SSH hardening

Q For some tasks I want to be able to run a remote shell (SSH I guess) on my server. I'm nervous of running extra services on the box though, and wonder if it is really safe to leave an SSH server running. Also, as I know nothing about it, I wonder if you have any tips for making it more secure.

A SSH is actually pretty secure by default, but of course, there are always ways to make it more secure. Most of these revolve around restricting the ways in which you can log in, the accounts you can log in to and the places you can log in from. By default, SSH enables a simple password login. With this method, when you connect to the SSH server as a user, you are prompted for the password. But of course, passwords can be guessed, so there are other methods available. SSH also allows login through a trusted key pair. This involves generating a key on the client, and copying the public part of the key to the SSH server's authorized_keys store. This is a useful way to quickly connect without needing to remember a password, but you can also turn off the password option on the SSH server. First make a key and copy it to the server:

ssh-keygen -t dsa
scp ~/.ssh/id_dsa.pub servername:.ssh/authorized_keys2

This assumes that you are logging in with the same username on both boxes. You'll need to edit the /etc/ssh/sshd_config file and change the line:

PasswordAuthentication yes

to

PasswordAuthentication no

Make sure you can log in with your key before you try this, especially on a remote server! While you have the file open, there are a couple of other tweaks to try. Find these two lines (they aren't together in the original):

PermitRootLogin yes
...
Protocol 2,1

and change them to:

PermitRootLogin no
Protocol 2

This prevents anyone from logging in directly as root. For root access, you will have to log in as a normal user and use su to get root access. The simple reason for this is that instead of having just one password to crack (or key, in our superhard example), any potential cracker will need to know two passwords and the name of a user account on the system - just a little bit harder to do. The second line there forces the server-client to use the more secure protocol for SSH communications. I can't think of a client that doesn't support it, so set this option now! In addition to forcing a user login, you may wish to restrict the individual users who can log in, since it is easy to guess some of the account names on any Linux box.

AllowUsers eric jeff mike degville

A simple space-separated list will restrict the accounts that can be accessed. If you want to be really harsh, you can link the accounts to particular sources, by appending a domain name of the originating server (be careful with this, as access from some sources may not always appear to come from the same IP address):

AllowUsers mike@linuxformat.co.uk eric@*.ac.uk

That should keep the evildoers out of SSH at least.

Follow us on Identi.ca or Twitter

Username:   Password:
Create Account | About TuxRadar