SSH Security Checklist
Unless a step says otherwise (the hosts.allow/hosts.deny and iptables items are the exceptions), each tip below is a directive for /etc/ssh/sshd_config, edited as root. After every change, check the syntax with sshd -t and reload the service while keeping your current session open, so a mistake cannot lock you out.
Move sshd off the default port 22 (29011 in this example). This is obscurity, not security: it cuts the log noise from opportunistic scanners that only probe common ports, but a targeted attacker will find the service, so treat it as a supplement to the items below, never a substitute. Open the new port in the firewall, tell clients to use it (ssh -p 29011), and on SELinux systems label it as an SSH port before restarting sshd:
Port 29011
Allow only certain networks or IP addresses to connect. The classic way is TCP wrappers, via /etc/hosts.deny and /etc/hosts.allow. Caveat: OpenSSH dropped built-in libwrap support in 6.7 (2014); some distributions carried the patch for a while, but on a current system sshd most likely ignores these files. Check whether your sshd binary links libwrap (ldd will show it), and if not, rely on the firewall rules below or a Match Address block in sshd_config instead.
This is in /etc/hosts.deny:
sshd: ALL
This is in /etc/hosts.allow, allowing 1.2.3.* and 1.2.4.5 only. The trailing dot is what makes 1.2.3. a prefix match; without it the pattern only matches a host literally named 1.2.3:
sshd: 1.2.3. 1.2.4.5
Everyone else is accepted at the TCP level and then immediately disconnected by sshd, so they see:
ssh_exchange_identification: Connection closed by remote host
In addition to TCP wrappers (or instead of them, where sshd no longer honours them), use iptables to admit only certain networks. Two things to get right: the rules are appended, so an ESTABLISHED,RELATED accept must already sit above them or existing sessions die the moment the DROP is added, and the port must match whatever Port you set in sshd_config (22 here, the default). From the shell:
# iptables -A INPUT -p tcp -m state --state NEW --source 1.2.4.5 --dport 22 -j ACCEPT
# iptables -A INPUT -p tcp --dport 22 -j DROP
Force SSH to use protocol 2 only. Protocol 1 has long-known cryptographic weaknesses (its CRC-32 integrity check is forgeable, which is what the classic insertion attack exploited), and it offers no protection worth keeping. OpenSSH removed protocol 1 from the server in 7.4 (2016), so on current versions this directive is ignored with a deprecation warning; it still matters on older builds and does no harm elsewhere:
Protocol 2
Do not allow root login over SSH. The root account exists on every system and its name needs no guessing, so a brute-force attack against it only has to find the password. Forcing attackers through an unprivileged account first means they must guess both a username and a password, and every escalation to root afterwards is logged under that user. Since OpenSSH 7.0 the default is prohibit-password (root may log in with a key but never with a password); set no explicitly if root should be kept out entirely:
PermitRootLogin no
Allow only certain users to log in. Log in as an unprivileged account that owns little and can do little, then su or sudo to root, so that a compromised SSH login is not immediately a compromised host. Patterns are allowed, so matthew@1.2.3.4 would restrict that user to one source address, and when both directives are present sshd evaluates DenyUsers before AllowUsers:
AllowUsers matthew mark luke james
Or, you can allow all users and disallow only certain accounts:
DenyUsers joethehacker spongebob
Put up a no-trespassing sign. A banner shown before authentication stops nobody, but it strengthens your legal position: unauthorized-access cases go more smoothly when the intruder was told they were trespassing (yes, you have to TELL them they are breaking in). Keep it to the warning; do not reveal the OS, version, or hostname in it. Write the text to /etc/issue.net, then:
# edit the issue.net, then
Banner /etc/issue.net
Use iptables to throttle brute-force attacks. The pair below admits one new connection per minute to the SSH port, but be clear about what it counts: new TCP connections, not failed logins, and the limit is global rather than per source address. One scanner hammering the port therefore locks out the administrator as well, so this is a denial-of-service vector in its own right. Per-source limiting (the recent module) or fail2ban, covered at the end, is the safer form of the same idea:
# iptables -A INPUT -p tcp --syn -m state --state NEW --dport 22 -m limit --limit 1/minute --limit-burst 1 -j ACCEPT
# iptables -A INPUT -p tcp --syn -m state --state NEW --dport 22 -j DROP
Uninstall sshd if the host needs no remote logins at all (Debian/Ubuntu shown; use purge instead of remove to delete its configuration and host keys as well):
apt-get remove openssh-server
Disconnect dead or unresponsive clients. ClientAlive messages are sent by the server through the encrypted channel, and a working client always answers them, so this is a liveness check, not an idle-user timeout (for that, set TMOUT in the users' shell profile). The old recipe of ClientAliveCountMax 0 no longer does what it once did: current OpenSSH documents 0 as disabling disconnection altogether. Probe every 5 minutes and drop the client after two unanswered probes (about 10 minutes):
ClientAliveInterval 300
ClientAliveCountMax 2
Use strong passwords, and enforce the rules with pam_pwquality (or your distribution's equivalent) rather than by policy alone; better still, require public-key authentication so that password guessing over SSH is not possible at all. Example policy:
- At least 10 characters long (longer is better; length does more than character classes)
- Must contain at least 1 upper case character
- Must contain at least 1 number
- Must contain at least 1 lowercase character
- Must contain at least 1 symbol
- Must NOT be a dictionary word, even if Chang3d
- Pattern must not repeat (Aa1!Aa1!)
- Change it on any suspicion of compromise; scheduled monthly rotation is no longer recommended (NIST SP 800-63B), since it mostly produces predictable variants of the old password
- Password should not be written down or stored in plaintext (a password manager is fine)
- Password should differ from at least the last 5 passwords
Disable empty passwords. Whether through wilful negligence or plain laziness, people sometimes leave accounts with no password at all, and with the default PAM setup such an account is one username guess away from a shell. Fix it:
PermitEmptyPasswords no
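To check a server's configuration against the sshd_config items above, an added example that is not part of the original checklist: a POSIX sh audit that reads an sshd_config the way sshd does (the first occurrence of a directive wins, and anything after the first Match line is conditional and ignored here) and reports weak or missing settings. It flags ClientAliveCountMax 0 because current OpenSSH treats 0 as never disconnecting, and accepts either AllowUsers or DenyUsers for the account restriction. The two sample configs inside it are constructed for the demonstration; the Key=value spelling of directives is not handled.

```shell
#!/bin/sh
# Added example (not from the original checklist): audit an sshd_config
# against the items above. Prints one line per weak or missing directive and
# returns 0 only when nothing was found. Like sshd, it honours the FIRST
# occurrence of a directive and ignores everything after the first "Match"
# line; the "Key=value" spelling is not handled. Sample configs are constructed.

# effective_value FILE KEY -> value of the first KEY outside any Match block
effective_value() {
    awk -v key="$2" '
        /^[[:space:]]*(#|$)/        { next }          # comment or blank line
        tolower($1) == "match"      { inmatch = 1 }   # rest of file is conditional
        inmatch                     { next }
        tolower($1) == tolower(key) {
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "")   # drop the key
            sub(/[[:space:]]+$/, "")
            print; exit
        }' "$1"
}

# check KEY ACCEPT MISSING_OK HINT
#   ACCEPT is a list of allowed values, or "!list" of forbidden values
#   ("!" alone accepts any value). MISSING_OK yes/no says whether an unset
#   directive is acceptable. Uses $cfg and counts into $findings (caller sets both).
check() {
    key=$1 accept=$2 missing_ok=$3 hint=$4
    got=$(effective_value "$cfg" "$key")
    if [ -z "$got" ]; then
        [ "$missing_ok" = yes ] && return 0
        printf 'MISSING %-22s (%s)\n' "$key" "$hint"
        findings=$((findings + 1)); return 0
    fi
    lc=$(printf '%s' "$got" | tr 'A-Z' 'a-z')
    case $accept in
        !*) case " ${accept#!} " in *" $lc "*) ;; *) return 0 ;; esac ;;
        *)  case " $accept "     in *" $lc "*) return 0 ;; esac ;;
    esac
    printf 'WEAK    %-22s %s (%s)\n' "$key" "$got" "$hint"
    findings=$((findings + 1))
}

# audit_sshd_config FILE -> 0 if clean, 1 if findings were printed, 2 if unreadable
audit_sshd_config() {
    cfg=$1 findings=0
    [ -r "$cfg" ] || { echo "audit_sshd_config: cannot read $cfg" >&2; return 2; }
    check Port                 '!22'                  no  'still on the default port'
    check Protocol             '2'                    yes 'protocol 2 only; unset is fine on OpenSSH 7.4+, which has no protocol 1'
    check PermitRootLogin      'no prohibit-password' no  'no password logins as root'
    if [ -z "$(effective_value "$cfg" AllowUsers)" ] && [ -z "$(effective_value "$cfg" DenyUsers)" ]; then
        printf 'MISSING %-22s (%s)\n' AllowUsers/DenyUsers 'restrict which accounts may log in'
        findings=$((findings + 1))
    fi
    check Banner               '!none'                no  'pre-authentication warning banner'
    check ClientAliveInterval  '!0'                   no  'probe unresponsive clients'
    check ClientAliveCountMax  '!0'                   no  '0 disables disconnection on current OpenSSH'
    check PermitEmptyPasswords 'no'                   no  'refuse accounts with empty passwords'
    [ "$findings" -eq 0 ]
}

# --- demonstration on two constructed configs ---
tmp=$(mktemp -d)
cat > "$tmp/weak.conf" <<'EOF'
# constructed sample: a config that fails most of the checklist
Port 22
PermitRootLogin yes
PermitEmptyPasswords yes
ClientAliveInterval 0
Match User backup
    PermitRootLogin no
EOF
cat > "$tmp/hardened.conf" <<'EOF'
# constructed sample: the checklist applied
Port 29011
Protocol 2
PermitRootLogin no
AllowUsers matthew mark luke james
Banner /etc/issue.net
ClientAliveInterval 300
ClientAliveCountMax 2
PermitEmptyPasswords no
EOF
for f in "$tmp/weak.conf" "$tmp/hardened.conf"; do
    echo "== $f"
    if audit_sshd_config "$f"; then echo "   clean"; fi
done
rm -rf "$tmp"
# Real use: audit_sshd_config /etc/ssh/sshd_config, then "sshd -t" for a syntax check.
```

Running it on the weak sample prints seven findings (the PermitRootLogin no inside the Match block does not rescue it, because the unconditional yes above wins); the hardened sample prints nothing and returns 0. The audit reads the file you point it at, not the daemon's live state, so run sshd -t and reload after fixing what it reports.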
Use a tool that blocks brute-force sources automatically (two options shown here). fail2ban watches the auth log and bans offending addresses through the firewall, which works regardless of how sshd was built. DenyHosts instead writes to /etc/hosts.deny, so it only has an effect where sshd still honours TCP wrappers, and it has been unmaintained for years; on a current system, fail2ban is the one to pick:
- http://fail2ban.org
- apt-get install denyhosts