Wednesday, July 27, 2011

SSH security and configuration

With some of the code examples illustrated previously, many good systems administrators are nervous about the security implications of how SSH is used. Although much has been said and written about the various approaches to SSH security and remote host security in general, here is a list of processes and configurations that you can use to tighten and enhance SSH security for remote host access:
  • Restrict the root account to console access only:
# vi /etc/ssh/sshd_config
PermitRootLogin no

  • Create private/public key pairs with a strong passphrase protecting the private key (never generate a passphrase-less key pair, which would allow password-less, key-only logins):
(Use a larger key size, in bits, for more security)
ssh-keygen -t rsa -b 4096

  • Configure TCP wrappers to allow only selective remote hosts and deny undesirable hosts:
# vi /etc/hosts.deny
ALL: 192.168.200.09                # IP Address of badguy

  • On workstations or laptops, disable the SSH server by turning off the SSH service, and then removing the ssh server package:
# chkconfig sshd off
# yum erase openssh-server

  • Restrict SSH access by controlling user access:
# vi /etc/ssh/sshd_config
AllowUsers fsmythe bnice swilson
DenyUsers jhacker joebadguy jripper

  • Only use SSH Protocol 2:
# vi /etc/ssh/sshd_config
Protocol 2

  • Don't allow idle sessions; configure the idle logout timeout interval:
# vi /etc/ssh/sshd_config
ClientAliveInterval 600            # (Set to 600 seconds = 10 minutes)
ClientAliveCountMax 0

  • Disable host-based authentication:
# vi /etc/ssh/sshd_config
HostbasedAuthentication no

  • Disable users' .rhosts files:
# vi /etc/ssh/sshd_config
IgnoreRhosts yes

  • Configure firewalls to accept SSH connections only from known network segments:
Update /etc/sysconfig/iptables (Redhat specific file) to accept connections only
from 192.168.100.0/24 and 209.64.100.5/27:

-A RH-FW-1-INPUT -s 192.168.100.0/24 -m state --state NEW -p tcp --dport 22 -j ACCEPT
-A RH-FW-1-INPUT -s 209.64.100.5/27 -m state --state NEW -p tcp --dport 22 -j ACCEPT

  • Restrict the available interfaces that SSH will listen on and bind to:
# vi /etc/ssh/sshd_config
ListenAddress 192.168.100.17
ListenAddress 209.64.100.15

  • Set user policy to enforce strong passwords to protect against brute force, social engineering attempts, and dictionary attacks:
# < /dev/urandom tr -dc A-Za-z0-9_ | head -c8
oP0FNAUt[

  • Confine SFTP users to their own home directories by using Chroot SSHD:
# vi /etc/ssh/sshd_config
ChrootDirectory /data01/home/%u
X11Forwarding no
AllowTcpForwarding no

  • Disable empty passwords:
# vi /etc/ssh/sshd_config
PermitEmptyPasswords no

  • Rate-limit the number of incoming port 2022 connections within a specified time:
Redhat iptables example (Update /etc/sysconfig/iptables):

-A INPUT  -i eth0 -p tcp --dport 2022 -m state --state NEW -m limit --limit 3/min --limit-burst 3 -j ACCEPT

-A INPUT  -i eth0 -p tcp --dport 2022 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp --sport 2022 -m state --state ESTABLISHED -j ACCEPT

  • Configure iptables to allow only three connection attempts on port 2022 within 30 seconds:
Redhat iptables example (Update /etc/sysconfig/iptables):
-I INPUT -p tcp --dport 2022 -i eth0 -m state --state NEW -m recent --set

-I INPUT -p tcp --dport 2022 -i eth0 -m state --state NEW -m recent --update --seconds 30 --hitcount 3 -j DROP

  • Use a log analyzer such as logcheck, loggrep, splunk, or logwatch to better understand the logs and create logging reports. Also, increase logging verbosity within the SSH application itself:
Installation of the logwatch package on Redhat Linux
# yum install logwatch

  • Configure an increase in SSH logging verbosity:
# vi /etc/ssh/sshd_config
LogLevel DEBUG
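To show what a log analyzer does with the sshd messages the two items above ask you to collect, here is an added example (not code from the original post) that summarizes failed and accepted logins over a handful of constructed sshd log lines. The host name, PIDs, user names and addresses in the sample are made up for the example; only the message format follows OpenSSH's "Failed password for" / "Accepted" lines.

```shell
# Added example (not from the original post): a small report over sshd log
# lines, the kind of summary a log analyzer such as logwatch produces.
# The log lines below are constructed for this example.

# write_sample_authlog -> writes constructed sshd log lines to a temp file and
# prints its path. 192.168.200.9 is the same "badguy" address used in hosts.deny
# above; every other value is invented.
write_sample_authlog() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Jul 27 10:01:02 host1 sshd[2231]: Failed password for invalid user admin from 192.168.200.9 port 51022 ssh2
Jul 27 10:01:05 host1 sshd[2231]: Failed password for invalid user oracle from 192.168.200.9 port 51023 ssh2
Jul 27 10:01:09 host1 sshd[2233]: Failed password for root from 192.168.200.9 port 51024 ssh2
Jul 27 10:02:11 host1 sshd[2240]: Accepted publickey for fsmythe from 192.168.100.17 port 40012 ssh2
Jul 27 10:03:14 host1 sshd[2251]: Failed password for bnice from 192.168.100.23 port 40100 ssh2
Jul 27 10:03:20 host1 sshd[2251]: Accepted password for bnice from 192.168.100.23 port 40100 ssh2
Jul 27 10:03:25 host1 sshd[2251]: pam_unix(sshd:session): session opened for user bnice by (uid=0)
EOF
    printf '%s\n' "$f"
}

# ssh_failed_by_source FILE MIN -> "count ip" for sources with >= MIN failures,
# highest count first. Only the exact "Failed password for" message is counted,
# so the extra lines written at LogLevel DEBUG do not inflate the numbers.
ssh_failed_by_source() {
    awk -v min="$2" '
        / sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= min) print fails[ip], ip }
    ' "$1" | sort -rn
}

# ssh_invalid_users FILE -> distinct user names rejected as "invalid user",
# i.e. accounts that do not exist on the host (typical of dictionary attacks).
ssh_invalid_users() {
    awk '
        /Failed password for invalid user / {
            for (i = 1; i <= NF; i++)
                if ($i == "user") { print $(i + 1); break }
        }
    ' "$1" | sort -u
}

# ssh_accepted_logins FILE -> "user method ip" for each successful login,
# useful for checking that the AllowUsers list is what actually logs in.
ssh_accepted_logins() {
    awk '
        / sshd\[[0-9]+\]: Accepted / {
            for (i = 1; i <= NF; i++)
                if ($i == "Accepted") { meth = $(i + 1); usr = $(i + 3) }
                else if ($i == "from") { ip = $(i + 1) }
            print usr, meth, ip
        }
    ' "$1"
}

# Usage against a real host: ssh_failed_by_source /var/log/secure 3
```

Run `ssh_failed_by_source "$(write_sample_authlog)" 3` and the only line reported is `3 192.168.200.9`, the address that also appears in the hosts.deny example; the single failure from 192.168.100.23 followed by a successful login is a typo, not an attack, and falls under the threshold. Matching on the specific message text rather than on every `sshd[` line matters once LogLevel is raised, because sshd then writes many more lines per connection.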

  • Always keep the SSH packages and required libraries up to date on patches:
# yum update openssh-server openssh openssh-clients -y

  • Conceal the OpenSSH version (this requires the SSH source code and a re-compile). Then make the following updates:
# vi /etc/ssh/sshd_config
VerifyReverseMapping yes           # Turn on reverse name checking
UsePrivilegeSeparation yes         # Turn on privilege separation
StrictModes yes                    # Prevent the use of insecure home directory
                                   # and key file permissions
AllowTcpForwarding no              # Turn off, if at all possible
X11Forwarding no                   # Turn off, if at all possible
PasswordAuthentication no          # Specifies whether password authentication is
                                   # allowed. The default is yes. Users must have
                                   # another authentication method available.

  • Delete the rlogin and rsh binaries from the system, and replace them with a symlink to SSH:
# find /usr -name rsh
/usr/bin/rsh
# rm -f /usr/bin/rsh
# ln -s /usr/bin/ssh /usr/bin/rsh

SSH supports numerous, diverse authentication methods and techniques that you can enable or disable. Within the /etc/ssh/sshd_config file, you make these configuration changes by entering the keyword listed for the authentication method followed by yes or no. Here are some of the common configuration changes:
# RSAAuthentication yes           
# PubkeyAuthentication yes                 
# RhostsRSAAuthentication no
# HostbasedAuthentication no
# RhostsRSAAuthentication and HostbasedAuthentication
PasswordAuthentication yes
ChallengeResponseAuthentication no
# KerberosAuthentication no
GSSAPIAuthentication yes
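The hardening list above and the authentication keywords just shown all end up as lines in sshd_config, and the way sshd reads that file has a pitfall worth checking for: for each keyword, the first value encountered wins, so a hardened line appended below an earlier vendor default is silently ignored. The following added example (not code from the original post) is a small POSIX shell audit that reports the effective value of each keyword and flags the ones that differ from the settings recommended above. The sample configuration it writes is constructed for the example; the list of expected values is taken from the items above.

```shell
# Added example (not from the original post): audit an sshd_config file against
# the settings recommended above. sshd(8) keeps the FIRST value it reads for a
# keyword, so a hardening line appended below an earlier default is silently
# ignored; this checker reports that first (effective) value, and only from the
# global section (it stops at the first "Match" block, whose lines are conditional).

# sshd_effective_value FILE KEYWORD -> prints the effective value, or nothing
sshd_effective_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }                              # comment line
        NF == 0    { next }                              # blank line
        tolower($1) == "match" { exit }                  # conditional block: stop
        tolower($1) == tolower(key) { print $2; exit }   # first occurrence wins
    ' "$1"
}

# sshd_audit FILE -> one line per failed check; returns 0 when all checks pass
sshd_audit() {
    rc=0
    while read -r key want; do
        got=$(sshd_effective_value "$1" "$key")
        if [ "$got" != "$want" ]; then
            printf '%s: expected %s, effective value is %s\n' \
                "$key" "$want" "${got:-<unset, compiled-in default applies>}"
            rc=1
        fi
    done <<EOF
PermitRootLogin no
Protocol 2
HostbasedAuthentication no
IgnoreRhosts yes
PermitEmptyPasswords no
PasswordAuthentication no
ClientAliveCountMax 0
StrictModes yes
EOF
    return $rc
}

# write_sample_config -> writes a constructed sshd_config to a temp file and
# prints its path. The hardening block was pasted below the distro defaults,
# so PermitRootLogin and PasswordAuthentication stay at "yes" in practice.
write_sample_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample, not a real host's configuration
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes

# --- hardening block added later ---
PermitRootLogin no
HostbasedAuthentication no
IgnoreRhosts yes
PermitEmptyPasswords no
PasswordAuthentication no
ClientAliveInterval 600
ClientAliveCountMax 0
StrictModes yes

Match User sftponly
    PasswordAuthentication yes
EOF
    printf '%s\n' "$f"
}

# Usage: sshd_audit "$(write_sample_config)"   or   sshd_audit /etc/ssh/sshd_config
```

On the sample file the audit reports two findings, `PermitRootLogin: expected no, effective value is yes` and the same for `PasswordAuthentication`, even though both "no" lines are present in the file. Lines in the sample below `Match User sftponly` are deliberately not consulted, since they apply only to that user. The checker understands the `Keyword value` form used throughout this post; the alternative `Keyword=value` spelling that sshd also accepts is not handled.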

The keywords AllowedAuthentications and RequiredAuthentications within the sshd_config file dictate which authentication methods and configurations are used; they apply to SSH Protocol 2 only. The syntax to allow password and public key authentication is as follows:

# vi /etc/ssh/sshd_config
AllowedAuthentications publickey, password
RequiredAuthentications publickey, password
