Securing SSH

Tags: ssh

Categories: linux

These are some tips for securing an SSH server on a Linux host. The configuration file is usually located at /etc/ssh/sshd_config. Note that sshd uses the first value it finds for a keyword, so an earlier definition higher up in the file (for example a distribution default) overrides one you add further down.

  1. Disable empty passwords
    PermitEmptyPasswords no
    
  2. Change default port
    The default port is 22/tcp and most automated attack scripts target only that port, so changing it may reduce the number of attempts you see. This is noise reduction rather than hardening: a port scan still finds the service, so combine it with the other settings here.
    Port 2345
    
  3. Disable root login
    PermitRootLogin no
    
  4. Disable SSH protocol 1
    Protocol 2
    

    Current OpenSSH releases no longer support protocol 1 and ignore this directive with a deprecation warning; it is still harmless to keep for older servers that do support it.
    
  5. Configure idle timeout interval
    ClientAliveInterval sets how many seconds sshd waits without receiving data from the client before it probes the connection.
    ClientAliveInterval 300
    

    The value above keeps a five-minute interval. After this interval, the SSH server sends an alive message to the client through the encrypted channel. If it gets no response it tries again, and after ClientAliveCountMax unanswered messages the connection is closed and the end user is logged out.
    You may also control how many times it sends the alive message before disconnecting:

    ClientAliveCountMax 2
    

    With the two values above, an unresponsive client is dropped after roughly ten minutes. A working ssh client answers these messages automatically, so this clears dead or unreachable connections rather than sessions a user has merely left idle.
    
  6. Allow SSH access to selected users only
    Allow SSH access to a selected few users, which restricts all other users.
    AllowUsers User1 User2
    

    You may also add selected users to a new group and allow only this group to access SSH.

    AllowGroups ssh_group
    

    You may also use DenyUsers and DenyGroups to deny SSH access to certain users and groups. The allow/deny directives are processed in the order DenyUsers, AllowUsers, DenyGroups, AllowGroups.

  7. Disable X11 forwarding
    X11, the X display server, is the basic framework for a graphical environment. X11 forwarding lets you run a GUI application over SSH; disable it on servers that do not need it.
    X11Forwarding no
    
  8. Mitigate brute force attacks automatically
    You can use a security tool like Fail2Ban.
    Fail2Ban watches the authentication log for failed login attempts per source IP address. If the failures from one address cross a threshold within a set time window, it bans that address (typically with a firewall rule) from reaching SSH for a set period.

  9. Disable password based SSH login
    This leaves only key-based SSH login.
    In this approach, you add the public key of each remote client to the user's authorized_keys file (~/.ssh/authorized_keys) on the SSH server. Those client machines can then log in over SSH without entering the account password.
    PasswordAuthentication no
    

    Check the syntax with sshd -t and then restart the sshd service for the change to take effect.
    When you have this setup, you can disable password based SSH login. Now, only the client machines that have the specified SSH keys can access the server via SSH.
    Before you go for this approach, make sure that you have added your own public key to the server and that a key-based login works. Otherwise, you'll lock yourself out and may lose access to the remote server.

  10. Two-factor authentication with SSH
    To take SSH security to the next level, you may also enable two-factor authentication. In this approach, you receive a one-time password on your mobile phone, by email or through a third-party authentication app.
    More details at https://www.linode.com/docs/security/authentication/two-factor-authentication/use-one-time-passwords-for-two-factor-authentication-with-ssh-on-ubuntu-16-04-and-debian-8/
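
As an added example, not from the original post, here is a small POSIX shell audit that reads sshd_config text and reports the directives covered in items 1 to 9 above. It accounts for two details that trip up manual checks: sshd uses the first occurrence of a keyword, and settings under a Match block apply only conditionally. The sample configuration is constructed for the demo.

```shell
#!/bin/sh
# Audit sshd_config text against the directives recommended in this post.
# Constructed sample configuration for the demo (not a real server's file).
SAMPLE_CONFIG='#PermitRootLogin no
PermitRootLogin yes
PasswordAuthentication=no
PasswordAuthentication yes
x11forwarding no
ClientAliveInterval 0
Match User backup
    PermitEmptyPasswords yes'

# Print the effective global value of one directive. Keywords are case-
# insensitive, "Key value" and "Key=value" are both accepted, and sshd uses
# the FIRST occurrence of a keyword; a Match block ends the global section.
ssh_opt() { # usage: ssh_opt <directive> <config-text>
  printf '%s\n' "$2" | awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
    { sub(/^[ \t]+/, ""); sub(/=/, " ") }   # strip indent, normalise Key=value
    /^#/ || NF == 0 { next }                # comments and blank lines
    tolower($1) == "match" { exit }         # conditional settings start here
    tolower($1) == key { print $2; exit }   # first hit wins
  '
}

# One line per directive (ok / WEAK / UNSET), then a findings count.
audit_sshd_config() { # usage: audit_sshd_config <config-text>
  n=0
  for pair in PermitEmptyPasswords:no PermitRootLogin:no \
              PasswordAuthentication:no X11Forwarding:no; do
    key=${pair%%:*}; want=${pair##*:}
    have=$(ssh_opt "$key" "$1" | tr 'A-Z' 'a-z')
    if [ -z "$have" ]; then
      echo "UNSET $key (built-in default applies; set it to $want)"; n=$((n+1))
    elif [ "$have" != "$want" ]; then
      echo "WEAK  $key $have (expected $want)"; n=$((n+1))
    else
      echo "ok    $key $have"
    fi
  done
  # ClientAliveInterval 0 (the default) means unresponsive clients are never dropped.
  iv=$(ssh_opt ClientAliveInterval "$1")
  case "$iv" in
    ''|0) echo "WEAK  ClientAliveInterval ${iv:-unset} (expected > 0)"; n=$((n+1)) ;;
    *)    echo "ok    ClientAliveInterval $iv" ;;
  esac
  echo "findings: $n"
}

audit_sshd_config "$SAMPLE_CONFIG"
```

On a real host, run audit_sshd_config "$(cat /etc/ssh/sshd_config)", or feed it the output of sshd -T (run as root), which prints the effective settings with defaults filled in.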