OpenSSH provides an end-to-end encrypted replacement for applications such as telnet, rlogin, and ftp. Unlike those legacy applications, OpenSSH never passes anything (including the username and password) over the wire unencrypted, and it provides host authentication to verify that you really are talking to the system you think you are and that no one else can take over the session. Currently OpenSSH can be used with OpenBSD, NetBSD, FreeBSD, AIX, HP-UX, IRIX, Linux, NeXT, SCO, SNI/Reliant Unix, Solaris, Digital Unix/Tru64/OSF, Mac OS X, and Cygwin.
Install OpenSSH
You will want your system to be able to both receive and make connections via OpenSSH, so you will need to install the server and client packages.
For Ubuntu, Mint, or Debian based distributions
|
# apt-get install openssh-server openssh-client
|
For Fedora, Centos, or Red Hat based distributions
|
# yum install openssh openssh-server openssh-clients
|
Config and Secure OpenSSH
Default OpenSSH config files
/etc/ssh/sshd_config – OpenSSH server configuration file.
/etc/ssh/ssh_config – OpenSSH client configuration file.
Default OpenSSH port
TCP 22
There are a few tweaks and changes to make before you open up your SSH server to connections from the outside world.
1. Disable OpenSSH server
You should disable and remove the OpenSSH server on machines that do not need to accept connections, such as workstations and laptops.
For Ubuntu, Mint, or Debian based distributions
|
# apt-get remove openssh-server
|
For Fedora, Centos, or Red Hat based distributions
|
# chkconfig sshd off
# yum erase openssh-server
|
If you have an iptables firewall, you will also need to update it and restart it to remove the rule that allows SSH in.
|
# nano /etc/sysconfig/iptables
|
2. Only Use SSH Protocol 2
Make sure Protocol 2 is set in your OpenSSH server config file (newer OpenSSH releases have dropped protocol 1 entirely, so on those servers this directive is no longer needed).
3. Limit access to ssh server
Only allow certain users to access your SSH server and deny the users you do not want to have access.
To allow specific users, add this to sshd_config:
|
AllowUsers tom marry mike
|
To deny specific users instead, use DenyUsers in the same way.
Personally, I highly suggest you deny the root user on the SSH server and log in over SSH with a normal unprivileged user; you can become root after that.
To become root you can use the su command.
For Ubuntu, Mint, or Debian based distributions
For Fedora, Centos, or Red Hat based distributions
Configure an Idle Logout Timeout Interval
You do not want to leave your SSH session unattended, so having an idle logout timeout is a good idea. Here I set mine at 300 seconds, or 5 minutes. Note that these directives make the server probe the client every ClientAliveInterval seconds and drop the connection once ClientAliveCountMax probes go unanswered; a client that is still connected answers the probes automatically, so this mainly clears dead connections, and on OpenSSH 8.2 and later a ClientAliveCountMax of 0 disables connection termination altogether.
|
ClientAliveInterval 300
ClientAliveCountMax 0
|
4. Disable .rhosts Files
A .rhosts file in a user's home directory lists remote hosts and users that are trusted to log in as that user without a password. If an attacker captures a user ID and password (for example with a network analyzer) or compromises a trusted host, that file shows exactly which other systems will let them in, and they inherit those trust relationships. That is why .rhosts files should be ignored: set IgnoreRhosts yes in sshd_config.
5. Disable Host-Based Authentication
|
HostbasedAuthentication no
|
6. Disable root Login via SSH
As I mentioned before, you do not want to log in with your root account. Besides denying the root user, you should also disallow root login with PermitRootLogin no (shown in the Authentication block in step 10).
7. Having a Warning Banner
This is not really effective against somebody who wants to break into your SSH server, but it is nice to have one, and it serves as a legal warning. We will place the warning notice in the /etc/ssh/ssh_banner file and point the server at it with Banner /etc/ssh/ssh_banner in sshd_config.
Create the SSH banner
|
# nano /etc/ssh/ssh_banner
|
Sample warning banner /etc/ssh/ssh_banner
|
************************************************
NOTICE TO USERS WARNING!
The use of this system is restricted to authorized users, unauthorized access is forbidden and will be prosecuted by law. All information and communications on this system are subject to review, monitoring and recording at any time, without notice or permission. Users should have no expectation of privacy.
*************************************************
|
8. Change SSH server port
After denying and disallowing root login in steps 3 and 6, I believe changing the SSH server port to a non-standard port (with the Port directive in sshd_config) is the second most effective way to prevent break-ins to the SSH server. I believe (I might be wrong) anything between port 1024 and 65535 is safe to use.
9. Disable Empty Passwords
You do not want anyone to log in to your SSH server with an empty password, so set PermitEmptyPasswords no in sshd_config.
10. Use StrictModes
StrictModes makes sshd check the ownership and permissions of the user's home directory and files such as .rhosts before allowing a login, to make sure users do not leave their directories and files writable by others on the same host.
Under # Authentication:, uncomment StrictModes, LoginGraceTime, PermitRootLogin, MaxAuthTries, and MaxSessions:
|
# Authentication:
LoginGraceTime 2m
PermitRootLogin no
StrictModes yes
MaxAuthTries 6
MaxSessions 10
|
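As an added example (not code from the original post), here is a small Python audit script that checks an sshd_config against steps 2 through 10 above. The check list, the two constructed sample configs and the function names are my own; the parsing rules it models are sshd's own: keywords are case-insensitive, for each keyword the first value in the file wins (so a hardening line appended at the end of sshd_config is silently ignored if the same keyword already appears earlier), and directives below a Match line are conditional.

```python
"""Audit an OpenSSH sshd_config against the hardening checklist above.

Added example, not from the original page. Parsing rules modelled on sshd(8):
keywords are case-insensitive, the FIRST value of each keyword wins, '#' lines
and blank lines are ignored, and everything after a Match line is conditional.
"""
import re
from typing import Dict, List

# keyword (lowercase) -> (required value, or None meaning "must be set", reason)
# The list itself is this example's, derived from the steps on the page.
CHECKS = {
    "permitrootlogin": ("no", "disable direct root login over SSH"),
    "ignorerhosts": ("yes", "ignore ~/.rhosts and ~/.shosts trust files"),
    "hostbasedauthentication": ("no", "disable host-based authentication"),
    "permitemptypasswords": ("no", "refuse accounts with empty passwords"),
    "strictmodes": ("yes", "reject world-writable home dirs and key files"),
    "banner": (None, "show a warning banner before authentication"),
    "allowusers": (None, "restrict logins to an explicit list of users"),
    "clientaliveinterval": (None, "drop dead or unresponsive sessions"),
}

_SPLIT = re.compile(r"\s*=\s*|\s+")  # sshd accepts 'Key value' and 'Key=value'


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return the effective global settings, keys lowercased, first value wins."""
    settings: Dict[str, str] = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # comment or blank line
        parts = _SPLIT.split(line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True  # later lines only apply when the Match criteria hold
            continue
        if in_match:
            continue
        settings.setdefault(key, value)  # first occurrence wins, like sshd
    return settings


def audit(settings: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: List[str] = []
    for key, (want, why) in CHECKS.items():
        got = settings.get(key)
        if not got:
            findings.append(f"{key}: not set ({why})")
        elif want is not None and got.lower() != want:
            findings.append(f"{key}: is '{got}', want '{want}' ({why})")
    # 'Protocol 2' only matters on servers that still know protocol 1,
    # so flag it only when it is present and wrong.
    proto = settings.get("protocol")
    if proto is not None and proto.replace(" ", "") != "2":
        findings.append(f"protocol: is '{proto}', want '2' (protocol 1 is insecure)")
    if "root" in settings.get("allowusers", "").split():
        findings.append("allowusers: lists root (log in as a normal user and su instead)")
    if settings.get("port", "22") == "22":
        findings.append("port: default 22 (page recommends a non-standard port)")
    return findings


# Constructed sample: hardening lines were appended to a stock-looking file,
# but the earlier 'PermitRootLogin yes' still wins, and the copy inside the
# Match block only applies to 10.0.0.0/8.
WEAK_CONFIG = """\
# Authentication:
#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
Port 22
AllowUsers tom marry mike root
# appended later to "harden" the file, but sshd keeps the FIRST value above
PermitRootLogin no
Match Address 10.0.0.0/8
    PermitRootLogin no
"""

# Constructed sample that follows every step on the page.
HARDENED_CONFIG = """\
Protocol 2
Port 2222
PermitRootLogin no
IgnoreRhosts yes
HostbasedAuthentication no
PermitEmptyPasswords no
StrictModes yes
Banner /etc/ssh/ssh_banner
AllowUsers tom marry mike
ClientAliveInterval 300
ClientAliveCountMax 0
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_CONFIG
    for finding in audit(parse_sshd_config(text)) or ["all checks passed"]:
        print(finding)
```

Run it as `python3 audit_sshd.py /etc/ssh/sshd_config` to audit a real file; with no argument it audits the constructed weak sample and reports nine findings, the first of which is that PermitRootLogin is still effectively `yes`. On a live server, `sshd -T` prints the effective configuration after sshd's own parsing and is the authoritative cross-check.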