosen in Putty or on the command line when connecting, on Putty this is pretty obvious on Unix you would do so by:
1
| |
Allow specific Users on SSH
If it’s only you and a bunch of other admin’s accessing the server over SSH I would recommend the use of AllowUser in the ssh_config, this is a ACL for SSH allowing only the users written in the config file. The example below would allow keith & bart to access the server over SSH:
1
| |
Change SSH login grace time
This is the period of unauthenticated time the connection is left open, the time you have to login. By default it’s normally 2 minutes, which is far to long in my opinion… I change mine to 30 seconds.
1
| |
Limit the amount of unauthenticated SSH connections
When SSH servers are cracked attackers open up as many SSH connections to your server as possible, the more connections they can open the more simultaneous parallel crack attempts then can run.
Adding the following to your sshd_config file will allow 2 unauthenticated connections to your server at the same time and randomly and increasingly drop connection attempts between 2 and the maximum of 10. If you have a lot of valid SSH user authenticating on your servers at the same time this should be increased.
1 2 | |
Block SSH Attacks
When people attempt to brute force attack your server they well continuously try a number of username and password combinations until they gain access. You can stop brute force attacks by blocking repeated attempts to login from the same IP address. There are two ways to do this, install DenyHosts or use iptables, I would pick one method not both, if you have more time use iptables if you are not confident with iptables then use DenyHosts.
Block SSH attacks with iptables:
1 2 | |
Block SSH attacks with DenyHosts:
Install DenyHosts on CentOS:
First you need to install the EPEL repo one installed do the following:
1
| |
Install DenyHosts on Ubuntu or Debian:
1
| |
iptables rule for SSH: allow only specific IP addresses to connect
Only allow certain IP addresses to connect to your SSH server, e.g your office.
1
| |
Use Public Private Keys for SSH Authentication
This eliminates crack attempts on your SSH server as each user requires a key to connection. See our guide on SSH key based authentication.
After setting up your SSH keys edit your sshd_config file to never accept password based authentication again, preventing anyone ever guessing a users password again.
1
| |
If you followed this guide correctly you should have a much more secure SSH server , if you found this guide helpful please share it via Facebook Twitter Google Plus etc :)