Linux Stuff && Coffee

How to Secure SSH Servers


How To Secure SSH Servers on Linux

Pass your next Security Assessment / Penetration Test

This guide shows you, step by step, how to secure the SSH servers on your network or hosted directly on the Internet. Securing your SSH servers prevents brute force attacks and the other SSH issues that are typically raised during network security audits and penetration tests, or worse, in a breach report.

How To Secure SSH

What is SSH ?

SSH is the standard way for admins to connect to Linux servers securely over an encrypted tunnel. However, a default install of SSH is far from perfect and can allow an attacker to hack SSH and acquire a shell on a remote server, so follow our tutorial on how to secure SSH servers. This guide should work for all Linux distros using OpenSSH Server: Ubuntu, Debian, CentOS, RHEL, Gentoo, Fedora etc.

Security Harden SSH Servers

Follow the instructions below to security harden the SSH servers on your network; you will lock SSH down so tight not even Trinity could exploit you with her mad nmap skills :)

Use Strong SSH Passwords

It sounds obvious, but make sure all the passwords on your system are secure; you are probably not aware of just how many automated scripts and bots are continuously brute forcing your SSH server. If you are curious, you can check the top 5 attacked SSH accounts with:

awk 'gsub(".*sshd.*Failed password for (invalid user )?", "") {print $1}' /var/log/secure* | sort | uniq -c | sort -rn | head -5

If you want to see your top 5 SSH attackers (source IP addresses):

awk 'gsub(".*sshd.*Failed password for (invalid user )?", "") {print $3}' /var/log/secure* | sort | uniq -c | sort -rn | head -5
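The same counting done in Python over a few constructed log lines, as an added example that is not part of the original guide. It matches the same sshd message the awk one-liners strip, and additionally separates failures against accounts that exist on the host from guesses at nonexistent ones (the "invalid user" lines), which is what you actually want to worry about:

```python
import re
from collections import Counter

# Constructed sample lines in the syslog format sshd writes to /var/log/secure
# (CentOS/RHEL) or /var/log/auth.log (Debian/Ubuntu); not real log data.
SAMPLE_LOG = """\
Mar  3 10:01:12 host sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 10:01:15 host sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Mar  3 10:01:20 host sshd[2105]: Failed password for root from 203.0.113.5 port 51250 ssh2
Mar  3 10:02:02 host sshd[2110]: Failed password for keith from 198.51.100.7 port 40000 ssh2
Mar  3 10:02:30 host sshd[2112]: Accepted publickey for keith from 198.51.100.7 port 40010 ssh2
Mar  3 10:03:00 host sshd[2115]: Failed password for invalid user oracle from 192.0.2.9 port 33000 ssh2
"""

# Same message the awk one-liners above strip; the optional 'invalid user'
# prefix tells us whether the guessed account exists on this host.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def failed_logins(log_text):
    """Yield (user, source_ip, account_exists) per failed password attempt."""
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group("user"), m.group("ip"), m.group("invalid") is None

def top_attacked(log_text, n=5):
    """Return the n most targeted accounts, the n noisiest sources, and how
    many failures hit accounts that really exist (the ones worth worrying
    about, since an 'invalid user' guess can never succeed)."""
    users, ips, real = Counter(), Counter(), 0
    for user, ip, exists in failed_logins(log_text):
        users[user] += 1
        ips[ip] += 1
        real += exists
    return users.most_common(n), ips.most_common(n), real

if __name__ == "__main__":
    accounts, sources, real = top_attacked(SAMPLE_LOG)
    print("top attacked accounts:", accounts)
    print("top attacking sources:", sources)
    print("failures against existing accounts:", real)
```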

Rules for choosing secure Linux system account passwords:

  • Minimum of 8 characters

  • Mix of upper and lower case letters

  • Mix of letters and numbers

  • Non-alphanumeric characters (special characters such as ! " £ % ^)

Disable SSH root logins

To disable root logins over SSH, open up your sshd_config file. On CentOS / RHEL systems this is found at "/etc/ssh/sshd_config"; on Debian based systems (Ubuntu) the location could vary. Make sure you have the following entry:

# Prevent root logins:
PermitRootLogin no

Restart SSH:

/etc/init.d/sshd restart

From now on, if you require root access over SSH you will need to log in as a normal user and type "su -" to get root.

Disable SSH protocol 1

To disable protocol 1 for SSH make sure your "/etc/ssh/sshd_config" has the following uncommented:

# Protocol 2,1
Protocol 2

Restart SSH (instructions above).

Change the SSH Port on the server

This step is more security by obscurity: changing the SSH default port 22 to a port of your choice (normally a high one) will reduce the number of bots trying to brute force your SSH server.

To change the SSH server port add the following entry in your "/etc/ssh/sshd_config":

# Run ssh on a non-standard port:
Port 2233

(Don't use the port number listed above, and don't use 2222; everyone uses that port and it gets scanned almost as much as 22.)

You will need to specify the new port you have chosen in PuTTY or on the command line when connecting. In PuTTY this is pretty obvious; on Unix you would do so with:

ssh -p 2233 [email protected]

Allow specific Users on SSH

If it's only you and a bunch of other admins accessing the server over SSH, I would recommend using AllowUsers in sshd_config; this is an ACL for SSH allowing only the users listed in the config file. The example below would allow keith and bart to access the server over SSH:

AllowUsers keith bart

Change SSH login grace time

This is the period of time an unauthenticated connection is left open, i.e. the time you have to log in. By default it's normally 2 minutes, which is far too long in my opinion... I change mine to 30 seconds.

LoginGraceTime 30

Limit the amount of unauthenticated SSH connections

While attackers are trying to crack an SSH server they open up as many SSH connections to it as possible: the more connections they can open, the more simultaneous parallel crack attempts they can run.

Adding the following to your sshd_config file allows 2 unauthenticated connections to your server at the same time; once that many are pending, further unauthenticated connection attempts are refused at random, starting at a 50% refusal rate and rising to 100% at the maximum of 10. If you have a lot of valid SSH users authenticating to your servers at the same time, these numbers should be increased.

#MaxStartups 10
MaxStartups 2:50:10
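How those three numbers play out, as an added Python example that is not part of the original guide: it reproduces the refusal probability sshd computes for a given number of pending unauthenticated connections, using the same integer arithmetic as OpenSSH's drop_connection() in sshd.c.

```python
import random

def parse_max_startups(value):
    """Parse a MaxStartups value, either '10' or 'start:rate:full'."""
    parts = [int(p) for p in value.split(":")]
    if len(parts) == 1:
        # A bare number refuses everything once that many are pending,
        # so the rate never comes into play.
        return parts[0], 100, parts[0]
    if len(parts) != 3:
        raise ValueError("expected N or start:rate:full")
    start, rate, full = parts
    if not 0 <= rate <= 100 or start > full:
        raise ValueError("rate must be 0-100 and start <= full")
    return start, rate, full

def refuse_probability(start, rate, full, pending):
    """Percent chance that sshd refuses one more unauthenticated connection
    when `pending` are already open; integer arithmetic matches OpenSSH's
    drop_connection()."""
    if pending < start:
        return 0
    if pending >= full or rate == 100:
        return 100
    # Rise linearly from `rate` at `start` pending connections to 100% at `full`.
    return rate + (100 - rate) * (pending - start) // (full - start)

def should_refuse(start, rate, full, pending, rng=random):
    """The per-connection coin flip sshd makes with that probability."""
    return rng.randrange(100) < refuse_probability(start, rate, full, pending)

def refusal_table(value):
    """(pending, percent refused) for every level up to full, for one MaxStartups value."""
    start, rate, full = parse_max_startups(value)
    return [(n, refuse_probability(start, rate, full, n)) for n in range(full + 1)]

if __name__ == "__main__":
    for pending, pct in refusal_table("2:50:10"):
        print("%2d pending -> %3d%% refused" % (pending, pct))
```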

Block SSH Attacks

When people attempt to brute force your server they will continuously try a number of username and password combinations until they gain access. You can stop brute force attacks by blocking repeated login attempts from the same IP address. There are two ways to do this: install DenyHosts, or use iptables. I would pick one method, not both; if you have more time use iptables, if you are not confident with iptables then use DenyHosts.

Block SSH attacks with iptables:

# Only count NEW connections (packets of already established sessions must be accepted by an earlier ESTABLISHED,RELATED rule):
# record the source, drop it once it has made 4 attempts within 60 seconds, otherwise accept the connection
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name ssh --rsource
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 --name ssh --rsource -j DROP
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

Block SSH attacks with DenyHosts:

Install DenyHosts on CentOS:

First you need to install the EPEL repo; once it is installed, run:

yum install denyhosts

Install DenyHosts on Ubuntu or Debian:

apt-get install denyhosts

iptables rule for SSH: allow only specific IP addresses to connect

Only allow certain IP addresses to connect to your SSH server, e.g. your office.

# Replace <office-ip> with your own address or network; the second rule drops everyone else
iptables -A INPUT -p tcp -s <office-ip> --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP

Use Public Private Keys for SSH Authentication

This eliminates crack attempts on your SSH server, as each user requires a key to connect. See our guide on SSH key based authentication.

After setting up your SSH keys, edit your sshd_config file so it never accepts password based authentication again, preventing anyone from ever guessing a user's password.

PasswordAuthentication no
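To check that all of the above actually took effect, here is an added Python example (not part of the original guide) that reads an sshd_config the way sshd does and reports which of the steps in this guide the file fails. The config text is constructed for the example; it assumes the documented defaults of port 22 and a 2 minute LoginGraceTime when those keywords are absent, and it stops at the first Match block because settings inside one only apply to the connections it matches.

```python
# Constructed sshd_config excerpt, not from any real host. It shows the trap this
# check handles: sshd keeps the FIRST value of a repeated keyword, so the
# 'PermitRootLogin no' below is silently ignored.
SAMPLE_CONFIG = """\
PermitRootLogin yes
# Prevent root logins:
PermitRootLogin no
Protocol 2
Port 2222
LoginGraceTime 2m
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
"""

def effective_settings(text):
    """Global values as sshd resolves them: first occurrence wins, keywords are
    case-insensitive, and Match blocks are skipped (they only apply to matched connections)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, value = (line.split(None, 1) + [""])[:2]
        if key.lower() == "match":
            break
        settings.setdefault(key.lower(), value.strip())
    return settings

def grace_seconds(value):
    """LoginGraceTime allows a bare number (seconds) or an s/m/h suffix."""
    unit = {"s": 1, "m": 60, "h": 3600}.get(value[-1], 1)
    return int(value.rstrip("smh")) * unit

# One entry per hardening step in this guide: keyword and a test on its
# effective value (None when the keyword is absent from the config).
CHECKS = [
    ("PermitRootLogin", lambda v: v == "no"),
    ("Protocol", lambda v: v == "2"),
    ("Port", lambda v: v not in (None, "22", "2222")),  # absent means 22
    ("LoginGraceTime", lambda v: grace_seconds(v or "120") <= 30),  # absent means 2m
    ("MaxStartups", lambda v: v is not None),
    ("AllowUsers", lambda v: v is not None),
    ("PasswordAuthentication", lambda v: v == "no"),
]

def audit(text):
    """Return the names of the guide's hardening steps that the config fails."""
    s = effective_settings(text)
    return [name for name, ok in CHECKS if not ok(s.get(name.lower()))]
```

Run audit() on the contents of your own /etc/ssh/sshd_config; an empty list means every step in this guide is in place.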

If you followed this guide correctly you should have a much more secure SSH server. If you found this guide helpful please share it via Facebook, Twitter, Google Plus etc. :)