Thursday, August 9, 2012

Securing SSH - Tips & Tricks

Strong Usernames/Passwords
To most of us this is a no-brainer; to others, not so much. Regardless, the strength of the username/password combination matters a great deal: if the password is a dictionary word, or can be derived from the username, there may as well be no password at all. Ideally a passphrase is used instead. A passphrase works exactly like a password except that a whole phrase is typed rather than a single word, and its length is what makes it strong, so pick something long that you can still remember. Passwords and passphrases can additionally be mangled (letters swapped for look-alike digits and symbols), but keep in mind that password-cracking tools apply exactly these substitutions as standard rules, so mangling a dictionary word buys far less than adding length does.

Password        Passphrase
beach           awalkonthebeachwouldbenicerightaboutnow

Unmangled       Mangled
demolitionman   d3m01Iti0Nm4N
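To see why mangling alone is weak, here is an added example (not from the original post) that undoes the look-alike substitutions a cracker's rule set undoes and checks whether the result still collapses to a wordlist entry. The wordlist and the candidate passwords are constructed for the demo; a real check would use a large cracking dictionary.

```python
"""Added example, not from the original post: undo the look-alike
substitutions a password cracker's rules undo (3->e, 0->o, 1->l/i, ...)
and see whether a "mangled" password still collapses to a wordlist entry.
The wordlist is constructed for the demo; a real check uses a big one."""
from itertools import product

# Each mangled character maps to every letter it is commonly used for.
UNLEET = {
    "0": "o", "1": "li", "3": "e", "4": "a", "5": "s", "7": "t",
    "8": "b", "@": "a", "$": "s", "!": "i", "|": "li", "+": "t",
}
TRAILING_JUNK = "0123456789!@#$%^&*_-."   # "beach123!" -> "beach"
MAX_AMBIGUOUS = 12                       # bound the candidate expansion

# Constructed wordlist standing in for a real cracking dictionary.
WORDLIST = {"beach", "demolitionman", "password", "summer2012", "letmein"}


def unmangle(candidate):
    """All plain-text strings the candidate could have been mangled from."""
    options = [UNLEET.get(ch, ch) for ch in candidate.lower()]
    if sum(len(o) > 1 for o in options) > MAX_AMBIGUOUS:
        return set()          # too many branches; treat as unrecoverable
    return {"".join(p) for p in product(*options)}


def dictionary_hits(candidate, wordlist=WORDLIST):
    """Wordlist entries the candidate is derived from (mangling and/or
    trailing digits and symbols stripped), or an empty set."""
    base = candidate.lower()
    variants = {base, base.rstrip(TRAILING_JUNK)}
    forms = set()
    for v in variants:
        forms |= unmangle(v)
    return forms & wordlist


def is_weak(candidate, wordlist=WORDLIST, min_len=12):
    """Weak if it reduces to a wordlist word, or is simply too short.
    A long passphrase passes even though its words are in the list,
    because the cracker must then guess the whole phrase."""
    return bool(dictionary_hits(candidate, wordlist)) or len(candidate) < min_len


if __name__ == "__main__":
    for pw in ("beach", "beach123!", "d3m01Iti0Nm4N", "P@ssw0rd",
               "awalkonthebeachwouldbenicerightaboutnow"):
        print(f"{pw:42} hits={sorted(dictionary_hits(pw))} weak={is_weak(pw)}")
```

Running it shows d3m01Iti0Nm4N and P@ssw0rd landing straight back on their dictionary words, while the passphrase from the table above survives: nothing in it is a wordlist entry, and its length puts it out of reach of the brute-force rules that find mangled words.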

Don't Use Port 22
Running sshd on the default port is not recommended. Moving it will not hide the service from anyone who port-scans the host (the SSH banner gives it away on any port), but the bulk of automated login attempts only ever probe port 22, so a different port cuts that noise to almost nothing. Pick an unused high port, open it in the firewall, and if SELinux is enforcing, add the new port to the ssh_port_t type with semanage before restarting sshd; keep your current session open and confirm that a fresh connection on the new port works before logging out. The change itself is one line in the sshd configuration file.

[root@dem0 /]# vi /etc/ssh/sshd_config
Port 22 -> Port XYZ
[root@dem0 /]# service sshd restart

Disable root SSH Login
Allowing the root user to log in via SSH is a big security risk: root exists on every box, so it is the account every brute-force bot tries first, and a successful guess is game over. Root should be reserved for local (console) access; administrators log in as themselves and escalate with su or sudo. If a root key is genuinely needed for automation, PermitRootLogin without-password (spelled prohibit-password in OpenSSH 7.0 and later) still refuses root password logins. Disabling root SSH access entirely is as simple as editing the sshd configuration file.

[root@dem0 /]# vi /etc/ssh/sshd_config
PermitRootLogin yes -> PermitRootLogin no
[root@dem0 /]# service sshd restart

Limit User Login
Not all users need remote access. Whitelist the accounts that do with AllowUsers (space-separated; a user@host pattern additionally restricts where that user may connect from). Once AllowUsers is set, every account not on the list is refused by sshd regardless of password or key, including root, so make sure your own account is listed before restarting. AllowGroups does the same for a whole group.

[root@dem0 /]# vi /etc/ssh/sshd_config
AllowUsers user1 user2
[root@dem0 /]# service sshd restart

Disable Protocol 1
Protocol 1 has known cryptographic weaknesses (its CRC-32 integrity check among them) and should only be enabled when a device specifically needs it. To disable it, edit the sshd configuration file. OpenSSH 7.4 and later no longer contain protocol 1 at all; on those versions the directive is deprecated and ignored, so there is nothing to do.

[root@dem0 /]# vi /etc/ssh/sshd_config
Protocol 2,1 -> Protocol 2
[root@dem0 /]# service sshd restart

Network Firewall
Network security depends on many different things, one of them being the host firewall. Two iptables rules are useful for SSH. If you moved sshd off port 22 above, use the new port in place of 22 below.

Accept SSH connections from only one IP (replace <trusted_ip> with the address that is allowed to connect):
[root@dem0 /]# iptables -A INPUT -p tcp -s <trusted_ip> --dport 22 -j ACCEPT

Track new SSH connections per source address and accept them unless 5 have been made in the last 60 seconds. Both rules must match only new connections, otherwise every packet of an established session counts as a hit and a working login is cut off after a few packets. The chain must also drop whatever these rules do not accept (for example with a default DROP policy); if the INPUT policy is ACCEPT, a source that exceeds the limit simply falls through and is accepted anyway. Note that this counts connection attempts, not failed logins, so an administrator opening several sessions in quick succession trips it too.
[root@dem0 /]# iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name ssh --rsource
[root@dem0 /]# iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent ! --rcheck --seconds 60 --hitcount 5 --name ssh --rsource -j ACCEPT

Configure Key Based Authentication

Password guessing stops working entirely once sshd accepts only keys. The private key stays on the client (dem1 below); only the public key is copied to the server (dem0), where it is appended to the login user's ~/.ssh/authorized_keys. Because root login was disabled above, do this for an ordinary account (user1 here). Keep your existing session open until a key login has been tested, and only then turn off PasswordAuthentication on the server; doing it in the other order locks you out if anything went wrong.

On the client, generate the key pair (ssh-keygen asks for a passphrase; set one so that a stolen key file alone is not enough) and copy the public half to the server:

[user1@dem1 ~]$ ssh-keygen -t rsa
[user1@dem1 ~]$ chmod 700 ~/.ssh
[user1@dem1 ~]$ chmod 600 ~/.ssh/id_rsa
[user1@dem1 ~]$ scp ~/.ssh/id_rsa.pub user1@dem0:/tmp/dem1_pk

On the server, install the public key. sshd ignores authorized_keys when the directory or file is group- or world-writable (StrictModes), so the permissions are not optional:

[user1@dem0 ~]$ mkdir -p ~/.ssh
[user1@dem0 ~]$ cat /tmp/dem1_pk >> ~/.ssh/authorized_keys
[user1@dem0 ~]$ chmod 700 ~/.ssh
[user1@dem0 ~]$ chmod 600 ~/.ssh/authorized_keys
[user1@dem0 ~]$ rm /tmp/dem1_pk

Test the key login from the client; you should be asked for the key passphrase, not the account password:

[user1@dem1 ~]$ ssh user1@dem0
[user1@dem0 ~]$

Only once that works, disable password authentication on the server. Use lowercase yes/no: sshd_config arguments are case-sensitive and older sshd versions refuse to start on "Yes"/"No". On RHEL also check that ChallengeResponseAuthentication is no, otherwise PAM can still prompt for a password over keyboard-interactive.

[root@dem0 /]# vi /etc/ssh/sshd_config
PasswordAuthentication yes -> PasswordAuthentication no
[root@dem0 /]# service sshd restart
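Since every section so far edits the same file, here is an added example (not from the original post) that audits an sshd_config against those recommendations: non-default port, no root login, a user whitelist, no protocol 1, and no password authentication. It parses the file the way sshd does, and the two configurations at the bottom are constructed for the demo; audit_file("/etc/ssh/sshd_config") checks a real host. The ChallengeResponseAuthentication check assumes you want key-only logins.

```python
"""Added example, not from the original post: audit an sshd_config for the
settings recommended above.  The two configs at the bottom are constructed
for the demo; audit_file("/etc/ssh/sshd_config") checks a real host.
Parsing follows sshd's own rules: keywords are case-insensitive, the FIRST
value given for a keyword wins, "#" starts a comment, and anything after a
Match line is conditional, so it is not read as a global setting."""
import re

LINE = re.compile(r"^(\S+?)(?:\s+|\s*=\s*)(.*)$")

# Directive -> value the post recommends.  Unset means the compiled-in
# default applies, which for all three is more permissive than "no".
EXPECTED = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    # On RHEL, PAM can still ask for a password over keyboard-interactive
    # unless this is also off; assumption: you want keys only.
    "challengeresponseauthentication": "no",
}


def parse_sshd_config(text):
    """Return {lowercase keyword: first global value}."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break                      # rest of file is conditional
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text):
    """List of human-readable findings; empty means all checks passed."""
    cfg = parse_sshd_config(text)
    findings = []
    for key, want in EXPECTED.items():
        got = cfg.get(key)
        if got is None:
            findings.append(f"{key} not set (default applies); set it to {want}")
        elif got == want:
            continue
        elif got.lower() == want:
            findings.append(f"{key} is '{got}': arguments are case-sensitive "
                            f"and older sshd refuses to start; use '{want}'")
        else:
            findings.append(f"{key} is {got}, want {want}")
    if cfg.get("port", "22") == "22":
        findings.append("port is 22: default port, expect scanner noise")
    proto = cfg.get("protocol", "")
    if "1" in proto.replace(" ", "").split(","):
        findings.append(f"protocol '{proto}' still allows SSH-1")
    if "allowusers" not in cfg and "allowgroups" not in cfg:
        findings.append("no AllowUsers/AllowGroups: every local account may log in")
    return findings


def audit_file(path):
    with open(path) as f:
        return audit_sshd_config(f.read())


# Constructed: a stock-looking config before hardening.
WEAK_CONFIG = """\
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed: the post's recommendations applied; the Match block's
# PasswordAuthentication yes is per-user and must not trip the audit.
HARDENED_CONFIG = """\
Port 2222
Protocol 2
PermitRootLogin no
AllowUsers user1 user2
PasswordAuthentication no
ChallengeResponseAuthentication no
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or ["ok"])
```

Two details in the parser matter in practice: sshd keeps the first value it reads for a keyword, so a hardening line appended at the bottom of a file that already sets the same keyword near the top changes nothing, and everything after a Match line applies only to the matched users, which is why the per-user PasswordAuthentication yes in the hardened sample is not reported.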

Install fail2ban
When an SSH server is reachable from the Internet, unauthorized users will try to log in to it, constantly. fail2ban stops them quickly: it watches the authentication log for failed SSH logins and, once a source address reaches a threshold of failures (maxretry, default 5) within a time window (findtime), it inserts an iptables rule that drops that address for bantime seconds (default 600, i.e. 10 minutes). Installation and configuration is simple...

[root@dem0 /]# cd /tmp
[root@dem0 tmp]# wget
[root@dem0 tmp]# tar -xf fail2ban-0.8.4.tar.bz2
[root@dem0 tmp]# cd ./fail2ban-0.8.4
[root@dem0 fail2ban-0.8.4]# python setup.py install
[root@dem0 fail2ban-0.8.4]# cp files/redhat-initd /etc/init.d/fail2ban
[root@dem0 fail2ban-0.8.4]# chkconfig --add fail2ban
[root@dem0 fail2ban-0.8.4]# chkconfig fail2ban on
[root@dem0 fail2ban-0.8.4]# cd /etc/fail2ban/
[root@dem0 fail2ban]# vi jail.conf
bantime = 600 -> bantime = 99999999999999999
maxretry = 5 -> maxretry = 3

A bantime that large is effectively permanent. Be aware of what that means: one person mistyping a password three times from behind a shared NAT locks out everyone behind it for good, and in the 0.8 series bans are held in memory only, so they vanish whenever fail2ban restarts anyway. A few hours is usually plenty against bots. Note also that jail.conf is replaced on upgrade; local overrides belong in jail.local, which fail2ban reads after jail.conf.

Then enable the SSH jail (the [ssh-iptables] section) and point it at the RHEL authentication log:

[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
logpath  = /var/log/secure
maxretry = 3

If sshd listens on a non-default port, change port=ssh to that port number, or the ban rule will protect the wrong port.

[root@dem0 fail2ban]# service fail2ban start
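To make the maxretry/findtime/bantime interplay concrete, here is an added example (not fail2ban's own code) of the decision logic behind the sshd jail above, run over constructed /var/log/secure lines. It is the same sliding-window idea the iptables recent rules apply to new connections, applied here to failed logins. The year is assumed, since syslog timestamps carry none, and the bans are kept in memory only, as they were in the fail2ban 0.8 series.

```python
"""Added example, not fail2ban's own code: the decision logic of the sshd
jail configured above, run over constructed /var/log/secure lines.  A
source address is banned when it accumulates maxretry failures inside a
sliding findtime window; the ban lapses after bantime.  Bans live only in
memory here, as they did in the fail2ban 0.8 series."""
import re
from collections import defaultdict, deque
from datetime import datetime

YEAR = 2012   # assumption: syslog timestamps carry no year

# Modelled on the failure lines fail2ban's sshd filter matches; the
# source address plays the role of <HOST> in a fail2ban failregex.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Failed password for (?:invalid user )?\S+|Invalid user \S+) "
    r"from (?P<host>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_ts(stamp):
    return datetime.strptime(f"{YEAR} {stamp}", "%Y %b %d %H:%M:%S").timestamp()


class SshJail:
    def __init__(self, maxretry=3, findtime=600, bantime=600):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.failures = defaultdict(deque)   # host -> failure times in window
        self.banned = {}                     # host -> time the ban expires
        self.bans = []                       # (timestamp, host) ban events

    def _expire(self, now):
        for host, until in list(self.banned.items()):
            if now >= until:
                del self.banned[host]        # fail2ban's unban action

    def feed(self, line):
        """Process one log line; return the host if it gets banned now."""
        m = FAILED.search(line)
        if not m:
            return None
        now, host = parse_ts(m["ts"]), m["host"]
        self._expire(now)
        if host in self.banned:
            return None                      # iptables is already dropping it
        window = self.failures[host]
        window.append(now)
        while now - window[0] > self.findtime:
            window.popleft()                 # forget failures outside findtime
        if len(window) >= self.maxretry:
            self.banned[host] = now + self.bantime
            self.bans.append((m["ts"], host))
            window.clear()
            return host
        return None


def run_jail(log_text, **settings):
    jail = SshJail(**settings)
    for line in log_text.splitlines():
        jail.feed(line)
    return jail


# Constructed sample: a bot hammering root, then a legitimate user with
# occasional typos, then the bot returning after the ban has lapsed.
SAMPLE_LOG = """\
Aug  9 10:00:01 dem0 sshd[2101]: Failed password for root from 198.51.100.7 port 40001 ssh2
Aug  9 10:00:03 dem0 sshd[2101]: Failed password for root from 198.51.100.7 port 40001 ssh2
Aug  9 10:00:05 dem0 sshd[2103]: Invalid user admin from 198.51.100.7
Aug  9 10:00:06 dem0 sshd[2103]: Failed password for invalid user admin from 198.51.100.7 port 40002 ssh2
Aug  9 10:00:09 dem0 sshd[2105]: Accepted publickey for user1 from 192.0.2.10 port 50010 ssh2
Aug  9 10:01:00 dem0 sshd[2107]: Failed password for user1 from 192.0.2.10 port 50011 ssh2
Aug  9 10:20:00 dem0 sshd[2110]: Failed password for user1 from 192.0.2.10 port 50012 ssh2
Aug  9 10:30:00 dem0 sshd[2112]: Failed password for user1 from 192.0.2.10 port 50013 ssh2
Aug  9 10:45:00 dem0 sshd[2120]: Failed password for root from 198.51.100.7 port 40050 ssh2
"""

if __name__ == "__main__":
    jail = run_jail(SAMPLE_LOG)
    print("bans:", jail.bans, "still banned:", sorted(jail.banned))
```

With the jail settings from above (maxretry 3, findtime 600) the bot is banned on its third failure at 10:00:05, its fourth attempt is ignored because the address is already blocked, and the legitimate user whose three typos are spread over half an hour never accumulates three failures inside one window. The bot's return at 10:45 is accepted again because the 600-second ban has lapsed; running run_jail(SAMPLE_LOG, bantime=10**9) shows the effect of the near-permanent bantime from the configuration above, and maxretry=5 shows the bot never being banned at all.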

Install denyhosts
Another tool with functionality similar to fail2ban is DenyHosts. Instead of iptables it blocks offenders by adding them to /etc/hosts.deny, so it only works with an sshd built against TCP wrappers (libwrap). Stock OpenSSH dropped that support in 6.7, so check your distribution's sshd before relying on it. In denyhosts.cfg, set SECURE_LOG to /var/log/secure on RHEL and review the DENY_THRESHOLD_* values; in daemon-control, check the paths at the top of the script match where the previous steps installed things.

[root@dem0 /]# cd /tmp
[root@dem0 tmp]# wget
[root@dem0 tmp]# tar -zxvf DenyHosts-2.6.tar.gz
[root@dem0 tmp]# cd DenyHosts-2.6
[root@dem0 DenyHosts-2.6]# python setup.py install
[root@dem0 DenyHosts-2.6]# cd /usr/share/denyhosts/
[root@dem0 denyhosts]# cp denyhosts.cfg-dist denyhosts.cfg
[root@dem0 denyhosts]# vi denyhosts.cfg
[root@dem0 denyhosts]# cp daemon-control-dist daemon-control
[root@dem0 denyhosts]# vi daemon-control
[root@dem0 denyhosts]# chown root daemon-control
[root@dem0 denyhosts]# chmod 700 daemon-control
[root@dem0 denyhosts]# cd /etc/init.d/
[root@dem0 init.d]# ln -s /usr/share/denyhosts/daemon-control denyhosts
[root@dem0 init.d]# chkconfig --add denyhosts
[root@dem0 init.d]# chkconfig denyhosts on
[root@dem0 init.d]# service denyhosts start

1 comment:

  1. Good Stuff! I've also found the Google Authenticator app useful for securing SSH. There's an easy how-to here.
    You can still trust a PC using the 'ssh-copy-id -i ~/.ssh/ user@host' to avoid having to enter the code each time.