HARDENING SSH CONFIGURATION


SSH Configuration

The “/etc/ssh/sshd_config” file is the system-wide configuration file for the SSH
server (sshd). It lets you set the options that control how the server
authenticates and serves clients, and so improve its security. The default
configuration leaves several of these options at insecure values, so you need
to edit it first and set proper options to improve the security.


To edit the “/etc/ssh/sshd_config” file, run

sudo nano /etc/ssh/sshd_config


Change SSH listening port

By default, SSH listens on port 22. Attackers use port scanners to see whether an
SSH service is running, and automated scans try this port first. It is
recommended to change the default port. To change the default port to 2200,
change the line

Port 22
to
Port 2200


Only use protocol 2

Version 1 of the protocol contains known security vulnerabilities. Protocol 2 is
the default entry on Ubuntu:


Protocol 2

Protocol 1 support was removed from the OpenSSH server in version 7.4, so on
current releases this line is no longer needed and is ignored.


Limit user access

It is advisable to allow only specific users to log in over SSH; it can improve
your security. By default, this option is not present in the SSH configuration
file. To allow “user1” and “user2,” add the following line:


AllowUsers user1 user2

Configure SSH for password-less (key-based) login


There are two different methods of logging into an SSH server: password-based
authentication and key-based authentication. Password authentication is a very
basic method which is easy to use and easy to crack. Using password
authentication is very insecure, especially if your user uses a weak password.
SSH keys, on the other hand, provide an easy and secure way of logging into a
remote server, and this method is recommended for all users.

On your client machine, generate SSH keys with the following command:

cd ~/.ssh
ssh-keygen -t rsa

Simply press the Enter key at every prompt. This produces two files: id_rsa.pub
(the public key) and id_rsa (the private key). Pressing Enter at the passphrase
prompt stores the private key unencrypted on the client; a passphrase protects
it if the client machine or a backup of it is ever compromised.

On your server, create the following folder (if it doesn’t exist):

mkdir -p ~/.ssh/

Back on your client machine, copy the “id_rsa.pub” file to your server using the
following command:

scp -P "yourport" ~/.ssh/id_rsa.pub username@serverip:~/.ssh

Change “yourport” to the port number that your SSH server is using (22 by
default, or 2200 if you changed it above) and “serverip” to the server’s IP
address.

On your server machine, append the key to the authorized_keys file, set the
permissions and remove the uploaded copy (the paths are given in full so the
commands do not depend on the current directory):

cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
rm ~/.ssh/id_rsa.pub

To test that key-based authentication works, connect to your SSH server from the
client machine (note that ssh takes the port as lowercase -p, unlike scp):

ssh -p "yourport" username@serverip
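The server-side steps above, as an added example that is not from the original article: a POSIX shell helper that installs the uploaded key without duplicating it on repeated runs and verifies the permissions (the key line in the demo is a constructed placeholder, not a real key).

```shell
#!/bin/sh
# Added example, not from the original article: the server-side part of the key
# setup made safe to repeat. install_pubkey appends each key line only if it is
# not already in authorized_keys (re-running the article's "cat >>" would add a
# duplicate), applies the permissions StrictModes accepts, and removes the
# uploaded copy. The key used in the demo is a constructed placeholder.

# install_pubkey UPLOADED_PUB_FILE SSH_DIR
install_pubkey() {
  pub=$1; dir=$2; auth=$dir/authorized_keys
  mkdir -p "$dir" && touch "$auth" || return 1
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in ''|'#'*) continue ;; esac   # skip blanks and comments
    grep -qxF -- "$line" "$auth" || printf '%s\n' "$line" >> "$auth"
  done < "$pub"
  chmod 700 "$dir" && chmod 600 "$auth" && rm -f "$pub"
}

# count_keys SSH_DIR: number of key lines in authorized_keys
count_keys() { grep -cvE '^[[:space:]]*(#|$)' "$1/authorized_keys"; }

# check_perms SSH_DIR: succeed only if the modes are the ones the article sets
# (directory 700, authorized_keys 600), which sshd's StrictModes accepts
check_perms() {
  [ -n "$(find "$1" -prune -perm 700)" ] &&
  [ -n "$(find "$1/authorized_keys" -prune -perm 600)" ]
}

# Demo with a constructed key line (not a real key) in a temporary home
home=$(mktemp -d)
printf '%s\n' 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABPLACEHOLDER user1@client' > "$home/id_rsa.pub"
cp "$home/id_rsa.pub" "$home/again.pub"
install_pubkey "$home/id_rsa.pub" "$home/.ssh"
install_pubkey "$home/again.pub" "$home/.ssh"   # second run adds nothing
count_keys "$home/.ssh"                          # prints 1
check_perms "$home/.ssh" && echo "permissions ok"
```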

Disable root login

It is not necessary to log in as root over SSH. Normal users can use su or sudo
to gain root-level access instead. Most attackers will try the root user first,
which is a big security risk, so it is recommended to deny root login.

To disable root login, change the line

PermitRootLogin without-password
to
PermitRootLogin no

The without-password value (called prohibit-password in newer OpenSSH releases,
where without-password remains as an alias) still lets root log in with a key;
no blocks root login entirely.

Restrict the interface to log in

By default, sshd listens on every address of the host. To accept logins only on
one interface, bind it to that interface's address by changing the line

#ListenAddress ::
to
ListenAddress 192.168.1.20

Binding only an IPv4 address also means sshd no longer listens on IPv6.

Disable .rhosts files

The .rhosts files specify which users can access the r-commands (rsh, rcp,
rlogin, etc.) on the local machine without a password. By default, sshd ignores
.rhosts files; if not, change the lines as shown below.

IgnoreRhosts yes
RhostsAuthentication no
RSAAuthentication yes

IgnoreRhosts is the line that matters. RhostsAuthentication and
RSAAuthentication belong to protocol version 1; current OpenSSH releases do not
support them and log a "Deprecated option" warning when they are present.

Disable host-based authentication

SSH’s host-based authentication is more secure than .rhosts authentication, but
it is still not recommended to let hosts trust one another. By default, this
option is disabled.

If not, then change the line shown below.

HostbasedAuthentication no

Set a login grace timeout

“LoginGraceTime” specifies how long the server waits for a client to
authenticate after the connection is opened before it disconnects the client.
It is recommended to reduce it to 60 seconds.

For this, change the line

LoginGraceTime 120
to
LoginGraceTime 60

Set maximum startup connections

Setting a proper maximum number of concurrent unauthenticated connections to
the SSH daemon can be helpful against a brute-force attack. The default
10:30:60 means that once 10 connections are waiting for authentication, further
attempts are refused with a probability that starts at 30% and rises linearly
to 100% when 60 are pending. A plain number refuses every new attempt once that
many are pending, so a value as low as 2 also means two stalled connections are
enough to turn away legitimate users while they last.

For this, change the line

#MaxStartups 10:30:60
to
MaxStartups 2

Disable forwarding

Forwarding lets a client tunnel other connections (X11 displays, TCP ports)
through an SSH session, and an attacker who has obtained an account can use it
to reach systems behind the server. It is recommended to disable this option.

For this, change the line

X11Forwarding yes
to
X11Forwarding no

This line disables X11 forwarding only; TCP port forwarding is controlled by the
separate AllowTcpForwarding option.

Log more information

By default, sshd logs at the INFO level. If you want more detail on logins and
failed login attempts (VERBOSE also records the fingerprint of the key used in
each key-based login, which is useful for audits), change the value to
“VERBOSE.”

For this, change the line

LogLevel INFO
to
LogLevel VERBOSE

Disable empty passwords

It is necessary to deny users with empty passwords access to your server. By
default PermitEmptyPasswords is disabled in Ubuntu. If not, then change the
line shown below.

PermitEmptyPasswords no

Set idle timeout interval

By default, this option is not present in the SSH configuration file. It is
recommended to set a proper idle timeout so that an unattended ssh session is
closed. The server sends a keep-alive request every ClientAliveInterval seconds
and disconnects the client after ClientAliveCountMax unanswered requests.

For this, add the following lines

ClientAliveInterval 300
ClientAliveCountMax 0

Current OpenSSH releases document that a ClientAliveCountMax of 0 disables the
disconnect altogether; on those versions use a count of 1 or more to get the
idle timeout this section intends.

Strict mode

This makes sshd refuse key files and home directories with insecure permissions
(for example a group- or world-writable ~/.ssh). By default, this option is
enabled. If not, then change the following line.

StrictModes yes

Now save and exit the /etc/ssh/sshd_config file and restart the SSH server. Keep
your current session open and test a fresh login from a second terminal before
closing it, so a mistake in the file cannot lock you out.

sudo service ssh restart
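The whole set of sshd_config changes above, as an added example that is not part of the original article: a POSIX shell helper that applies them idempotently to a copy of the file and reads back the effective values (the sample config it writes is constructed for the demo; on a real host point it at /etc/ssh/sshd_config as root).

```shell
#!/bin/sh
# Added example, not from the original article: apply the article's sshd_config
# changes idempotently to a copy of the file and read back the effective values.
# The sample config written at the bottom is constructed for the demo.

# set_sshd_option FILE KEY VALUE: make "KEY VALUE" the first active line for KEY.
# The first matching line (active or commented out) is rewritten, later copies
# are commented out (sshd honours the first occurrence of an option), and the
# line is appended when KEY is absent. Match blocks are not treated specially.
set_sshd_option() {
  tmp=$(mktemp) || return 1
  awk -v k="$2" -v v="$3" '
    { l = $0; sub(/^[ \t]*#?[ \t]*/, "", l); split(l, f, /[ \t]+/) }
    tolower(f[1]) == tolower(k) && !done { print k " " v; done = 1; next }
    tolower(f[1]) == tolower(k) && done  { print "#" $0; next }
    { print }
    END { if (!done) print k " " v }
  ' "$1" > "$tmp" && cat "$tmp" > "$1" && rm -f "$tmp"   # keeps owner and mode
}

# get_sshd_option FILE KEY: print the value sshd would use (first active line).
get_sshd_option() {
  awk -v k="$2" '
    /^[ \t]*(#|$)/ { next }
    tolower($1) == tolower(k) { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; exit }
  ' "$1"
}

# harden_sshd_config FILE: the settings this article arrives at.
harden_sshd_config() {
  for kv in "Port 2200" "Protocol 2" "PermitRootLogin no" "IgnoreRhosts yes" \
            "HostbasedAuthentication no" "LoginGraceTime 60" "MaxStartups 2" \
            "X11Forwarding no" "LogLevel VERBOSE" "PermitEmptyPasswords no" \
            "ClientAliveInterval 300" "ClientAliveCountMax 0" "StrictModes yes" \
            "AllowUsers user1 user2"; do
    set_sshd_option "$1" "${kv%% *}" "${kv#* }"
  done
}

# Demo on a constructed copy. On a real host run "sudo sshd -t" after editing
# and before restarting, so a typo cannot lock you out of the server.
demo=$(mktemp)
printf '%s\n' '#Port 22' 'Protocol 2' 'PermitRootLogin without-password' \
  'X11Forwarding yes' 'LogLevel INFO' 'LoginGraceTime 120' \
  '#MaxStartups 10:30:60' > "$demo"
harden_sshd_config "$demo"
get_sshd_option "$demo" Port         # prints 2200
get_sshd_option "$demo" AllowUsers   # prints user1 user2
```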

Secure SSH using TCP wrappers

TCP wrappers provide host-based access control for network services that are
built against the libwrap library, which can be used to filter which hosts may
reach them. Edit your “/etc/hosts.allow” file to allow SSH only from 192.168.1.2
and 172.16.23.12.

sudo nano /etc/hosts.allow

Add the following line:

sshd : 192.168.1.2 172.16.23.12

Two points to check: hosts.allow only grants access, and a client that matches
neither hosts.allow nor hosts.deny is allowed, so the line above restricts
nothing until /etc/hosts.deny contains an entry denying sshd from ALL. Also,
upstream OpenSSH dropped libwrap support in version 6.7; verify that the sshd
on your system still honours these files before relying on them (the iptables
rules below work regardless).
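An added example, not part of the original article, that models the libwrap allow/deny decision in POSIX shell and runs it against the hosts.allow line above with and without a denying hosts.deny (the file contents are constructed; only ALL, exact addresses and dotted prefixes are matched).

```shell
#!/bin/sh
# Added example, not from the original article: a cut-down model of the libwrap
# decision (hosts.allow wins, then hosts.deny, a client in neither is allowed),
# run against constructed hosts.allow/hosts.deny contents. It shows that the
# article's hosts.allow line restricts nothing until hosts.deny denies the rest.
# Only ALL, exact IPv4 addresses and "192.168.1." style prefixes are matched;
# the real library also handles hostnames, netmasks, EXCEPT and IPv6.

# wrap_match SERVICE IP FILE: succeed if a "daemons : clients" line matches
wrap_match() {
  awk -v svc="$1" -v ip="$2" -F: '
    /^[ \t]*(#|$)/ { next }
    {
      gsub(/[ \t]/, "", $1); n = split($2, c, /[ \t,]+/)
      if ($1 != "ALL" && $1 != svc) next
      for (i = 1; i <= n; i++) {
        if (c[i] == "ALL" || c[i] == ip) { found = 1; exit }
        if (c[i] ~ /\.$/ && index(ip, c[i]) == 1) { found = 1; exit }
      }
    }
    END { exit !found }
  ' "$3"
}

# wrap_decide SERVICE IP ALLOW_FILE DENY_FILE: print allow or deny
wrap_decide() {
  if wrap_match "$1" "$2" "$3"; then echo allow
  elif wrap_match "$1" "$2" "$4"; then echo deny
  else echo allow
  fi
}

# Demo: the article's hosts.allow with an empty hosts.deny, then with "sshd : ALL"
allow=$(mktemp); deny=$(mktemp)
printf 'sshd : 192.168.1.2 172.16.23.12\n' > "$allow"
: > "$deny"
wrap_decide sshd 10.0.0.9 "$allow" "$deny"       # allow (nothing denies it)
printf 'sshd : ALL\n' > "$deny"
wrap_decide sshd 10.0.0.9 "$allow" "$deny"       # deny
wrap_decide sshd 192.168.1.2 "$allow" "$deny"    # allow
```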

Secure SSH using iptables

An SSH server should accept connections only from your LAN or from known remote
sites. It is recommended to allow only specific IP addresses to reach SSH and to
block all other IP addresses.

To allow SSH connections only from 192.168.1.2, run the following command:

sudo iptables -A INPUT -p tcp -m state --state NEW --source 192.168.1.2 --dport 2200 -j ACCEPT

Disable SSH connections from all other hosts by running the following
command:

sudo iptables -A INPUT -p tcp --dport 2200 -j DROP

Note that the ACCEPT rule matches only the first packet of a connection (state
NEW). Unless an earlier rule in the INPUT chain accepts ESTABLISHED,RELATED
traffic, the DROP rule also discards the remaining packets of the session from
192.168.1.2, so add such a rule before these two if your chain does not already
have one.

Now save your new rules (the path is the one iptables-persistent loads at boot).
The redirection must run as root, so do not simply prefix iptables-save with
sudo, which would open the file as your own user and fail:

sudo sh -c 'iptables-save > /etc/iptables/rules.v4'
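The rules above, as an added example that is not from the original article: a POSIX shell helper that emits them in iptables-restore format together with the ESTABLISHED,RELATED rule they depend on and checks the rule order before anything is applied (the output path is a constructed temporary file).

```shell
#!/bin/sh
# Added example, not from the original article: generate the article's iptables
# rules as an iptables-restore file, with the ESTABLISHED,RELATED rule the
# article's ordering needs (its ACCEPT matches only a connection's first packet,
# so without it the final DROP also discards the rest of the allowed session),
# plus a check of the rule order. Loading the result needs root; generating and
# checking it does not, so it can be reviewed before it touches the firewall.

# gen_ssh_rules PORT ALLOWED_IP...: print the rules file to stdout
gen_ssh_rules() {
  port=$1; shift
  printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]'
  # keep every packet of a connection that an earlier rule already accepted
  printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
  for ip in "$@"; do
    printf '%s\n' "-A INPUT -p tcp -m state --state NEW --source $ip --dport $port -j ACCEPT"
  done
  printf '%s\n' "-A INPUT -p tcp --dport $port -j DROP" 'COMMIT'
}

# check_rule_order FILE: succeed if the ESTABLISHED rule and every per-host
# ACCEPT come before the DROP (INPUT is evaluated top to bottom, first match wins)
check_rule_order() {
  awk '
    /-j ACCEPT/ && /ESTABLISHED/ { est = NR }
    /-j ACCEPT/ && /--dport/     { acc = NR }
    /-j DROP/ && /--dport/       { drop = NR }
    END { exit !(est && drop && est < drop && acc && acc < drop) }
  ' "$1"
}

# Demo: write a preview, check it, and show how it would be applied as root
rules=$(mktemp)
gen_ssh_rules 2200 192.168.1.2 > "$rules"
check_rule_order "$rules" && echo "rule order ok: $rules"
# sudo iptables-restore < "$rules" && sudo cp "$rules" /etc/iptables/rules.v4
```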