Scientific Linux Forum.org

How to secure SSH
redman
 Posted: May 9 2011, 11:04 AM
SLF Admin
Group: Admins
Posts: 1410
Member No.: 2
Joined: 8-April 11

Securing SSH (or OpenSSH) is important since it provides the key to remote management of your webserver, workstation or other Linux computer. Since OpenSSH has become the standard in remote access, it is also the first place where burglars will try to break in. By default an SSH configuration is good but not perfect. With the following six steps you can harden the security.

Step 1: Use strong usernames
This sounds silly, but isn't. You do not want to know how many admins use simple usernames and passwords. If you want to amaze yourself how simple they think, check out this page. So, what should you use? Well, think as a burglar first. They will randomly scan the internet for systems that have port 22 open (the default port number used by SSH, see also step 3). And when they have a hit (an IP address where they detect port 22), they will try to force their way in by pounding on the door with all frequently used usernames and passwords. Checking out your logfiles will give you some idea.

So, what is a good username to use on your server? Well, let's look at usernames not to use. Do not use usernames that are obvious. Not: root, admin, administrator, r00t, etc. But also do not use names from famous people, movies, etc. Also bad: britney, osama, obama, etc. The best username is one that is creative. Use something from your native language (unless it is English). Or something that isn't IT related. You can make it more difficult by mixing lower case letters and CAPITAL letters: like "DonaldDuck" for example.

Step 2: Use strong passwords
Just like strong usernames, the passwords should be even stronger. It goes without saying that passwords shouldn't contain bits and pieces that can be related to you. So names from your kids, husband/wife, pets should be avoided, obviously. Nor is any date related to you. A list of bad passwords can be found here.

Again, be creative. You could use:
- a minimum of 8 characters (the bigger the better)
- mix lower case and capital letters (DuCkSaUcE instead of ducksauce)
- mix letters, numbers and special characters (such as #, %, !, etc.)
- replace letters with something special (for example, replace "a" by "@")

Step 3: Change the default firewall port used by SSH
By default, SSH uses port 22 as door to the outside world. And that is exactly the reason you should change it 'cause burglars know it too. Take a look at this page for a free port. Anything above 1024 is good and won't require you to disable SELinux. Of course do not use 222 and 2222 as they are too obvious. Be creative (did I mention that before?).

Changing this is simple. Use your favorite editor and as root open the file /etc/ssh/sshd_config and locate/add this info:
CODE
# Run ssh on a non-standard port:
Port 22

Change 22 to anything you like.
Restart the sshd service:
CODE
service sshd restart


Important: before you change this, you need to configure your firewall first!
Allow the new port to be open otherwise you will not be able to login.
Afterwards you need to close port 22 to fool burglars.

Step 4: Limit the number of users to login
Another way of securing your system is to limit the number of users that are allowed to use SSH. The reason for limiting is simple, the more people have a password, the bigger the chance one of them could be compromised. Limiting the users is, again, a simple thing to do. Use your favorite editor and as root open the file /etc/ssh/sshd_config and add this info at the end of the file:
CODE
AllowUsers george troy

Restart the sshd service and only George and Troy can login.

Step 5: Disable Root login
I do not think the reasons why root shouldn't be able to login need to be explained.
Disabling is easy. As root open the file /etc/ssh/sshd_config and locate/add this info:
CODE
# Prevent root logins:
PermitRootLogin yes

Change this to no and restart the sshd service.

Step 6: Disable SSH protocol 1
From the past there are two SSH protocols in use, 1 and 2.
By default, especially with newer distros, only protocol 2 is in use.
Protocol 1 is an older one and less secure. Make sure it is disabled.
Open the file /etc/ssh/sshd_config and check if the following is set:
CODE
# Protocol 2,1
Protocol 2

If you had to change this restart the sshd service.


Remark: you might have noticed that I used the word "burglar" instead of "hacker" (as most news agencies do). This is simply because a hacker is something other than a script-kiddie who tries to force his way into someone's computer. If you want to know the difference, read here.


--------------------
What is SL? - Forum Rules - Info on 3rd Party Repos

Desktop: ASUS P5QPL-AM, Intel Dual-Core E6500, 4GB DDR2, ASUS GeForce GT 430 1GB, SL6.6 x86_64
Build server: HP Proliant ML350 G5, 1x Intel Xeon Quad-Core E5410, 9GB ECC DDR2 FB-DIMM, ASUS GeForce GT 730 1GB, SL6.6 x86_64
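As an added example (my own POSIX shell, not from the thread or from OpenSSH), a small audit of an sshd_config against the six steps above. The function names are mine, the two sample config files it writes are constructed, and the checks assume the OpenSSH of the SL6 era (PermitRootLogin defaulting to yes, the Protocol keyword still present).

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config against the
# six steps above. Usage: check_sshd_config /etc/ssh/sshd_config
# Print every uncommented value of a keyword, one per line (sshd_config
# keywords are case-insensitive).
sshd_values() {  # $1 = file, $2 = keyword
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == key { $1 = ""; sub(/^[[:space:]]+/, ""); print }
    ' "$1"
}
# For ordinary keywords sshd honours the FIRST occurrence, so a line appended
# at the end of the file does not override an earlier one. Port is the
# exception: sshd listens on every Port line.
sshd_first() { sshd_values "$1" "$2" | head -n 1; }

check_sshd_config() {  # $1 = sshd_config path; returns the number of failed steps
    f=$1 fails=0
    # Step 3: no Port line means the default, 22; the post wants one above 1024
    for p in $(sshd_values "$f" Port | grep . || echo 22); do
        case $p in
            22|222|2222) echo "FAIL: obvious Port $p"; fails=$((fails + 1)); break ;;
            *) [ "$p" -gt 1024 ] 2>/dev/null ||
                   { echo "FAIL: Port $p is not above 1024"; fails=$((fails + 1)); break; } ;;
        esac
    done
    # Step 4: AllowUsers must name at least one account
    [ -n "$(sshd_first "$f" AllowUsers)" ] ||
        { echo "FAIL: no AllowUsers line, so every account may log in"; fails=$((fails + 1)); }
    # Step 5: PermitRootLogin defaults to yes on the OpenSSH shipped with SL6
    root=$(sshd_first "$f" PermitRootLogin | tr 'A-Z' 'a-z')
    [ "$root" = no ] ||
        { echo "FAIL: PermitRootLogin is '${root:-yes (default)}'"; fails=$((fails + 1)); }
    # Step 6: require an explicit "Protocol 2" (the keyword exists only on
    # OpenSSH before 7.4; later releases speak protocol 2 only)
    [ "$(sshd_first "$f" Protocol)" = 2 ] ||
        { echo "FAIL: Protocol is not pinned to 2"; fails=$((fails + 1)); }
    [ "$fails" -eq 0 ] && echo "OK: $f passes all six checks"
    return "$fails"
}

# Constructed sample configs (not from any real host): stock-looking vs. hardened.
# The trailing "PermitRootLogin yes" in the hardened one is ignored: the earlier "no" wins.
WEAK=$(mktemp) HARD=$(mktemp)
printf '%s\n' '#Port 22' '#Protocol 2,1' '#PermitRootLogin yes' >"$WEAK"
printf '%s\n' 'Port 8022' 'Protocol 2' 'PermitRootLogin no' \
    'AllowUsers george troy' 'PermitRootLogin yes' >"$HARD"
check_sshd_config "$WEAK" || echo "$? step(s) still to do for the stock config"
check_sshd_config "$HARD"
```

Run it against a backup copy before editing the real file, and check the result with `sshd -t` after every change so a typo cannot lock you out at the next restart.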
Cross
 Posted: May 12 2011, 01:31 AM
SLF Newbie
Group: Members
Posts: 12
Member No.: 147
Joined: 10-May 11

Thanks for posting this... I have been concerned a bit about the security of my server I have running at home.
adebened
 Posted: May 12 2011, 05:46 AM
SLF Member
Group: Members
Posts: 80
Member No.: 21
Joined: 11-April 11

QUOTE (redman @ May 9 2011, 11:04 AM)
... With the following six steps you can harden the security...


This is a useful post. Thanks. Also of interest along this line may be a program like fail2ban or denyhosts. These are available in the various repos (rpmforge, epel).
AndrewSerk
 Posted: May 12 2011, 05:32 PM
SLF Moderator
Group: Moderators
Posts: 480
Member No.: 54
Joined: 14-April 11

I would like to add the idea of keys only, no passwords, for any web facing box running sshd.
wearetheborg
 Posted: May 12 2011, 06:43 PM
SLF Geek
Group: Members
Posts: 261
Member No.: 18
Joined: 11-April 11

Another thing which can be done is to limit the ip addresses from which people can ssh into your computer. If there are only a few places from where you ssh into your computer, this is a nice feature. I've forgotten how to do this, but it is pretty straightforward.


smithgcovert
 Posted: May 12 2011, 07:47 PM
SLF Rookie
Group: Members
Posts: 18
Member No.: 148
Joined: 10-May 11

An additional tip:

If you are running your SSH with user IDs and passwords on the default SSH port (some people need to) -- then DenyHosts is a good option.

It monitors login attempts. More than a few (configurable) login attempts from the same IP address, and it will add that IP to a black list.

It makes it much tougher to run any kind of automated attack / password cracking attempts, as they will have a very limited number of attempts to try to get in.

Cheers,
Greg
avamk
 Posted: May 12 2011, 07:52 PM
SLF Junior
Group: Members
Posts: 49
Member No.: 127
Joined: 6-May 11

QUOTE (smithgcovert @ May 12 2011, 02:47 PM)
It monitors login attempts.  More than a few (configurable) login attempts from the same IP address, and it will add that IP to a black list.

Suppose I configure it to black list an IP after 5 attempts. Does that mean if I accidentally enter the wrong password 4 times, then successfully login, in the future I will only have one chance left before I am blacklisted?

OR, does the counter reset after a successful login?
AndrewSerk
 Posted: May 12 2011, 07:59 PM
SLF Moderator
Group: Moderators
Posts: 480
Member No.: 54
Joined: 14-April 11

QUOTE (avamk @ May 12 2011, 02:52 PM)
QUOTE (smithgcovert @ May 12 2011, 02:47 PM)
It monitors login attempts.  More than a few (configurable) login attempts from the same IP address, and it will add that IP to a black list.

Suppose I configure it to black list an IP after 5 attempts. Does that mean if I accidentally enter the wrong password 4 times, then successfully login, in the future I will only have one chance left before I am blacklisted?

OR, does the counter reset after a successful login?


There is a setting in the denyhosts config for whether to reset failed login attempts after a successful login. I have locked myself out before by using the wrong key for the wrong server 3 times in a row.
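To make the reset question above concrete, an added example (my own awk, not DenyHosts code and not using its option names): it counts "Failed password" lines per source address over constructed /var/log/secure-style lines (documentation and private addresses) and lists the addresses that reach a threshold, with the reset-on-successful-login behaviour switchable.

```shell
#!/bin/sh
# Added example (my own awk, not DenyHosts code): how a threshold-based blocker
# sees /var/log/secure, with and without resetting a host's failure counter
# after a successful login. The log lines below are constructed samples.
LOG=$(mktemp)
cat >"$LOG" <<'EOF'
May 12 19:01:02 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
May 12 19:01:05 host sshd[1235]: Failed password for root from 203.0.113.5 port 40002 ssh2
May 12 19:01:08 host sshd[1236]: Failed password for invalid user test from 203.0.113.5 port 40003 ssh2
May 12 19:01:11 host sshd[1237]: Failed password for root from 203.0.113.5 port 40004 ssh2
May 12 19:01:14 host sshd[1238]: Failed password for invalid user oracle from 203.0.113.5 port 40005 ssh2
May 12 19:02:10 host sshd[1240]: Failed password for george from 192.168.1.20 port 50001 ssh2
May 12 19:02:13 host sshd[1241]: Failed password for george from 192.168.1.20 port 50002 ssh2
May 12 19:02:16 host sshd[1242]: Failed password for george from 192.168.1.20 port 50003 ssh2
May 12 19:02:19 host sshd[1243]: Failed password for george from 192.168.1.20 port 50004 ssh2
May 12 19:02:25 host sshd[1244]: Accepted password for george from 192.168.1.20 port 50005 ssh2
May 12 19:40:02 host sshd[1300]: Failed password for george from 192.168.1.20 port 50006 ssh2
EOF

# $1 = log file, $2 = failures needed to block, $3 = 1 to reset on success
blocked_hosts() {
    awk -v limit="$2" -v reset="$3" '
        function src(line) {               # the address after "from"
            sub(/.* from /, "", line); sub(/ port .*/, "", line); return line
        }
        /sshd\[[0-9]+\]: Failed password for/ {
            if (++fails[src($0)] >= limit) blocked[src($0)] = 1
        }
        /sshd\[[0-9]+\]: Accepted (password|publickey) for/ {
            if (reset) fails[src($0)] = 0   # a good login clears the slate
        }
        END { for (ip in blocked) print ip }
    ' "$1" | sort
}

echo "threshold 5, counter kept across logins:"; blocked_hosts "$LOG" 5 0
echo "threshold 5, counter reset on success:";   blocked_hosts "$LOG" 5 1
```

With the counter kept, george's four typos plus one later slip block his own LAN address; with the reset, only the scanning host is listed, which is the behaviour the setting AndrewSerk mentions controls.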
savoyard
 Posted: Aug 2 2011, 12:03 AM
SLF Newbie
Group: Members
Posts: 1
Member No.: 579
Joined: 1-August 11

I am not quite sure how you do it, but a "FROM" clause can be added to an SSH key-pair, so that the key will only be valid when used from within a specific domain (or IP address range).

Useful if you have a laptop vulnerable to being stolen...

shelley
 Posted: Aug 2 2011, 03:35 AM
SLF Rookie
Group: Members
Posts: 17
Member No.: 562
Joined: 31-July 11

If you use SSH in your LAN and wish to allow access only to machines in your LAN, here is an iptables rule:

CODE

iptables -A INPUT -m state --state NEW -m tcp -p tcp -s 192.168.1.0/24 --dport 22 -j ACCEPT


feedmebits
 Posted: Nov 1 2011, 01:24 PM
SLF Member
Group: Members
Posts: 85
Member No.: 953
Joined: 20-October 11

I don't really know anything about firewalls/iptables. If I change the default ssh port how do I close port 22 and change it to accept the new port in the firewall. Thinking of also changing my server to SL6.1, but not till I have this figured out. Cuz don't really feel safe with 22 as my default port.


Bluejay
 Posted: Nov 1 2011, 03:59 PM
SLF Member
Group: Members
Posts: 57
Member No.: 42
Joined: 13-April 11

QUOTE (feedmebits @ Nov 1 2011, 08:24 AM)
I don't really know anything about firewalls/iptables. If I change the default ssh port how do I close port 22 and change it to accept the new port in the firewall. Thinking of also changing my server to SL6.1, but not till I have this figured out. Cuz don't really feel safe with with 22 as my default port.

Edit /etc/sysconfig/iptables and locate the line that looks like:
CODE
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

Change the 22 to your desired port.
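An added example (my own shell, not from the thread) that does Bluejay's edit and shelley's source restriction in one step on an /etc/sysconfig/iptables-style file: it swaps the stock port-22 rule for one on the new port, optionally limited to one network, and refuses to touch a file that has no stock rule. The function names are mine and the ruleset it writes is a constructed sample modelled on the EL6 default, not a copy of any real host.

```shell
#!/bin/sh
# Added example (not from the thread): move the sshd ACCEPT rule in an
# /etc/sysconfig/iptables-style file to a new port, optionally from one
# source network only. Constructed sample ruleset, modelled on the EL6 default.
write_sample_iptables() {  # $1 = file
    cat >"$1" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}
# Print the ACCEPT rule(s) for TCP port $2 in file $1, one per line.
ssh_rules_for_port() {
    grep -E -- "^-A INPUT .*-p tcp .*--dport $2 .*-j ACCEPT" "$1"
}
# Replace the stock port-22 rule with one for $2; with $3 set, only that
# network may connect (shelley's -s restriction). Returns 1 on a bad port,
# 2 when the stock rule is absent, so a hand-edited file is never mangled.
move_ssh_rule() {  # $1 = file, $2 = new port, $3 = optional source CIDR
    f=$1 port=$2
    [ "$port" -gt 1024 ] 2>/dev/null || { echo "refusing port '$port'"; return 1; }
    old='-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT'
    new="-A INPUT -m state --state NEW -m tcp -p tcp ${3:+-s $3 }--dport $port -j ACCEPT"
    grep -qxF -- "$old" "$f" || { echo "no stock port-22 rule in $f, leaving it alone"; return 2; }
    tmp=$(mktemp)   # write a full copy first, then replace the file atomically
    awk -v old="$old" -v new="$new" '$0 == old { $0 = new } { print }' "$f" >"$tmp" && mv "$tmp" "$f"
    echo "$f: ssh now allowed on tcp/$port${3:+ from $3}; port 22 closed"
}

# Demo on the constructed file: port 8022, LAN only
F=$(mktemp); write_sample_iptables "$F"
move_ssh_rule "$F" 8022 192.168.1.0/24
ssh_rules_for_port "$F" 8022
```

The last rule in this ruleset rejects with icmp-host-prohibited, which the client reports as "No route to host", so that message means the firewall refused the connection, not sshd. Apply the file with `service iptables restart`, then change Port in sshd_config and restart sshd, keeping your current session open until a second login on the new port succeeds.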
feedmebits
 Posted: Nov 1 2011, 07:30 PM
SLF Member
Group: Members
Posts: 85
Member No.: 953
Joined: 20-October 11

QUOTE (Bluejay @ Nov 1 2011, 04:59 PM)
QUOTE (feedmebits @ Nov 1 2011, 08:24 AM)
I don't really know anything about firewalls/iptables. If I change the default ssh port how do I close port 22 and change it to accept the new port in the firewall. Thinking of also changing my server to SL6.1, but not till I have this figured out. Cuz don't really feel safe with 22 as my default port.

Edit /etc/sysconfig/iptables and locate the line that looks like:
CODE
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

Change the 22 to your desired port.


Thanks. I tried it, restarted sshd still get error: no route to host

Using this format to connect to the port

ssh -p 1234 username@ip

I also tried configuring the firewall using system-config-firewall-tui with a custom port for ssh

****************

lol got it to work now using system-config-firewall-tui. just missed one config http://dl.dropbox.com/u/2835777/BangHead1.gif

thx for the help


kisss
 Posted: May 23 2012, 04:47 PM
SLF Junior
Group: Members
Posts: 29
Member No.: 1552
Joined: 20-May 12

QUOTE (feedmebits @ Nov 1 2011, 11:30 AM)
QUOTE (Bluejay @ Nov 1 2011, 04:59 PM)
QUOTE (feedmebits @ Nov 1 2011, 08:24 AM)
I don't really know anything about firewalls/iptables. If I change the default ssh port how do I close port 22 and change it to accept the new port in the firewall. Thinking of also changing my server to SL6.1, but not till I have this figured out. Cuz don't really feel safe with 22 as my default port.

Edit /etc/sysconfig/iptables and locate the line that looks like:
CODE
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

Change the 22 to your desired port.


Thanks. I tried it, restarted sshd still get error: no route to host

Using this format to connect to the port

ssh -p 1234 username@ip

I also tried configuring the firewall using system-config-firewall-tui with a custom port for ssh

****************

lol got it to work now using system-config-firewall-tui. just missed one config http://dl.dropbox.com/u/2835777/BangHead1.gif

thx for the help


sure wish there was a youtube video showing how to do this , cuz me is confused, i just installed this 3 days ago or 4 days ago and i never touched a firewall, i know how to bring it up and look at it tho, mine is set to 22 by default.


--------------------
Coffee is my god,
ncdmr
 Posted: Dec 21 2012, 09:16 AM
SLF Newbie
Group: Members
Posts: 1
Member No.: 2152
Joined: 21-December 12

Interesting post, I try to be as security-aware as possible, never considered changing the root username though...
Another option to (further) secure SSH is implementing 2-step (or multiple) authentication methods (whether proprietary or freely available) in PAM.

Examples are Google authenticator and Yubico (yubikey).

QUOTE (Google Authenticator)
PAM Module
The PAM module can add a two-factor authentication step to any PAM-enabled application. It supports:
• Per-user secret and status file stored in user's home directory
• Support for 30-second TOTP codes
• Support for emergency scratch codes
• Protection against replay attacks
• Key provisioning via display of QR code
• Manual key entry of RFC 3548 base32 key strings


Admittedly, there are some pros and cons with these methods, but I thought they'd be worth mentioning.
redman
 Posted: Dec 21 2012, 11:49 AM
SLF Admin
Group: Admins
Posts: 1410
Member No.: 2
Joined: 8-April 11

First of all, welcome!

QUOTE (ncdmr @ Dec 21 2012, 11:16 AM)
Interesting post, I try to be as security-aware as possible, never considered changing the root username though...

Sometimes we tend to overlook simple things.

QUOTE (ncdmr @ Dec 21 2012, 11:16 AM)
Admittedly, there are some pros and cons with these methods, but I thought they'd be worth mentioning.

Every choice has pros and cons.
Which one is better? Don't know, but it is always better than doing nothing.

