ScaleScaleScaleScale

Tips / Nginx


Top 10 Steps to Secure Your SSH Server

SSH means Secure Shell, and it’s a protocol designed to allow secure communications between different hosts using an encrypted connection. SSH servers allow users to log into remote hosts, run commands and operate network services, securely. In order to establish an SSH connection, you need two parts: the SSH client and the SSH server.

A very big part of SSH security relies on how the SSH Server is configured. Today, you will learn about the Top 10 security tips to harden your SSH server.

10 Steps to Secure Your SSH Server

First, you have to locate your open SSH main server configuration file, as most of the security tips focus on modifications of this file. On most Linux distributions, it can be found at:

/etc/ssh/sshd_config

1. Use a different port than 22.

Edit your sshd_config file, and set one different than 22:

Port 227

This will prevent brute force attacks against the default SSH port.

2. Use Protocol SSH 2 only.

Almost all Linux distributions already come with Protocol 2 as default, but always make sure this is set as:

Protocol 2

SSH Protocol 1 is very insecure, allows man-in-the-middle attacks and has a lot of known vulnerabilities.

3. Disable root login.

Direct root logins are insecure by default, even more if the root password is weak. The best way to protect direct root logins is to require a primary user to log in via SSH, and then log in as root if it’s really necessary.

Add the primary user for the SSH connection and set a new password:

useradd john
passwd john

Edit the sshd_config file and set:

PermitRootLogin no
AllowUsers john #if this line doesn't exist, just add it

This will disable root login and allow user “john” to log in via SSH, where once he is logged in he can perform a simple ‘su -‘ to become root user.

4. Avoid listening on all interfaces.

By default, the SSH server listens on all network interfaces. Secure this and allow SSH to listen only on one predefined interface:

ListenAddress XX.XX.XX.XX

Replace “XX.XX.XX.XX” with your real server IP.

5. Address Misc Security options

Apply changes to your sshd_config file. StrictModes forces the SSH server to check a user’s permissions in their home dir and rhosts files before accepting login.

StrictModes yes

LoginGraceTime defines how long the SSH server will wait until disconnecting if the user hasn’t successfully logged in.

LoginGraceTime 120

If you don’t need port forwarding, set this to ‘no’:

AllowTcpForwarding no

You don’t need any X11 stuff if you are terminal only nerds:

X11Forwarding no

Print last log of the established connections:

Printlastlog yes

Disable logging into accounts with null passwords:

PermitEmptyPasswords no

Set up your Welcome banner by editing /etc/motd file, add the text that you need, and it will be displayed on your next shell logins (local and remote). Example:

[user@localhost ~]$ ssh user@remotehost.com

Last login: Sat Oct 31 09:11:53 2015 from XX.XX.XX.XX

ALERT! You are entering a secured area! Your IP and login information
have been recorded. System administration has been notified.

This system is restricted to authorized access only. All activities on
this system are recorded and logged. Unauthorized access will be fully
investigated and reported to the appropriate law enforcement agencies.

[user@remotehost ~]$

6. Use public_keys instead of passwords.

Check out this tutorial on how to log into an SSH Server using public keys: SSH Login without passwords using public keys. After you ensure that public key access is working, edit your sshd_config file and disable password authentication:

PasswordAuthentication no

7. Limit connections using TCPWrappers.

TCPWrappers are one of the best ways to secure your SSH Server by setting who can connect to which servers. ONLY use this if you have a static IP address with your local internet provider. If you use dynamic IPs and use Tcpwrappers, it will probably lock you out of your server.

Edit /etc/hosts.allow file and add this line to allow connections from your local network IP (replace “XX.XX.XX.XX” with your real public IP):

sshd : XX.XX.XX.XX

Then, at the /etc/hosts.deny file, deny all of the rest of the incoming SSH connections:

sshd : ALL

8. Limit SSH connections using a Firewall.

If you are using an iptables firewall like CSF, you can set a limit to the incoming SSH connections and how many times it will fail before it gets blocked:

Edit /etc/csf/csf.conf and set:

LF_SSHD = "5"

Restart the firewall to apply changes:

csf -r

9. Activate Port Knocking.

Port knocking is a security technique that relies on knocking pre-defined ports on the SSH Server in order to allow the establishment of the SSH connection from a remote host. Follow this tutorial to activate Port Knocking on your iptables rules: How to enable Port Knocking on CentOS

10. Integrate Google Authenticator.

2 factor authentication is here to stay. It’s widely used in web based logins, and you can also integrate 2 step authentication into your SSH logins. Check out these cool tutorials:

Conclusion

SSH is still one of the most used network services on Linux and BSD servers. It can be a powerful tool to connect and control servers, but it also can become your worse nightmare if you don’t secure it properly. After following these 10 steps, you should have a much more secure SSH server.  Do you have any other SSH Security tip? Share in the comments.

Popular search terms:

  • best way to secure ssh
  • how to secure nginx debian server
  • how to secure nginx ports
  • nginx ssh
profile

Esteban Borges

Linux Geek, Webperf Addict, Nginx Fan. CTO @Infranetworking