Secure Shell (SSH) is a means of sending secure data between two computers over an otherwise insecure network by creating a secure channel using a cryptographic network protocol.
In this tutorial you will see how to secure the SSH protocol and your login to the server. Even if SSH is very secure out of the box, there are several things that can be done to make it more secure and avoid all those of bot attacks.
(Note: For the Purpose of this tutorial Ubuntu will be used as the Client OS, Debian as the Server Os and SSH Protocol to provide the connection to the server. If you are a windows user, you can download PuTTY free software application, which provides SSH connection with your Server)
In this tutorial you will see and analyze the modules:
- Connect to remote server
- Create new User
- Use RSA key authentication
- Change SSH config file
Connect to remote server
Open the Terminal and type the command below to connect to the remote computer.
|
1 |
ssh root@195.251.127.254 |
(Note: You will connect as root user. On the IP field you can type your domain name such as example.com)
Create new User
After successful connection create a user account to the Server, so on the terminal write:
|
1 |
useradd -d /home/yourusername -s /bin/bash -c "Name FamilyName" yourusername |
then create your account folder
|
1 |
mkdir /home/yourusername |
and change the file owner
|
1 |
chown yourusername /home/yourusername |
and finally create a password for the account
|
1 |
passwd yourusername |
(Note: In the field yourusername add your account name instead of yourusername.)
In the next step install sudo (if it isn’t already installed) to add our account to the sudoers. So on the terminal type:
|
1 |
apt-get install sudo |
and next open the sudoers file using the nano editor:
|
1 |
nano /etc/sudoers |
Now in the file you will find the following line and will add your account name giving the same privileges as root account has.
|
1 2 |
root ALL=(ALL) ALL yourusername ALL=(ALL) ALL |
(Note: You could also add the option NOPASSWD: ALLto avoid typing the sudo password every time but it’s not recommended for security reasons.)
Use RSA key authentication
Read the post SSH using RSA-Key Authenticationwhich contains the following modules:
- SSH Protocol
- Run SSH – Connect to the Server
- Generate – Encrypt RSA Key
- Upload Key to Server
- Authorized Connection with Server
- Troubleshooting
(Note: Youmust create the .ssh/ directory for your public key inside of /home/yourusername)[/I][/B]
(Note: You need to upload your public key to the path where you created your account and not to the /root/.ssh/ directory but to the /home/yourusername/.ssh/)
Change SSH config file
After successfully creating and uploading of the public key, connect to the server once more again as root and navigate to the sshd_config file typing the following on the terminal:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 |
# Package generated configuration file # See the sshd_config(5) manpage for details # What ports, IPs and protocols we listen for Port 22 # Use these options to restrict which interfaces/protocols sshd will bind to #ListenAddress :: #ListenAddress 0.0.0.0 Protocol 2 # HostKeys for protocol version 2 HostKey /etc/ssh/ssh_host_rsa_key HostKey /etc/ssh/ssh_host_dsa_key #Privilege Separation is turned on for security UsePrivilegeSeparation yes # Lifetime and size of ephemeral version 1 server key KeyRegenerationInterval 3600 ServerKeyBits 768 # Logging SyslogFacility AUTH LogLevel INFO # Authentication: LoginGraceTime 120 PermitRootLogin yes StrictModes yes RSAAuthentication yes PubkeyAuthentication yes #AuthorizedKeysFile %h/.ssh/authorized_keys # Don't read the user's ~/.rhosts and ~/.shosts files IgnoreRhosts yes # For this to work you will also need host keys in /etc/ssh_known_hosts RhostsRSAAuthentication no # similar for protocol version 2 HostbasedAuthentication no # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication #IgnoreUserKnownHosts yes # To enable empty passwords, change to yes (NOT RECOMMENDED) PermitEmptyPasswords no # Change to yes to enable challenge-response passwords (beware issues with # some PAM modules and threads) ChallengeResponseAuthentication no # Change to no to disable tunneled clear text passwords #PasswordAuthentication yes # Kerberos options #KerberosAuthentication no #KerberosGetAFSToken no #KerberosOrLocalPasswd yes #KerberosTicketCleanup yes # GSSAPI options #GSSAPIAuthentication no #GSSAPICleanupCredentials yes X11Forwarding yes X11DisplayOffset 10 PrintMotd no PrintLastLog yes TCPKeepAlive yes #UseLogin no #MaxStartups 10:30:60 #Banner /etc/issue.net # Allow client to pass locale environment variables AcceptEnv LANG LC_* Subsystem sftp /usr/lib/openssh/sftp-server # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will # be allowed through the ChallengeResponseAuthentication and # PasswordAuthentication. Depending on your PAM configuration, # PAM authentication via ChallengeResponseAuthentication may bypass # the setting of "PermitRootLogin without-password". # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. UsePAM yes # AP: For resolving the long waiting time at login UseDNS no |
First, a good security tip is to change the standard SSH listening port. The option Port specifies on which port number ssh daemon listens for incoming connections. The default port is 22.
|
1 |
Port 20168 |
Next, confirm that RSAAuthentication and PubkeyAuthentication are set to yes
|
1 2 |
RSAAuthentication yes PubkeyAuthentication yes |
Next change the following lines from yes to no
|
1 2 |
PermitRootLogin no PasswordAuthentication no |
Allow only Protocol 2; protocol 1 is less secure and obsolete.:
|
1 |
Protocol 2 |
Limit the users or groups that can login in remotely.
|
1 2 3 4 |
AllowUsers yourusername AllowGroups yourgroup DenyUsers username DenyGroups namegroup |
Next we will change/add the ideal timeout interval.
|
1 2 |
ClientAliveInterval 300 ClientAliveCountMax 0 |
Next, if you are using a static IP you can set the SSH listening to only the specific ip for remote connection. The option ListenAddress specifies the IP address of the interface network on which the ssh daemon server socket is bound. The default is 0.0.0.0
|
1 |
ListenAddress xxx.xxx.xxx.xxx |
Make sure that PermitEmptyPasswords is set to no
|
1 |
PermitEmptyPasswords no |
Next we will specify how long in seconds after a connection request the server will wait before disconnecting if the user has not successfully logged in.
|
1 |
LoginGraceTime 600 |
Make sure that the option IgnoreRhosts is set to yes. The option IgnoreRhosts specifies whether rhosts or shosts files should not be used in authentication.
|
1 |
IgnoreRhosts yes |
Next set IgnoreUserKnownHosts to yes. IgnoreUserKnownHosts specifies whether the ssh daemon should ignore the user’s $HOME/.ssh/known_hosts during RhostsRSAAuthentication.
|
1 |
IgnoreUserKnownHosts yes |
Next we will set StrictModes. The option StrictModes specifies whether ssh should check user’s permissions in their home directory and rhosts files before accepting login. This option must always be set to yes because sometimes users may accidentally leave their directory or files world-writable.
|
1 |
StrictModes yes |
Set X11Forwarding to no. The option X11Forwarding specifies whether X11 forwarding should be enabled or not on this server.
|
1 |
X11Forwarding no |
Next we will set PrintMotd to yes. The option PrintMotd specifies whether the ssh daemon should print the contents of the /etc/motd file when a user logs in interactively.
|
1 |
PrintMotd yes |
Extra Security:
- Configure your firewall to allow only certain IP’s
- Install some brute force attack detectors
- Port knocking on one time passwords
- Install logcheck/logrotate to make log files reading easier.
Check the complete guide for securing the SSH Protocol unity 6 “System Access, Authentication, and Authorization”
Designed and Created by Liatsis Fotis for liatsisfotis.com
© 2013 Liatsis Fotis
Tagged tutorial.