Hi,
Some quick points here for how to secure SSH. What do people think?
Thanks.
How To: Securing SSH
SSH is normally enabled by default on Linux installations, so it goes without saying that a few simple security measures are required to keep the box free from brute force attacks. These measures are part of the SSH configuration and no additional software is required.
If the machine is to be public facing then as a minimum I always follow these steps:
Change the port the daemon is running on
Remove access to root
Enable certificate public/private key authentication
**Change the port**
The SSH daemon defaults to port 22. Changing the port the daemon runs on is very easy and is one of the best steps to securing the SSH daemon.
Open the /etc/ssh/sshd_config file using your favourite editor.
Find the line:
#Port 22
Change the number to one higher than 1024 (ports up to 1024 are the privileged ports).
Port 1322
Note the removal of the # to enable the line.
Save and exit the file.
Restart the daemon (rcsshd restart on SuSE / Redhat).
Now connect to the daemon on the new port to check access:
ssh -p 1322 username@ipaddress
Note that the ssh client takes the port with a lowercase -p; scp, shown below, uses a capital -P for the same thing.
All client tools from the ssh suite will need to be informed of the port number of the remote sshd daemon.
For example:
scp -P 1322 /home/user/file user@ipaddress:/home/user/
would copy file to the remote system using port 1322.
**Remove access to root**
Open the /etc/ssh/sshd_config file using your favourite editor.
Find the line:
#PermitRootLogin yes
Although this is commented out, root is allowed by default, so do not assume root is not allowed!
Change the line to:
PermitRootLogin no
Note the removal of the # from the command. This will activate the command.
Save and exit the file.
Restart the ssh daemon (rcsshd restart on SuSE and Redhat).
**Enable certificate public/private key authentication**
Enabling certificate authentication is a great way of securing a system. This works in conjunction with disabling password authentication.
It is easily configured, but steps need to be taken to secure the certificates.
From the remote system (client) that will be accessing the SSH server, issue the following command:
ssh-keygen -t rsa
The following will be displayed:
user@lintangerine:/etc/ssh> ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa):
Always, always use a passphrase. It can contain spaces and be as cryptic as you like; just make it hard to guess.
Once the passphrase has been entered the following will be displayed:
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.
The key fingerprint is:
37:51:f7:a2:6c:44:77:20:99:79:7f:3e:50:5f:7b:19 user@lintangerine
The key's randomart image is:
+--[ RSA 2048]----+
| +++...|
| o++.E.|
| . ...o.B|
| + o +=|
| S o + ...o|
| . o ...|
| .|
| |
| |
+-----------------+
The public key is copied to the .ssh directory of your user
/home/user/.ssh/id_rsa.pub
Change to the .ssh directory, and copy id_rsa.pub to a file called authorized_keys
cp id_rsa.pub authorized_keys
Now copy this file to the ssh server. (If you have changed the port, use the new port!) In this example the SSH daemon is running on port 1567:
scp -P 1567 /home/user/.ssh/authorized_keys user@sshserver:/home/user/.ssh/authorized_keys
The certificate must be copied to the .ssh directory of the designated user on the remote server. If the .ssh directory does not exist for that user then create it. Allow read/write/execute access to that directory for that user only.
Once the file has been copied you can test ssh access. You should no longer be prompted for a password but for the certificate passphrase.
Once you are happy that the certificates are working as expected you can disable password authentication in the ssh config file.
Be careful not to lock yourself out from the remote server after making this change!! Make sure the certificate access is definitely working!!
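The server-side half of the copy step above, as an added shell example that is not part of the original post: it creates the .ssh directory and authorized_keys with the owner-only modes the post requires, and appends the key rather than replacing the file, since the cp/scp sequence above overwrites any keys that user already has authorized. The sample key line is a constructed placeholder rather than a real key, and a temporary directory stands in for the user's home.

```shell
#!/bin/sh
# Added example (not from the original post): the server-side half of the
# authorized_keys copy.  It appends the key instead of replacing the file,
# because "cp id_rsa.pub authorized_keys" plus scp over the remote file
# silently discards any keys that user already has, and it sets the modes
# sshd's StrictModes check expects (.ssh 700, authorized_keys 600).
# Assumption: HOME_DIR is the target user's home and we run as that user.

# install_pubkey HOME_DIR PUBKEY_LINE
# Returns 0 when the key was added, 2 when it was already present, 1 when
# PUBKEY_LINE does not look like an OpenSSH public key.
install_pubkey() {
    home=$1; key=$2
    # a public key line is "<type> <base64-blob> [comment]"
    case $key in
        "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-"*" "*) ;;
        *) echo "refusing: does not look like an OpenSSH public key" >&2; return 1 ;;
    esac
    sshdir=$home/.ssh; auth=$sshdir/authorized_keys
    old_umask=$(umask); umask 077     # anything we create starts owner-only
    mkdir -p "$sshdir"; chmod 700 "$sshdir"
    touch "$auth";      chmod 600 "$auth"
    umask "$old_umask"
    # match on type+blob only: the trailing comment may differ between copies
    blob=$(printf '%s\n' "$key" | awk '{ print $1 " " $2 }')
    if awk -v b="$blob" '($1 " " $2) == b { found = 1 } END { exit !found }' "$auth"; then
        return 2
    fi
    printf '%s\n' "$key" >> "$auth"
}

# count_keys HOME_DIR : number of non-empty lines in authorized_keys
count_keys() {
    f=$1/.ssh/authorized_keys
    if [ -f "$f" ]; then awk 'NF { n++ } END { print n + 0 }' "$f"; else echo 0; fi
}

# perms_ok HOME_DIR : succeeds only when .ssh is 0700 and authorized_keys is 0600
perms_ok() {
    [ -n "$(find "$1/.ssh" -prune -perm 700)" ] &&
    [ -n "$(find "$1/.ssh/authorized_keys" -prune -perm 600)" ]
}

# Demo against a temporary directory standing in for /home/user.
# The key below is a constructed placeholder, not a real key.
SAMPLE_KEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERxxxxxxxxxxxxxxxxxxxxxxxxxxxxx user@lintangerine"
demo=$(mktemp -d)
install_pubkey "$demo" "$SAMPLE_KEY" && echo "installed: $(count_keys "$demo") key(s)"
install_pubkey "$demo" "$SAMPLE_KEY" || echo "second copy skipped (status $?)"
perms_ok "$demo" && echo "modes are 0700/0600 as required"
rm -rf "$demo"
```

Running the same key twice (or the same key with a different comment) is a no-op with status 2, which is the behaviour you want when a second client machine's key is added later to a server that already has one.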
Using your favourite editor open up the ssh config file: (For me that is VI)
vi /etc/ssh/sshd_config
Find the following lines:
# Change to no to disable s/key passwords
ChallengeResponseAuthentication yes
Change the ChallengeResponseAuthentication line to read:
ChallengeResponseAuthentication no
Save and exit the file.
Restart the ssh daemon from the connected session. This will not disconnect your session.
Now open up a new ssh connection to the server, keeping your existing session alive in case you need to change the ssh settings again.
If you try to access the remote ssh server with an account that has no certificate enabled you will be given no password prompt, just the following message:
Permission denied (publickey).
This is because the server is now expecting certificate based access only.
If you access the remote server with a user that has a valid certificate you will be prompted for the passphrase. On entering the passphrase you will be into the ssh session as normal.
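An added shell audit (example code, not from the original post) that covers the two config edits above, PermitRootLogin and the password settings: it reports the effective value of each directive, treating a commented-out line as "use the default", which is the trap the post points out for #PermitRootLogin yes. It also checks PasswordAuthentication, which has to be no as well before the server gives the "Permission denied (publickey)" response, since ChallengeResponseAuthentication only governs keyboard-interactive logins. The defaults assumed are the traditional OpenSSH ones, the two sample configs are constructed inputs, and Include files and Match sections are not followed.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config for the
# settings the post changes.  A commented-out line such as "#PermitRootLogin yes"
# sets nothing, so the effective value is sshd's compiled-in default, which is
# why the post warns that root stays allowed until the line is uncommented.
# Assumed defaults are the traditional OpenSSH ones: Port 22, PermitRootLogin yes,
# PasswordAuthentication yes, ChallengeResponseAuthentication yes,
# PubkeyAuthentication yes.  Include files are not read, and a Match line ends
# the global section (directives below it are conditional).

# sshd_effective FILE DIRECTIVE DEFAULT
# Prints the effective global value: sshd honours the FIRST uncommented
# occurrence of a keyword, so later duplicates are ignored.
sshd_effective() {
    val=$(awk -v k="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }        # comment or blank line
        tolower($1) == "match"      { exit }        # conditional section starts
        tolower($1) == tolower(k)   { print $2; exit }
    ' "$1")
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# sshd_audit FILE
# Prints one line per finding; the exit status is the number of findings,
# so 0 means every setting matches the hardened end state.
sshd_audit() {
    f=$1; n=0
    if [ "$(sshd_effective "$f" Port 22)" = 22 ]; then
        echo "Port: still on 22"; n=$((n + 1)); fi
    if [ "$(sshd_effective "$f" PermitRootLogin yes)" != no ]; then
        echo "PermitRootLogin: root may still log in over ssh"; n=$((n + 1)); fi
    if [ "$(sshd_effective "$f" PasswordAuthentication yes)" != no ]; then
        echo "PasswordAuthentication: passwords still accepted"; n=$((n + 1)); fi
    if [ "$(sshd_effective "$f" ChallengeResponseAuthentication yes)" != no ]; then
        echo "ChallengeResponseAuthentication: keyboard-interactive passwords still accepted"; n=$((n + 1)); fi
    if [ "$(sshd_effective "$f" PubkeyAuthentication yes)" != yes ]; then
        echo "PubkeyAuthentication: key logins are switched off"; n=$((n + 1)); fi
    return "$n"
}

# Constructed sample inputs: one shaped like a stock file, one like the post's end state.
write_stock_config() {
    cat > "$1" <<'EOF'
# stock file: every line commented out, so every default applies
#Port 22
#PermitRootLogin yes
#PasswordAuthentication yes
# Change to no to disable s/key passwords
ChallengeResponseAuthentication yes
EOF
}
write_hardened_config() {
    cat > "$1" <<'EOF'
Port 1322
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
Match User backup
    PasswordAuthentication yes
EOF
}

# Demo: the stock file yields four findings, the hardened one none.
demo=$(mktemp -d)
write_stock_config "$demo/stock"; write_hardened_config "$demo/hardened"
echo "== stock sshd_config ==";    sshd_audit "$demo/stock"    || echo "$? finding(s)"
echo "== hardened sshd_config =="; sshd_audit "$demo/hardened" && echo "no findings"
rm -rf "$demo"
```

Run it against /etc/ssh/sshd_config from the session you keep open while editing; an audit that still reports findings is the cue not to close that session yet.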
Hopefully this will help you secure your ssh server easily and in a straightforward manner.
It is important to note that the use of certificates means that your private key is now your access into the server. Keep it in a directory readable only by the person the key is intended for. It is also worth backing the key up in case of data loss; again, the backups must be stored securely.