[Linux]: Top 12 security features to enable in SSH server!

Updated on September 3, 2017

There are a couple of ways to access a shell (command line) remotely on most Linux/Unix systems. One of the older ways is the telnet program. Accessing a shell through telnet poses a security threat because the messages passing between client and server are in plain text! Anyone who can "sniff" the connection in between can see your username, password and much more. For these reasons you need a more sophisticated program than telnet to connect to a remote host.

SSH, which is an acronym for Secure SHell, was designed and created to provide the best security when accessing another computer remotely. Not only does it encrypt the session, it also provides better authentication facilities, as well as features like secure file transfer, X session forwarding and port forwarding, so that you can increase the security of other protocols. Allowing remote login through SSH is good for administrative purposes, but can pose a threat to your server's security. Often the target of brute force attacks, SSH access needs to be limited properly to prevent third parties from gaining access to your server. In this article we shall see how to secure SSH.

There are two config files, "ssh_config" and "sshd_config", under the /etc/ssh/ directory. The ssh_config file contains configuration for outbound SSH connections, whereas the sshd_config file contains the parameters that control inbound SSH connections to the server itself. ~/.ssh/ is each user's own SSH configuration directory.

1. How to set Strong Usernames/Passwords

An SSH server running and exposed to the outside world is a prime target for brute force attacks! Typically a hacker will scan for port 22 to find machines with ssh running, and then attempt a brute-force attack against it. With strong passwords in place, you can deny hackers before they succeed. Hopefully you already use strong passwords, but if not, choose passwords that contain:

  1. Minimum of 8 characters
  2. Mix of upper and lower case letters
  3. Mix of letters and numbers
  4. Non-alphanumeric characters (e.g. special characters such as ! " £ $ % ^ etc.)

If your users still choose weak passwords, then create usernames which would be difficult for hackers to guess! This gives hackers a tough time guessing usernames, without which they can't brute force the password (make sure users don't leak their usernames). Avoid common usernames such as admin, henry, bob, etc.

2. How to disallow Remote Login with empty passwords

You need to explicitly tell the SSH server to disallow remote login for accounts with empty passwords. Using your favorite editor, open the /etc/ssh/sshd_config file and search for the below line :

#PermitEmptyPasswords no

Remove the # symbol and keep the value as no. The commented-out line only documents the default; setting it explicitly guarantees that accounts with empty passwords are refused.

PermitEmptyPasswords no

After modification do not forget to restart sshd as shown below :

Caution: Follow tip #12 to ensure sshd_config file is error free
/etc/init.d/sshd restart

3. How to disable remote login for root user on Linux machine

You can see our previous article – How to disable remote login for root user on Linux machine

4. How to allow only specific users to login via SSH

You can see our previous article – how to allow or deny specific user accounts to do remote login to Linux server.

5. How to change default SSH Listening Port

By default the SSH server listens for connections on port 22. Attackers use port scanner software such as nmap to scan for open ports. It is advised to change the SSH port to a number higher than 1024, as most port scanners do not scan higher ports.

Using your favorite editor, open /etc/ssh/sshd_config file and look for the line that says:

Port 22

Change the port number to something like :

Port 2222

After modification do not forget to restart sshd as shown below :

Caution: Follow tip #12 to ensure sshd_config file is error free
/etc/init.d/sshd restart

Once the SSH server port number is changed, you can remotely login by specifying port number as shown below :

ssh -p 2222 username@servername

6. Allow only SSH protocol 2

The SSH server supports two protocols, i.e. 1 and 2. The older protocol 1 is subject to security issues including man-in-the-middle attacks and other vulnerabilities. SSH protocol 2 is more secure than protocol 1. The SSH server on the latest OS releases comes with protocol 2 enabled. If the configuration lists multiple protocols as shown below, change it to enable only protocol 2 :

Using your favorite editor, open /etc/ssh/sshd_config file and look for the line that says:

Protocol 2,1

Change the line so that it lists only protocol 2 !

Protocol 2

After modification do not forget to restart sshd as shown below :

Caution: Follow tip #12 to ensure sshd_config file is error free
/etc/init.d/sshd restart

7. How to restrict Remote Login to only specific users from specific IP Address ?

If you are sure that your SSH server will be used only by users from very specific hosts (for example, an SSH server accessed only by users on an organization's LAN), then it is better to allow users to log in only from those specific hosts. To do this, follow the procedure below :

Using your favorite editor, open /etc/ssh/sshd_config file and add below line :

AllowUsers openra@192.168.10.2

You can also allow a whole range of IP addresses with wildcards, as below :

AllowUsers openra@192.168.10.*
AllowUsers openra@192.168.*.*

After modification do not forget to restart sshd as shown below :

Caution: Follow tip #12 to ensure sshd_config file is error free
/etc/init.d/sshd restart
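To see how the user@host patterns above are evaluated, here is an added Python example (not from the article or from OpenSSH itself) that mimics sshd's glob matching of AllowUsers entries; the pattern lists and addresses are constructed, and the last one shows how a loose wildcard admits more of the network than intended.

```python
"""Evaluate the AllowUsers user@host patterns from tip 7 against a login."""
from fnmatch import fnmatchcase


def allow_users_permits(patterns, user, host):
    """True when (user, host) matches some pattern in an AllowUsers list.

    Each pattern is USER or USER@HOST. As in sshd, '*' and '?' match any
    characters, dots included, so a host pattern is a glob, not a subnet,
    and it is compared against the client's address (or hostname).
    Once AllowUsers is set, a login matching no pattern is denied.
    Simplification: CIDR host parts and '!' negation are not handled here.
    """
    for pattern in patterns:
        user_pat, _, host_pat = pattern.partition("@")
        if fnmatchcase(user, user_pat) and (not host_pat or fnmatchcase(host, host_pat)):
            return True
    return False


# Constructed pattern lists, including one that is broader than it looks.
LAN_ONLY = ["openra@192.168.10.*"]
TOO_BROAD = ["openra@192.168.1*"]  # also admits 192.168.100.x up to 192.168.199.x
```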

8. How to stop automated bot based SSH attacks ?

You can see our previous article – How to stop automated bot based SSH attacks ?

9. How to Hash Known Hosts Files

Refer our previous article : How to Hash Known Hosts Files of ~/.ssh/ directory

10. How to configure Idle Log Out Timeout Interval for SSH

Users often log in remotely and forget to log out! An idle session can be a security risk, so administrators need to set an idle timeout interval to log out those idle sessions. To set the timeout interval for idle logout, follow the guidelines below :

Using your favorite editor, open /etc/ssh/sshd_config file and search for the below lines :

#ClientAliveInterval 0

Remove the # symbol and change the ClientAliveInterval to 300 (the timeout interval is in seconds, i.e. 300 sec = 5 min). After this interval has passed, the idle user will be automatically logged out.

ClientAliveInterval 300

After modification do not forget to restart sshd as shown below :

Caution: Follow tip #12 to ensure sshd_config file is error free
/etc/init.d/sshd restart

11. How to configure Log Analyzer for SSH

Logging user activity always gives the administrator extra information about what users do on the server. Further, tools like LogWatch can make your life simpler by reading all the logs for a given period of time and producing a report in a user-friendly, readable format.

Using your favorite editor, open /etc/ssh/sshd_config file and search for the below lines :

#LogLevel INFO

Remove the # symbol and restart sshd service as shown below :

Caution: Follow tip #12 to ensure sshd_config file is error free
/etc/init.d/sshd restart

12. Verify SSH configuration before restarting ‘sshd’ daemon

As you are making changes to sshd_config, make sure you didn’t leave any errors. Run the below command to check if sshd_config contains any errors before restarting the SSH server.

# /usr/sbin/sshd -t

Now, restart the service as below:

# /etc/init.d/sshd restart

(or)

# service sshd restart

Comments

  1. I followed this guide and implemented points 2, 5, and 12. Now I can't connect with SSH.

    1. Check if any firewall is running on the machine and if so, you need to open the port which you modified on point 5 to connect from outside.