SSH Hardening Techniques
SSH Hardening Techniques
These are the top practices to harden ssh. In this article I am going to list the best and most important open ssh server security practices.
SSH protocol is the best option when it comes to remote login, making backups, remote file transfer and so on. It is a must have on any commercial server. It comes bundled with the installation of a CentOS, Debian Linux, fedora linux, FreeBSD, Gentoo Linux, Ubuntu linux server.
1. Ssh is so powerful that can pose a real breach of the security.
If you don’t need it, remove its installation. If you are not sure whether sshd is installed on the server or not, use chkconfig utility. The chkconfig is a powerful utility. It can help you list all services or specify in which runlevel to start a selected service.
#chkconfig --list service_name
command will list service’s status (on or off) for each of the seven numbered runlevels
# chkconfig sshd off
command will switch off sshd in all seven runlevels
2. Use only SSH version 2-compatible servers and clients whenever possible
In most Linux distributions server suite comes with Version 2 enabled per default. As a system administrator you should make sure that this is the case on your server. Make sure that the following line exists in sshd_config file
Protocol 2
3. Limit maximum authentication attempts.
It could be recommendable to limit the number of authentication attempts.
MaxAuthTries 3
4. Automatically log out unattended ssh sessions
You can set an idle timeout to force log out after a period of inactivity. Open sshd_config file and comment out the following values:
ClientAliveInterval XXX
ClientAliveCountMax 3
where XXX is an idle timeout interval in seconds. After this interval has passed, the idle user will be logged out.
5. Public key authentication
Using public key authentication is probably one of the most important steps in hardening the ssh. Password authentication belongs to the past. Every server administrator should use public key instead of passwords, to set up key-based authentication.
Force users to use public key authentication by adding the following line in /etc/ssh/sshd_config file:
Disable PasswordAuthentication
6. Change SSH Port
This approach gives security through obscurity. Although this is not considered the best approach to hardening ssh, it can help a lot. Here is the line you can add to line in /etc/ssh/sshd_config
Port 333
The code above tells the server to listens for connections on the port #333 only.
You can also specify the address the sshd listens to:
ListenAddress 192.168.1.7
ListenAddress 192.168.1.14
If you change the port sshd to listen to another port, don’t forget to find the line that reads the port number to
7. Disable root login
It is best practice not to log in as the root user. Use a normal user account to initiate your connection instead, together with sudo. Direct root logins may result in bad accountability of the actions performed by this user account.