SSH Configuration
The “/etc/ssh/sshd_config” file is the system-wide configuration file for the SSH
daemon (sshd). It lets you set the options that decide who may log in, how they
authenticate and what the server logs. The stock configuration is tuned for
compatibility rather than for a hardened server (password logins are allowed,
forwarding is on, logging is minimal), so review it and set the options below.
To edit the “/etc/ssh/sshd_config” file, open it in an editor, for example:
sudo nano /etc/ssh/sshd_config
Note that sshd uses the first value it finds for a keyword, so a setting added at
the end of the file has no effect if the same keyword already appears earlier
(or in a file pulled in by an Include directive); change the existing line
instead of appending a new one.
Change SSH listening port
By default, SSH listens on port 22. Attackers run port scanners and automated
brute-force tools against that port, so moving the daemon to another port cuts
the volume of noise in your logs. It does not hide the service from a targeted
scan (the SSH banner identifies it on any port), so treat it as a convenience,
not as a security control; the key and firewall settings below are what
actually keep attackers out.
To change the default port to 2200, change:
Port 22
to
Port 2200
Only use protocol 2
Version 1 of the protocol has known cryptographic weaknesses and must not be
used. Protocol 2 is the default entry on Ubuntu:
Protocol 2
OpenSSH removed server support for protocol 1 in release 7.4, so on current
systems this keyword is accepted only for backward compatibility and no longer
selects anything; leave the line in place if it is there, but do not expect to
find it in new default configuration files.
Limit users access
Allow only the specific accounts that need SSH to log in; every other account
is then refused before any password or key is checked. By default, this option
is not present in the SSH configuration file.
To allow “user1” and “user2,” add the following line:
AllowUsers user1 user2
AllowGroups works the same way for a group, and a user@host pattern limits an
account to logins from a given host. Remember to include your own account, or
you will lock yourself out.
Configure SSH for password-less login
There are two common ways of logging into an SSH server: password-based
authentication and key-based authentication. Password authentication is easy
to use and just as easy to guess or brute-force, especially if a user picks a
weak password. SSH keys are a convenient and far stronger alternative, and are
recommended for all users.
On your client machine, generate an SSH key pair with the following command:
ssh-keygen -t rsa
The key pair is written to ~/.ssh (ssh-keygen creates the directory if it does
not exist). When asked for a passphrase, set one rather than pressing Enter: an
unprotected private key gives anyone who copies the file access to the server.
This produces two files: id_rsa.pub (public key) and id_rsa (private key). On
current OpenSSH, “ssh-keygen -t ed25519” produces a smaller and faster key of
comparable or better strength; if you use it, the files are named id_ed25519
and id_ed25519.pub in the steps below.
On your server, create the following folder (if it doesn’t exist):
mkdir -p ~/.ssh/
Back on your client machine, copy the “id_rsa.pub” file to your server using the
following command:
scp -P "yourport" ~/.ssh/id_rsa.pub username@serverip:~/.ssh
Change “yourport” to the port number that your SSH server is using (the default
is 22) and “serverip” to the server’s IP address. Copy only the .pub file; the
private key never leaves the client.
On your server machine, append the key to authorized_keys, set the permissions
that sshd’s StrictModes check requires, and remove the copied file:
cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
rm ~/.ssh/id_rsa.pub
(The ssh-copy-id tool shipped with OpenSSH performs the copy and the append in
one step: “ssh-copy-id -p yourport username@serverip”.)
To test if the key-based authentication method works, try connecting to your
SSH server from the client machine. Note that ssh takes the port with a
lowercase -p, unlike scp:
ssh -p "yourport" username@serverip
Run the test with password authentication switched off on the client side
(“ssh -p yourport -o PasswordAuthentication=no username@serverip”), so that a
silent fallback to your password does not hide a broken key setup.
Only once this works, disable passwords on the server by setting
“PasswordAuthentication no” in sshd_config, so that keys are the only way in.
On Ubuntu also make sure KbdInteractiveAuthentication (called
ChallengeResponseAuthentication on older releases) is set to no, otherwise PAM
can still prompt for a password through keyboard-interactive authentication.
Keep an existing session open while you make these changes, so you can undo
them if the new settings lock you out.
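The server-side part of the procedure above (create ~/.ssh, append the key, fix the permissions) as one function that is safe to run repeatedly. This is an example added for this page, not code from the original tutorial: it validates that the file really is a one-line OpenSSH public key before touching authorized_keys, skips keys that are already installed even if their comment changed, and sets the permissions StrictModes insists on. The second argument (home directory) is an assumption made only so the function can be exercised against a scratch directory; in normal use it defaults to $HOME.

```shell
# install_pubkey PUBKEY_FILE [HOME_DIR]
#   returns 0 when the key is installed or already present,
#   1 when PUBKEY_FILE does not look like an OpenSSH public key.
# Example added for this page; HOME_DIR defaults to $HOME.
install_pubkey() {
    pub=$1
    home=${2:-$HOME}
    sshdir="$home/.ssh"
    auth="$sshdir/authorized_keys"

    # An OpenSSH public key is a single line: key type, base64 blob, optional
    # comment.  Refusing anything else keeps a private key or a stray file
    # from being appended to authorized_keys by mistake.
    if ! awk 'NR == 1' "$pub" | grep -Eq \
        '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'
    then
        echo "install_pubkey: $pub does not look like an OpenSSH public key" >&2
        return 1
    fi

    # Permissions sshd's StrictModes requires: nobody else may write to the
    # directory or the file, otherwise the keys are silently refused.
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    touch "$auth"
    chmod 600 "$auth"

    # Compare on type and blob only, so the same key with a different comment
    # is not installed twice.
    blob=$(awk 'NR == 1 { print $1 " " $2 }' "$pub")
    if awk -v b="$blob" '($1 " " $2) == b { found = 1 } END { exit !found }' "$auth"
    then
        echo "install_pubkey: key already present in $auth" >&2
        return 0
    fi
    awk 'NR == 1' "$pub" >> "$auth"
    echo "install_pubkey: key added to $auth" >&2
}
```

Run it on the server as the target user after scp has delivered the file, for example “install_pubkey ~/.ssh/id_rsa.pub”, then delete the copied .pub file as in the manual steps. Because it only ever appends one validated line and never rewrites authorized_keys, existing keys are untouched.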
Disable root login
There is no need to log in as root over the network: a normal user can obtain
root privileges with su or sudo after logging in. Root is the one account name
every attacker already knows, so brute-force attempts target it first. Denying
root logins over SSH removes that target and ties every privileged action to a
named user in the logs.
To disable root login, change the line
PermitRootLogin without-password
to
PermitRootLogin no
(Newer OpenSSH releases spell the old setting prohibit-password and use it as
the default; it still lets root log in with a key, so change it to no.)
Restrict the interface to log in
By default sshd accepts connections on every address of the machine. If the
server has several interfaces (for example a management network and a public
one), bind it only to the address that should offer SSH by changing the
commented line
#ListenAddress ::
to
ListenAddress 192.168.1.20
Use the address of your own management interface. A Port line must appear
before any ListenAddress line that does not specify its own port.
Disable .rhosts files
The .rhosts files specify which users can access the r-commands (rsh, rcp,
rlogin, etc.) on the local machine without a password, and sshd consults them
when host-based authentication is enabled. By default they are ignored; if not,
make sure the line below reads as shown.
IgnoreRhosts yes
Older guides also list the two lines below. RhostsAuthentication and
RSAAuthentication belonged to protocol 1 and have been removed from OpenSSH;
current versions accept them only as deprecated keywords that are ignored with
a warning, so they can be left out of a new configuration.
RhostsAuthentication no
RSAAuthentication yes
Disable host-based authentication
SSH’s host-based authentication (trusting a client machine by its host key
together with the system-wide shosts.equiv or per-user .shosts files) is more
secure than .rhosts authentication, but it still means that a compromised
client host gives the attacker every account that host is trusted for. Hosts
should not trust one another in this way. By default, this option is disabled.
If not, then change the line shown below.
HostbasedAuthentication no
Set a login grace timeout
The “LoginGraceTime” specifies how long after a connection is opened the server
waits for authentication to complete before disconnecting. Unauthenticated
connections occupy the slots counted by MaxStartups (below), so a shorter grace
time frees them sooner when someone is hammering the port. It is recommended
to reduce it to 60 seconds.
For this, change the line
LoginGraceTime 120
to
LoginGraceTime 60
Set maximum startup connections
MaxStartups limits the number of concurrent connections that have not yet
authenticated; once the limit is reached, further connection attempts are
refused until one of the pending connections logs in or its grace time
expires. The three-number form start:rate:full enables random early drop: with
10:30:60, sshd refuses 30% of new unauthenticated connections once 10 are
pending, rising linearly to refusing all of them once 60 are pending. A lower
limit makes a brute-force attack far less efficient.
For this, change the line
#MaxStartups 10:30:60
to
MaxStartups 2
Be aware that a hard limit this low applies to you as well: two stalled
connections from anywhere are enough to refuse your own login until they time
out (see LoginGraceTime above). On a server used by several people, the
rate-limited form, for example MaxStartups 3:50:10, is the safer choice.
Disable forwarding
SSH can tunnel other traffic through an authenticated session: X11 forwarding
carries a remote application’s display back to the client, and TCP port
forwarding relays arbitrary connections. Attackers use these tunnels to pivot
from a compromised account to other systems and to slip past network filters,
so disable whatever your users do not need.
To disable X11 forwarding, change the line
X11Forwarding yes
to
X11Forwarding no
The port forwarding the heading refers to is a separate setting: set
AllowTcpForwarding to no to turn it off, and AllowAgentForwarding to no unless
users genuinely need to carry their agent across hops.
Log more information
The default LogLevel INFO already records each successful and failed login
with the user name and source address. VERBOSE additionally logs which key
matched, including the authorized_keys file and line number, which lets you
trace a session back to a specific key when investigating an incident.
For this, change the line
LogLevel INFO
to
LogLevel VERBOSE
Avoid the DEBUG levels on a production server: they log far more than you
want, and the sshd_config manual notes that they violate user privacy.
Disable empty passwords
Accounts with an empty password must not be able to log in over SSH. By
default PermitEmptyPasswords is disabled on Ubuntu; if it is not, change the
line shown below.
PermitEmptyPasswords no
Set idle timeout interval
By default, these options are not present in the SSH configuration file. It is
recommended to set a timeout so that an unattended session is not left open
indefinitely.
For this, add the following lines
ClientAliveInterval 300
ClientAliveCountMax 0
With these values sshd sends a keepalive request after 300 seconds without
traffic from the client. On OpenSSH releases before 8.2, a count of 0 makes it
disconnect at that point whether or not the client answers, which is why this
pair has long been used as an idle timeout. Since OpenSSH 8.2 a count of 0
disables disconnection entirely, and any non-zero count only drops clients
that stop answering the keepalives; a connected but idle client keeps
answering and is never dropped. On current servers, therefore, use these
options to clean up dead connections (for example ClientAliveInterval 300
with ClientAliveCountMax 2) and enforce a true idle timeout in the login
shell, for example with bash’s TMOUT variable.
Strict mode
This makes sshd refuse to use a user’s home directory, .ssh directory or key
files when other users can write to them, since anyone who can write to
authorized_keys can add a key. By default, this option is enabled. If not,
change the following line.
StrictModes yes
Now save and exit the /etc/ssh/sshd_config file. Check it for mistakes with
“sudo sshd -t” before restarting (it prints nothing when the file is valid): a
configuration error stops sshd from starting, and a restart from a remote
session then leaves you with no way back in. Then restart the SSH server.
sudo service ssh restart
Keep your current session open and confirm that a fresh login works before
closing it.
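A way to check the finished file against the recommendations on this page before restarting. This is an example script added for this page, not part of the original tutorial. It reads a configuration file the way sshd does (keywords are case-insensitive, the first occurrence of a keyword wins, and anything inside a Match block is conditional and therefore skipped) and reports every recommended keyword that is unset or has a value outside the accepted range. The list of keywords and accepted values is an assumption drawn from the sections above; Include directives are not followed and the keyword=value spelling is not handled, so for a configuration that uses either, run it on the output of “sudo sshd -T”, which prints the effective values.

```shell
# ssh_opt FILE KEYWORD -> prints the effective value of KEYWORD, or nothing.
# First occurrence wins and Match blocks are skipped, as in sshd_config(5).
ssh_opt() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*(#|$)/         { next }   # comment or blank line
        tolower($1) == "match" { exit }   # rest of the file is conditional
        tolower($1) == key     { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# ssh_audit FILE -> prints one line per recommendation the file does not
# meet; returns 0 when everything matches, 1 otherwise.  An unset keyword is
# reported as <default>, because sshd then falls back to its compiled-in
# default (for PasswordAuthentication that default is yes).
ssh_audit() {
    rc=0
    # keyword:regex of acceptable values (matched case-insensitively);
    # example policy for this page, adjust to taste
    for pair in \
        'PermitRootLogin:^no$' \
        'PasswordAuthentication:^no$' \
        'PermitEmptyPasswords:^no$' \
        'IgnoreRhosts:^yes$' \
        'HostbasedAuthentication:^no$' \
        'X11Forwarding:^no$' \
        'LogLevel:^verbose$' \
        'StrictModes:^yes$' \
        'LoginGraceTime:^([1-9]|[1-5][0-9]|60)$' \
        'ClientAliveInterval:^[1-9][0-9]*$'
    do
        key=${pair%%:*}
        want=${pair#*:}
        have=$(ssh_opt "$1" "$key")
        if ! printf '%s\n' "$have" | grep -Eiq "$want"; then
            printf '%s: want %s, have %s\n' "$key" "$want" "${have:-<default>}"
            rc=1
        fi
    done
    return "$rc"
}
```

Typical use is “ssh_audit /etc/ssh/sshd_config” after editing, or “sudo sshd -T > /tmp/effective.conf; ssh_audit /tmp/effective.conf” to audit what sshd will actually apply. The first-occurrence rule is the one that bites in practice: a “PermitRootLogin no” appended below an existing “PermitRootLogin yes” is silently ignored, and the audit reports it.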
Secure SSH using TCP wrappers
TCP wrappers provide host-based access control for network services linked
against libwrap: the daemon looks the connecting address up in
/etc/hosts.allow and then in /etc/hosts.deny. Note that OpenSSH dropped
libwrap support in release 6.7, so on a current Ubuntu these files are ignored
by sshd unless the distribution’s build re-adds the feature; check with
“ldd $(which sshd) | grep libwrap” and, if nothing is printed, rely on the
firewall rules in the next section instead.
Edit your “/etc/hosts.allow” file to allow SSH only from 192.168.1.2 and
172.16.23.12.
sudo nano /etc/hosts.allow
Add the following line:
sshd : 192.168.1.2 172.16.23.12
A hosts.allow entry on its own restricts nothing, because the default when no
rule matches is to allow; the restriction only takes effect once
/etc/hosts.deny contains a matching deny rule for sshd, such as “sshd : ALL”.
Secure SSH using iptables
An SSH server should accept connections only from your LAN or from known
remote sites, not from the whole Internet. Allow only specific IP addresses to
reach SSH and drop everything else. The rules below use port 2200, the port
chosen earlier; use 22 if you kept the default.
First make sure that packets belonging to connections that are already
established are accepted ahead of any DROP rule. The ACCEPT rule that follows
matches only the first packet of a connection, so without this rule the
allowed host’s own session, including the one you type these commands in, is
cut off after its first packet:
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
To allow new SSH connections only from 192.168.1.2, run the following command:
sudo iptables -A INPUT -p tcp -m state --state NEW --source 192.168.1.2 --dport 2200 -j ACCEPT
Disable SSH connections from all other hosts by running the following
command:
sudo iptables -A INPUT -p tcp --dport 2200 -j DROP
Rules are appended in order and evaluated top to bottom, so every ACCEPT line
must come before the DROP line. The rules are lost at reboot unless saved; the
iptables-persistent package reloads /etc/iptables/rules.v4 at boot. Save the
current rules using the following command:
sudo sh -c 'iptables-save > /etc/iptables/rules.v4'
(A plain “sudo iptables-save > /etc/iptables/rules.v4” fails with permission
denied, because the redirection is performed by your unprivileged shell, not
by sudo.)
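The same rule set as a generated iptables-restore file, so that it can be reviewed before it is loaded and dropped straight into /etc/iptables/rules.v4. This is an example added for this page, not part of the original tutorial; the port and the allowed addresses are arguments, and the values in the usage below are the page’s own. The function only emits text; it runs no iptables command itself.

```shell
# ssh_fw_rules PORT IP [IP...]
#   prints a complete filter table in iptables-restore format that accepts
#   new SSH connections on PORT only from the listed addresses (CIDR allowed)
#   and drops every other packet aimed at PORT.  Other ports are untouched.
# Example added for this page.
ssh_fw_rules() {
    port=$1
    shift
    case "$port" in
        ''|*[!0-9]*) echo "ssh_fw_rules: port must be numeric" >&2; return 1 ;;
    esac
    [ "$#" -ge 1 ] || { echo "ssh_fw_rules: at least one address required" >&2; return 1; }
    # validate everything before printing a single line, so a bad argument
    # cannot leave a half-written ruleset behind
    for ip in "$@"; do
        case "$ip" in
            ''|*[!0-9./]*) echo "ssh_fw_rules: bad address '$ip'" >&2; return 1 ;;
        esac
    done

    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    # Continuation packets of already-accepted connections (including the
    # session used to load these rules) must be matched BEFORE the DROP below:
    # the NEW-only ACCEPT rules match just the first packet of a connection.
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for ip in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -m state --state NEW -s $ip -j ACCEPT"
    done
    # Everything else aimed at the SSH port is dropped.
    printf '%s\n' "-A INPUT -p tcp --dport $port -j DROP"
    printf '%s\n' 'COMMIT'
}
```

Review the output of “ssh_fw_rules 2200 192.168.1.2 172.16.23.12” first. Loading it with “ssh_fw_rules 2200 192.168.1.2 | sudo iptables-restore” replaces the whole filter table, so merge it into your existing rules if you have any; “ssh_fw_rules 2200 192.168.1.2 | sudo tee /etc/iptables/rules.v4” writes the file that iptables-persistent loads at boot, and avoids the sudo redirection problem noted above. Loading the rules from a session on an allowed host is the safest order: if you get the addresses wrong, that session survives because of the ESTABLISHED rule and you can still fix them.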