SSH Security Checklist

SSH security is easy. Edit /etc/ssh/sshd_config and work through the following SSH security checklist:

SSH Security Checklist

Unless a tip says otherwise (the TCP wrappers and iptables entries are the exceptions), all of the SSH security tips listed here are done by editing /etc/ssh/sshd_config as root and restarting sshd afterwards:

Change the port from the default of 22 to something else (29011 in this example). Default scans usually only cover ports up to 1024, so you will appear not to be running SSH unless someone specifically scans the high ports. Note that the iptables rules further down use port 22; substitute whatever port you choose here.

Port 29011

Allow only certain networks or IP addresses to connect by editing /etc/hosts.deny and /etc/hosts.allow (TCP wrappers). hosts.allow is consulted first, so a matching allow entry wins over the deny-all entry. This only works if your sshd was built with TCP wrappers (libwrap) support; upstream OpenSSH dropped that support in 6.7, so check your build before relying on it.
This is in /etc/hosts.deny

sshd: ALL

This is in /etc/hosts.allow, allowing 1.2.3.* and 1.2.4.5 only. A network prefix must end in a dot; without it the entry is compared as a single host and 1.2.3.x will not match:

sshd: 1.2.3. 1.2.4.5

Everyone else besides the networks defined above will get:


ssh_exchange_identification: Connection closed by remote host

In addition to TCP wrappers, use iptables to allow only certain networks, from the shell. Replace 22 with the port you configured above, and keep the rules in this order: iptables evaluates them top to bottom, so the ACCEPT must come before the DROP:

# iptables -A INPUT -p tcp -m state --state NEW --source 1.2.4.5 --dport 22 -j ACCEPT
# iptables -A INPUT -p tcp --dport 22 -j DROP

Force SSH to use protocol 2 only. Protocol 2 is more secure and far less exposed to man-in-the-middle attacks. OpenSSH 7.6 and later no longer support protocol 1 at all, so this line only matters on older servers:

Protocol 2

Do not allow Root Login. These days this isn’t as important, but the idea is that a brute force attack would have to break into the user level, then into the root level. Most security guides recommend that you do not allow root login:


PermitRootLogin no

Allow only certain users to log in. The idea is to log in as an unprivileged user who has no special rights and owns no files, so that if an attacker gets past this barricade they can't do as much damage. You would su from there.

AllowUsers matthew mark luke james

Or, you can allow all users and disallow only certain accounts (if both directives are present, sshd applies DenyUsers before AllowUsers):


DenyUsers joethehacker spongebob

Create a "no trespassing" sign. Your legal stance is much stronger if you tell them they are trespassing (I know, stupid, but that's the law – you have to TELL them they are breaking in ....)

# put the warning text in /etc/issue.net, then
Banner /etc/issue.net

Use iptables to limit brute force attacks to one new connection (and therefore one login attempt) per minute – but beware you don't set up a denial of service vector: the limit counter below is shared by all source addresses, so an attacker who keeps connecting locks out everyone else as well. Again, replace 22 with your chosen port:

# iptables -A INPUT -p tcp --syn -m state --state NEW --dport 22 -m limit --limit 1/minute --limit-burst 1 -j ACCEPT
# iptables -A INPUT -p tcp --syn -m state --state NEW --dport 22 -j DROP

Uninstall sshd if you do not want logins at all:


apt-get remove openssh-server

Configure automatic log out after a certain period of time (10 minutes in this example; the interval is in seconds). Note that on OpenSSH 8.2 and later ClientAliveCountMax 0 disables the disconnect instead of forcing it, so use ClientAliveCountMax 1 there:

ClientAliveInterval 600
ClientAliveCountMax 0

Use strong passwords. An example policy:

  • 10 characters long
  • Must contain at least 1 upper case character
  • Must contain at least 1 number
  • Must contain at least 1 lowercase character
  • Must contain at least 1 symbol
  • Must NOT be a dictionary word, even if Chang3d
  • Pattern must not repeat (Aa1!Aa1!)
  • Password should change monthly
  • Password should not be written down
  • Password should differ from at least last 5 passwords
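The mechanical rules of the policy above (length, character classes, no disguised dictionary word, no repeated pattern) can be checked before a password is accepted. The following script is an added example and not part of the original post; the function name, the tiny in-script word list and the leetspeak substitutions it undoes are constructed for illustration. The candidate password is read from standard input so it never appears in the process list.

```shell
#!/bin/sh
# Added example (not from the original post): check a candidate password
# against the mechanical rules of the policy above. The password is read
# from standard input, not passed as an argument, so it does not show up
# in `ps`. The word list below is a constructed stand-in for a real
# dictionary file such as /usr/share/dict/words (assumed path).

DICT_WORDS="password
changed
welcome
letmein
debian"

# Read one password from stdin and print each rule it violates.
# Prints nothing when the password passes every check.
check_password_policy() {
    pw=$(cat)

    # Length: the policy asks for 10 characters.
    [ "${#pw}" -ge 10 ] || echo "too short: ${#pw} < 10 characters"

    # At least one character from each class.
    printf '%s' "$pw" | grep -q '[A-Z]' || echo "no upper case character"
    printf '%s' "$pw" | grep -q '[a-z]' || echo "no lower case character"
    printf '%s' "$pw" | grep -q '[0-9]' || echo "no digit"
    printf '%s' "$pw" | grep -q '[^A-Za-z0-9]' || echo "no symbol"

    # "Must NOT be a dictionary word, even if Chang3d": lower-case it and
    # undo the common substitutions (0->o 1->l 3->e 4->a @->a $->s)
    # before comparing against the word list as a whole-line fixed string.
    plain=$(printf '%s' "$pw" | tr 'A-Z' 'a-z' | tr '0134@$' 'oleaas')
    if printf '%s\n' "$DICT_WORDS" | grep -qxF -- "$plain"; then
        echo "dictionary word after undoing substitutions: $plain"
    fi

    # "Pattern must not repeat (Aa1!Aa1!)": a run of three or more
    # characters immediately followed by the same run (BRE backreference).
    printf '%s' "$pw" | grep -q '\(....*\)\1' && echo "repeated pattern"

    return 0
}

# Stand-alone use: pipe a password in, e.g.  printf '%s' 'Chang3d' | sh thisfile.sh
if [ ! -t 0 ] && [ -n "${RUN_PASSWORD_CHECK:-}" ]; then
    check_password_policy
fi
```

The dictionary check is deliberately crude: it catches the "Chang3d" case from the list, but a real deployment would feed a full word list and also strip trailing digits or symbols before comparing.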

Disable empty passwords. Either by willful negligence, or accidental laziness, people will choose not to have passwords sometimes. This is not great SSH security as you can imagine. Fix it:


PermitEmptyPasswords no
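All of the sshd_config directives in this checklist can be verified in one go instead of by eye. The script below is an added example and not part of the original post; it reads a configuration file the way sshd does (first occurrence of a keyword wins, keywords are case-insensitive, '#' lines are comments, global settings end at the first Match block) and prints one line for every directive that deviates from the checklist. The function names and the sample files in the comments are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config file
# against the checklist directives above. Run as
#   sh audit.sh /etc/ssh/sshd_config
# (file path assumed; the script prints nothing when everything matches).

# Print the effective global value of a keyword. sshd takes the FIRST
# occurrence, compares keywords case-insensitively, ignores '#' comment
# lines, and everything after the first "Match" line is conditional, so
# reading stops there.
sshd_opt() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        NF >= 2 && tolower($1) == key { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# Print one line per deviation from the checklist; nothing if all is well.
audit_sshd_config() {
    cfg="$1"

    v=$(sshd_opt "$cfg" Port)
    if [ -z "$v" ] || [ "$v" = "22" ]; then
        echo "Port: still the default 22"
    fi

    v=$(sshd_opt "$cfg" Protocol)
    [ "$v" = "2" ] || echo "Protocol: not pinned to 2 (got '${v:-unset}')"

    v=$(lower "$(sshd_opt "$cfg" PermitRootLogin)")
    [ "$v" = "no" ] || echo "PermitRootLogin: should be 'no' (got '${v:-unset}')"

    v=$(lower "$(sshd_opt "$cfg" PermitEmptyPasswords)")
    [ "$v" = "no" ] || echo "PermitEmptyPasswords: should be 'no' explicitly (got '${v:-unset}')"

    if [ -z "$(sshd_opt "$cfg" AllowUsers)" ] && [ -z "$(sshd_opt "$cfg" DenyUsers)" ]; then
        echo "AllowUsers/DenyUsers: no user allow or deny list configured"
    fi

    # "Banner none" is sshd's way of saying no banner, so treat it as unset.
    v=$(lower "$(sshd_opt "$cfg" Banner)")
    if [ -z "$v" ] || [ "$v" = "none" ]; then
        echo "Banner: no login banner configured"
    fi

    v=$(sshd_opt "$cfg" ClientAliveInterval)
    case "$v" in
        ''|0|*[!0-9]*) echo "ClientAliveInterval: not a positive number of seconds (got '${v:-unset}')" ;;
    esac

    v=$(sshd_opt "$cfg" ClientAliveCountMax)
    [ "$v" = "0" ] || echo "ClientAliveCountMax: checklist sets 0 (got '${v:-unset}')"

    return 0
}

# Audit the file named on the command line, if any.
if [ -n "${1:-}" ]; then
    audit_sshd_config "$1"
fi
```

Because sshd_opt honours first-match semantics and stops at Match, a stray second "PermitRootLogin yes" later in the file, or one inside a Match block, is reported exactly as sshd would apply it: the first global value counts.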

Use a script that stops brute force attacks automatically (two options shown here):

  • http://fail2ban.org
  • apt-get install denyhosts
