
The best ways to secure your SSH server




Secure your Linux system's SSH connections to protect your system and your data. Both system administrators and home users need to harden and secure an Internet-facing computer, but SSH can be complicated. Here are ten simple quick wins to protect your SSH server.

SSH Security Basics

SSH stands for Secure Shell. The name "SSH" is used interchangeably to mean either the SSH protocol itself or the software tools that allow system administrators and users to make secure connections to remote computers with that protocol.

The SSH protocol is an encrypted protocol designed to provide a secure connection over an insecure network such as the Internet. SSH on Linux is based on the portable version of the OpenSSH project. It is implemented in the classic client-server model: an SSH server accepts connections from SSH clients. The client is used to connect to the server and to present the session to the remote user; the server accepts the connection and runs the session.

In its default configuration, an SSH server listens for incoming connections on TCP (Transmission Control Protocol) port 22. Because this is a standardized, well-known port, it is a target for threat actors and malicious bots.

Threat actors launch bots that scan ranges of IP addresses looking for open ports. The ports are then probed for any vulnerabilities that can be exploited. Thinking "I'm sure there are bigger and better targets than me for the bad guys to aim at" is false reasoning. The bots do not choose targets on merit; they are methodically looking for systems they can break into.

You nominate yourself as a victim if you have not secured your system.

Security Friction

Security friction is the irritation, to whatever degree, that users and others experience when security measures are put in place. We have long memories and can remember introducing new users to a computer system and hearing them ask, in a horrified voice, whether they really had to enter a password every time they logged in to the mainframe. That, for them, was security friction.

(Incidentally, the invention of the password is credited to Fernando J. Corbató, another figure in the pantheon of computer scientists whose combined work contributed to the circumstances that led to the birth of Unix.)

Introducing security measures usually involves some form of friction for someone. Business owners have to pay for it. Computer users may have to change their familiar working practices, remember another set of credentials, or add extra steps to connect successfully. System administrators have additional work to implement and maintain the new measures.

Hardening and locking down a Linux or Unix-like operating system can get very involved, very quickly. What we present here is a set of easy-to-implement steps that will improve your computer's security without needing third-party applications and without digging into your firewall.

These steps are not the last word in SSH security, but they will move you far forward from the default settings and without too much friction.

Use SSH protocol version 2

In 2006, version 2 of the SSH protocol was standardized, superseding version 1. It was a significant upgrade. There were so many changes and improvements, especially regarding encryption and security, that version 2 is not backward compatible with version 1. To prevent connections from version 1 clients, you can specify that your computer only accepts connections from version 2 clients.

One caveat before you start: OpenSSH removed protocol 1 from the server in version 7.4 (2016) and from the client in 7.6, so on a current distribution there is no protocol 1 code left to disable, and the Protocol keyword is accepted (logged as deprecated) and ignored. The setting is harmless and still worth making explicit on older systems, but check which OpenSSH version your distribution ships before spending time on it.

To do so, edit the file /etc/ssh/sshd_config. We will do this a lot throughout this article. Whenever you need to edit this file, this is the command to use:

  sudo gedit /etc/ssh/sshd_config


Add the line:

  Protocol 2


And save the file. We will then restart the SSH daemon process. Again, we will do this a lot throughout this article. This is the command to use each time:

  sudo systemctl restart sshd 


Let's check that our new setting is in effect. We hop over to another machine and try to SSH into our test machine, using the -1 (protocol 1) option to force the ssh command to use protocol version 1. Note that OpenSSH clients from version 7.6 onward have no protocol 1 support at all, so a current client refuses the -1 option itself rather than being turned away by the server.

  ssh -1 dave@howtogeek.local 


Well, our connection request is rejected. Let's make sure we can still connect with protocol 2. We use the -2 (protocol 2) option to prove the point.

  ssh -2 dave@howtogeek.local 


The fact that the SSH server is asking for our password is a positive indication that the connection has been made and that we are interacting with the server. Because modern SSH clients default to protocol 2, we do not actually need to specify protocol 2 as long as our client is up to date.

  ssh dave@howtogeek.local 


And our connection is accepted. So only the weaker, less secure protocol 1 connections are rejected.

Avoid Port 22

Port 22 is the default port for SSH connections. Using a different port adds a little security through obscurity to your system. Security through obscurity is never considered a real security measure, and I have railed against it in other articles. In fact, some of the smarter attack bots probe every open port and work out which service is behind it, rather than relying on a simple lookup of well-known port numbers and assuming they carry the usual services. But using a non-standard port does reduce the noise and junk traffic hitting port 22. Two practical notes: your firewall must allow the new port (and on SELinux systems such as Fedora the port must be labeled for sshd before the daemon can bind it), and every client will need to specify the port, so keep an existing session open while you make the change.

To configure a non-standard port, edit your SSH configuration file:

  sudo gedit /etc/ssh/sshd_config

Remove the hash # from the beginning of the "Port" line and replace "22" with the port number you have chosen. Save the configuration file and restart the SSH daemon:

  sudo systemctl restart sshd 

Let's see what effect this has had. Over on our second computer, we use the ssh command to connect to our server. The ssh command defaults to port 22:

  ssh dave@howtogeek.local 


Our connection is rejected. Let's try again, specifying port 479 with the -p (port) option:

  ssh -p 479 dave@howtogeek.local 

Our connection is accepted.

Filter connections with TCP Wrappers

TCP Wrappers is an easy-to-understand access control list. It allows you to exclude or allow connections based on properties of the connection request, such as the IP address or host name. TCP Wrappers should be used with, not instead of, a properly configured firewall. In our particular scenario, we can tighten things up considerably by using TCP Wrappers.

TCP Wrappers was already installed on the Ubuntu 18.04 LTS machine used to research this article. It had to be installed on Manjaro 18.10 and Fedora 30.

Installing the package is not enough on its own. sshd only consults hosts.allow and hosts.deny if it was built with libwrap support; upstream OpenSSH removed that support in version 6.7 (2014), and whether a distribution's sshd package still carries it is a packaging decision. Verify it before relying on these files. Where it is absent, sshd's own AllowUsers and DenyUsers keywords (which accept user@host patterns and CIDR ranges) and Match Address blocks express the same restriction inside sshd_config itself.

To install it on Fedora, use this command:

  sudo yum install tcp_wrappers 

To install it on Manjaro, use this command:

  sudo pacman -Syu tcp-wrappers 


There are two files involved. One holds the allow list and the other holds the deny list. Edit the deny list with:

  sudo gedit /etc/hosts.deny

This opens the gedit editor with the deny file loaded.


You must add the line:

  ALL: ALL 

And save the file. This blocks all access that is not explicitly allowed. We must now approve the connections we want to accept. To do so, edit the allow file:

  sudo gedit /etc/hosts.allow

This opens the gedit editor with the allow file loaded.


We add a line containing the SSH daemon name, sshd, and the IP address of the computer we will allow to connect:

  sshd: 192.168.4.23

Save the file, and let's see whether the restrictions and permissions are in effect.

First, we try to connect from a computer that is not in the hosts.allow file:


The connection is refused. Now we try to connect from the machine at IP address 192.168.4.23:

Our connection is accepted.

Our example here is a bit brutal: only a single computer can connect. TCP Wrappers is quite versatile and more flexible than this. It supports host names, wildcards and subnet masks to accept connections from ranges of IP addresses. You are encouraged to check out the hosts_access(5) man page.
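Because the allow-then-deny order is the part people get wrong, here is a small POSIX shell simulator of the hosts_access(5) decision, written for this edit rather than taken from the original article or from TCP Wrappers itself. It handles the patterns used here (ALL, a single address or host name, a trailing-dot network prefix such as 192.168.4., a leading-dot domain suffix) and not the EXCEPT, netmask or IPv6 forms. It also includes the check for whether an sshd binary is linked against libwrap at all, since without that the two files are never read; the /usr/sbin/sshd path in the usage note is an assumption.

```shell
#!/bin/sh
# Added example (not from the original article): simulate the hosts_access(5)
# decision for a (daemon, client) pair, and check whether a given sshd binary
# is linked against libwrap at all. Supported patterns: ALL, an exact address
# or host name, a trailing-dot network prefix ("192.168.4.") and a leading-dot
# domain suffix (".example.com"). EXCEPT, netmask and IPv6 forms are not
# implemented; see hosts_access(5) for those.

# pattern_matches PATTERN VALUE: 0 if VALUE matches one hosts_access pattern
pattern_matches() {
    case "$1" in
        ALL) return 0 ;;
        *.)  case "$2" in "$1"*) return 0 ;; esac ;;   # network prefix
        .*)  case "$2" in *"$1") return 0 ;; esac ;;   # domain suffix
        *)   [ "$1" = "$2" ] && return 0 ;;            # exact match
    esac
    return 1
}

# list_matches LIST VALUE: 0 if VALUE matches any comma/space-separated pattern
list_matches() {
    for pat in $(printf '%s' "$1" | tr ',' ' '); do
        pattern_matches "$pat" "$2" && return 0
    done
    return 1
}

# file_matches FILE DAEMON CLIENT: 0 if some "daemon_list : client_list" rule
# in FILE matches. Comments and blank lines are skipped; a missing file has
# no rules. Rules are consulted in order and the first match decides.
file_matches() {
    [ -r "$1" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}
        [ -n "$(printf '%s' "$line" | tr -d ' \t')" ] || continue
        daemons=$(printf '%s' "$line" | cut -d: -f1)
        clients=$(printf '%s' "$line" | cut -d: -f2)
        if list_matches "$daemons" "$2" && list_matches "$clients" "$3"; then
            return 0
        fi
    done < "$1"
    return 1
}

# hosts_access DAEMON CLIENT ALLOW_FILE DENY_FILE: print "allow" or "deny".
# Order matters: hosts.allow is consulted first, then hosts.deny, and a pair
# that matches neither file is ALLOWED. That is why hosts.deny needs "ALL: ALL".
hosts_access() {
    if   file_matches "$3" "$1" "$2"; then echo allow
    elif file_matches "$4" "$1" "$2"; then echo deny
    else echo allow
    fi
}

# sshd_uses_libwrap PATH: 0 if the binary links libwrap, 1 if not, 2 if it
# cannot be inspected. Without libwrap, sshd never reads hosts.allow/deny.
sshd_uses_libwrap() {
    command -v ldd >/dev/null 2>&1 || return 2
    [ -r "$1" ] || return 2
    ldd "$1" 2>/dev/null | grep -q libwrap
}
```

Run `sshd_uses_libwrap /usr/sbin/sshd` (or whatever path your distribution uses) before trusting the files; if it returns 1, move the restriction into sshd_config instead. Feeding the simulator the two files from this section shows that 192.168.4.23 gets "allow", any other address gets "deny", and that leaving hosts.deny empty turns the result for every address back into "allow".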

Reject connection requests without a password

Although it is bad practice, a Linux system administrator can create a user account without a password. That means remote access requests for that account have no password to check against. Such connections would be accepted but not authenticated.

OpenSSH's compiled-in default already refuses such logins (PermitEmptyPasswords no), but it is worth setting explicitly so that a distribution default or a later edit cannot quietly change it, and so that every connection is authenticated.

We need to edit the SSH configuration file:

  sudo gedit /etc/ssh/sshd_config


Scroll through the file until you see the line that reads "#PermitEmptyPasswords no". Remove the hash # from the beginning of the line and save the file. Restart the SSH daemon:

  sudo systemctl restart sshd 

Use SSH keys instead of passwords

SSH keys provide a secure way to log in to an SSH server. Passwords can be guessed, cracked or brute-forced. SSH keys are not open to those attacks, although the private key file itself must be protected: keep it only on your own machine and give it a passphrase, so that a stolen file is not immediately usable.

When you generate SSH keys, you create a pair of keys. One is the public key and the other the private key. The public key is installed on the servers you want to connect to. The private key, as the name implies, is kept secure on your own computer.

SSH keys let you make password-less connections that are, counter-intuitively, more secure than connections that use password authentication.

When you make a connection request, your client tells the server which public key it wants to use. If that key is listed in the account's authorized_keys file, the client signs a message with your private key and sends the signature to the server. The message includes the unique session identifier of the current connection.

The server verifies the signature with its copy of your public key. Only the holder of the private key could have produced that signature, and because it covers the session identifier it cannot be replayed on another connection, so the connection is confirmed as coming from you.

Here, a connection to the server 192.168.4.11 is created by a user with SSH keys. Note that they are not prompted for a password.

  ssh dave@192.168.4.11 

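Generating a key pair and installing the public key on the server is usually done with ssh-keygen and ssh-copy-id. The shell functions below, added for this edit and not part of the original article, do the installation step by hand so that the details that usually go wrong are visible: the .ssh directory and authorized_keys file get the modes that sshd's StrictModes check requires, the same key is never added twice, and an optional from= restriction ties the key to the client's address, which complements the TCP Wrappers rule above. The key type, file names and the 192.168.4.23 address are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): generate an SSH key pair and
# install a public key into an account's authorized_keys by hand, with the
# permissions sshd's StrictModes check requires and an optional source
# restriction. File names and addresses are illustrative assumptions.

# make_key PATH COMMENT: create an ed25519 key pair at PATH (PATH.pub is the
# public key). The passphrase prompt protects the private key if it is stolen;
# -a 100 makes the passphrase slower to brute-force.
make_key() {
    ssh-keygen -t ed25519 -a 100 -C "$2" -f "$1"
}

# key_material LINE: the "type base64" part of an authorized_keys or .pub line,
# ignoring any leading option list and trailing comment; used to spot duplicates.
key_material() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^(ssh-|ecdsa-|sk-)/) { print $i, $(i + 1); exit }
    }'
}

# install_pubkey HOME_DIR PUBKEY_LINE [FROM]
# Append PUBKEY_LINE to HOME_DIR/.ssh/authorized_keys unless the same key is
# already present. If FROM is given (an address, CIDR range or pattern list),
# the key is restricted with from="FROM" and X11 forwarding is refused for it.
# Returns 0 if the key was added, 1 if it was already there, 2 on bad input.
install_pubkey() {
    home=$1; pub=$2; from=${3:-}
    dir="$home/.ssh"; auth="$dir/authorized_keys"
    mkdir -p "$dir"
    chmod 700 "$dir"          # sshd ignores keys under group/world-writable dirs
    touch "$auth"
    chmod 600 "$auth"
    want=$(key_material "$pub")
    [ -n "$want" ] || { echo "install_pubkey: not a public key line" >&2; return 2; }
    while IFS= read -r line || [ -n "$line" ]; do
        [ "$(key_material "$line")" = "$want" ] && return 1
    done < "$auth"
    if [ -n "$from" ]; then
        printf 'from="%s",no-X11-forwarding %s\n' "$from" "$pub" >> "$auth"
    else
        printf '%s\n' "$pub" >> "$auth"
    fi
    return 0
}

# count_keys HOME_DIR: number of key lines currently installed for the account
count_keys() {
    n=0
    [ -f "$1/.ssh/authorized_keys" ] || { echo 0; return 0; }
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$(key_material "$line")" ] && n=$((n + 1))
    done < "$1/.ssh/authorized_keys"
    echo "$n"
}
```

On the server, `install_pubkey /home/dave "$(cat id_ed25519.pub)" 192.168.4.23` installs the key for dave and limits it to the trusted workstation; running it a second time is a no-op, which makes it safe to include in provisioning scripts. Verify from the client with the key before disabling passwords in the next section.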

Disable Password Authentication Completely

Of course, the logical extension of using SSH keys is that if all remote users are forced to adopt them, you can turn off password authentication completely. Before you do, make sure your own key works and keep an existing session open while you test, so a mistake does not lock you out. Note also that PasswordAuthentication governs only the "password" method; on most Linux builds sshd also offers keyboard-interactive authentication through PAM, which can prompt for the very same password, so set ChallengeResponseAuthentication (renamed KbdInteractiveAuthentication from OpenSSH 8.7) to no as well.

We need to edit the SSH configuration file:

  sudo gedit /etc/ssh/sshd_config


Scroll through the file until you see the line beginning "#PasswordAuthentication yes". Remove the hash # from the beginning of the line, change "yes" to "no", and save the file. Restart the SSH daemon:

  sudo systemctl restart sshd 

Disable X11 Forwarding

X11 forwarding allows remote users to run graphical applications from your server over an SSH session. In the hands of a threat actor or a malicious user, a graphical interface can make their malicious activities easier.

A standard mantra in cybersecurity is that if you do not have a good reason to leave something on, turn it off. We do this by editing the SSH configuration file:

  sudo gedit /etc/ssh/sshd_config

Scroll through the file until you see the line beginning "#X11Forwarding". Remove the hash # from the beginning of the line, make sure the value reads "no" (some distributions ship this line uncommented with "yes"), and save the file. Restart the SSH daemon:

  sudo systemctl restart sshd

Set an Idle Timeout Value

If there is an established SSH connection to your computer and there has been no activity on it for a period of time, it can pose a security risk. There is a chance the user has left their desk and is busy elsewhere. Anyone passing their desk can sit down and start using their computer and, via SSH, your computer.

It is much safer to set a time limit so that a session is dropped after a period of inactivity. One caveat on what sshd's setting actually does: after ClientAliveInterval seconds with no data received, sshd sends a keepalive probe to the client, and it drops the connection only when the client fails to answer ClientAliveCountMax probes in a row (three by default). A live but idle client answers those probes automatically, so this setting reaps dead or unresponsive connections rather than a user who has simply walked away; for that, also set an idle logout in the login shell (the TMOUT variable in bash). Once again, we edit the SSH configuration file:

  sudo gedit /etc/ssh/sshd_config

Scroll through the file until you see the line beginning "#ClientAliveInterval 0". Remove the hash # from the beginning of the line and change the 0 to the value you want. We have used 300 seconds, which is five minutes. Save the file and restart the SSH daemon:

  sudo systemctl restart sshd 

Set a Limit for Password Attempts

Setting a limit on the number of authentication attempts per connection can help deter password guessing and brute-force attacks. After the specified number of failed attempts, the user is disconnected from the SSH server. The compiled-in default is six attempts; lowering it is quick. Bear in mind that the limit applies per connection, so a bot simply reconnects and tries again: this slows an attack rather than stopping it, and key-only authentication is what actually defeats password guessing.

Once again we need to edit the SSH configuration file:

  sudo gedit /etc/ssh/sshd_config


Scroll through the file until you see the line beginning "#MaxAuthTries 6". Remove the hash # from the beginning of the line and change the number to the value you want. We have used 3 here. Save the file when you have made your changes and restart the SSH daemon:

  sudo systemctl restart sshd

We can test this by trying to connect and deliberately entering an incorrect password.


Note that the MaxAuthTries number appears to be one more than the number of attempts the user was allowed. After two bad attempts, our test user was disconnected. This was with MaxAuthTries set to three. The most likely explanation is that every authentication method the client tries counts towards the limit, including a public key it offered and had rejected before falling back to the password prompt.

Disabling Root Logins

It is bad practice to log in as root on your Linux computer. You should log in as a normal user and use sudo to perform actions that require root privileges. Even more so, you should not allow root to log in to your SSH server. Only ordinary users should be allowed to connect; if they need to perform an administrative task, they should use sudo as well. If you are forced to allow root to log in, you can at least force it to use SSH keys.

For the last time, we need to edit your SSH configuration file:

  sudo gedit /etc/ssh/sshd_config


Scroll through the file until you see the line that starts "#PermitRootLogin prohibit-password". Remove the hash # from the beginning of the line.

  • If you want to prevent root from logging in at all, replace "prohibit-password" with "no".
  • If you want to allow root to log in but force it to use SSH keys, leave "prohibit-password" in place (this is also the compiled-in default while the line is commented out).

Save your changes and restart SSH daemon:

   sudo systemctl restart sshd  
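Having made all of these edits, what a practitioner wants next is a check that the file says what they think it says, because sshd silently ignores commented lines and later duplicates of a keyword. The script below is an added example written for this edit, not part of the original article: it reads values from a copy of sshd_config the way sshd resolves them (first uncommented occurrence wins, keywords are case-insensitive, Match blocks are conditional) and reports every setting that differs from the recommendations above. The file path is an argument, so it can be run against a staged copy before restarting. The compiled-in defaults it assumes are those of current OpenSSH; sudo sshd -T stays the authoritative view of the live daemon's effective configuration, and sudo sshd -t validates the syntax before a restart.

```shell
#!/bin/sh
# Added example (not from the original article): audit a copy of sshd_config
# for the settings recommended in this article. "sudo sshd -T" remains the
# authoritative view of the running daemon (it also resolves Include and
# Match); "sudo sshd -t" checks syntax before a restart.

# sshd_effective KEY FILE
# Print KEY's value as sshd resolves it from FILE: keywords are case-
# insensitive, commented lines are ignored and the FIRST uncommented
# occurrence wins (later duplicates are silently ignored). Parsing stops at
# the first Match block, whose settings are conditional. Include directives
# (OpenSSH 8.2+) are not followed.
sshd_effective() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/        { next }     # comment: shows a default, not a setting
        NF == 0                 { next }     # blank line
        tolower($1) == "match"  { exit }     # conditional section: stop
        tolower($1) == key      { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$2"
}

# val KEY DEFAULT: lower-cased effective value of KEY in $AUDIT_FILE, or
# DEFAULT (the compiled-in OpenSSH default) when the file does not set it.
val() {
    v=$(sshd_effective "$1" "$AUDIT_FILE")
    if [ -n "$v" ]; then printf '%s' "$v" | tr 'A-Z' 'a-z'; else printf '%s' "$2"; fi
}

# finding MESSAGE: report one deviation and count it
finding() { printf 'FINDING: %s\n' "$1"; AUDIT_FINDINGS=$((AUDIT_FINDINGS + 1)); }

# sshd_audit FILE: print one FINDING line per setting that is not as this
# article recommends; return the number of findings (0 means the file passes).
sshd_audit() {
    AUDIT_FILE=$1; AUDIT_FINDINGS=0
    [ "$(val Port 22)" != "22" ] \
        || finding "Port is 22; a non-standard port cuts scanner noise"
    [ "$(val PermitEmptyPasswords no)" = "no" ] \
        || finding "PermitEmptyPasswords is not 'no'"
    [ "$(val PasswordAuthentication yes)" = "no" ] \
        || finding "PasswordAuthentication is not 'no' (keys only)"
    # PAM keyboard-interactive can still prompt for a password; the keyword
    # was ChallengeResponseAuthentication before OpenSSH 8.7, so check both.
    kbd=$(val KbdInteractiveAuthentication "")
    [ -n "$kbd" ] || kbd=$(val ChallengeResponseAuthentication yes)
    [ "$kbd" = "no" ] \
        || finding "KbdInteractiveAuthentication/ChallengeResponseAuthentication is not 'no'"
    [ "$(val X11Forwarding no)" = "no" ] \
        || finding "X11Forwarding is not 'no'"
    [ "$(val ClientAliveInterval 0)" -gt 0 ] 2>/dev/null \
        || finding "ClientAliveInterval is 0; dead connections are never reaped"
    [ "$(val MaxAuthTries 6)" -le 3 ] 2>/dev/null \
        || finding "MaxAuthTries is above 3"
    case "$(val PermitRootLogin prohibit-password)" in
        no|prohibit-password) ;;
        *) finding "PermitRootLogin lets root log in with a password" ;;
    esac
    return $AUDIT_FINDINGS
}
```

Run `sshd_audit /etc/ssh/sshd_config` after editing; an untouched stock file produces five findings (port, the two password methods, the idle timeout and MaxAuthTries), and a file edited as this article describes produces none. The first-match rule is worth remembering when a setting refuses to take effect: a second "PermitRootLogin yes" further down the file loses to the first line, and a value placed after a Match line applies only to that block.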

The Ultimate Step

Of course, if you do not need SSH running on your computer at all, make sure it is stopped and disabled:

  sudo systemctl stop sshd

  sudo systemctl disable sshd 

If you do not open the window, no one can climb in.



