Securing Your Secure Shell (SSH) Service

Using a higher SSH listening port number:

Hackers generally use port scanner software to see whether hosts are running an SSH service. SSH listens for connections on port 22 by default, so it is wise to change the SSH port to a number higher than 1024, because most port scanners don't scan high ports.

You can implement this by editing the sshd_config file as follows:

Open the /etc/ssh/sshd_config file and look for the line that says:

Port 22

Change the port number to one higher than 1024 and restart the SSH service: /etc/init.d/ssh restart

Using SSH protocol 2

SSH can use two protocols, SSH1 and SSH2. SSH protocol 2 is much more secure than protocol 1, so you should make the following change in your sshd_config.

Edit /etc/ssh/sshd_config and look for the line that says:

Protocol 2,1

Change the line so it says only protocol 2.

Allowing only specific users to log in via SSH

Securing root access is the most important step for your server's security. You should not permit root logins via SSH: if anyone gains a root login on your system, they can do more damage than with a normal user login, so it is better to configure the SSH server so that the root user is not allowed to log in. To do this, edit the sshd_config file as follows:

Find the line that says:

PermitRootLogin yes

Change option yes to no and restart the service.

You can then log in with any other defined user and switch to user root if you want to become a superuser.

It is wise to create a dummy local user with absolutely no rights on the system and use that user to log in to SSH. That way no harm can be done if the user account is compromised.

If you want only certain users to be able to log in via SSH, you can list all of them in your sshd_config file. For example, to allow the users anze, dasa, and kimy to log in via SSH, edit your sshd_config file and add all of the users at the end of the file:

AllowUsers anze dasa kimy
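
The four sshd_config changes described above (Port, Protocol, PermitRootLogin, AllowUsers) can be checked with a short script. This is an added example, not part of the original article: the function names and the sample input are constructed for illustration, and a missing Protocol line is assumed to mean the installed sshd offers protocol 2 only.

```python
import re

# Constructed sample input (not from a real host): the settings the article
# starts from, before any of its changes are applied.
SAMPLE = """\
# /etc/ssh/sshd_config
Port 22
Protocol 2,1
PermitRootLogin yes
"""

# sshd_config accepts "Keyword value" and "Keyword=value".
_DIRECTIVE = re.compile(r"^(\w+)(?:\s*=\s*|\s+)(.+)$")

def parse_global(text):
    """Map lower-cased keyword -> values in file order, up to the first Match block."""
    cfg = {}
    for raw in text.splitlines():
        m = _DIRECTIVE.match(raw.strip())
        if not m:                       # blank line, comment, or bare keyword
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":              # what follows applies only conditionally
            break
        cfg.setdefault(key, []).append(value)
    return cfg

def audit(text):
    """Return one finding per setting that differs from the article's advice."""
    cfg = parse_global(text)
    findings = []
    for port in cfg.get("port", ["22"]):        # sshd listens on 22 if no Port is set
        if not port.isdigit() or int(port) <= 1024:
            findings.append(f"Port {port}: not above 1024")
    proto = cfg.get("protocol")                 # assumption: absent means 2 only
    if proto and "1" in [v.strip() for v in proto[0].split(",")]:
        findings.append("Protocol: SSH1 is still enabled")
    root = cfg.get("permitrootlogin", ["(unset)"])[0]   # first value wins
    if root != "no":
        findings.append(f"PermitRootLogin {root}: should be no")
    if "allowusers" not in cfg:
        findings.append("AllowUsers: no explicit list of permitted users")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

To check a live server, pass the contents of /etc/ssh/sshd_config to audit() before restarting the service.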

Using TCP wrappers to allow only specific hosts to connect

If you want only specific hosts on a network to be able to connect to your SSH service, and don't want to use or mess up your iptables configuration, you can use TCP wrappers. Here you will make a rule to allow only specific hosts on your local subnet.

By default, TCP wrappers first look in the /etc/hosts.deny file to see which hosts are denied for which service. Next, TCP wrappers look in the /etc/hosts.allow file to see if there are any rules that would allow hosts to connect to a specific service. You have to create a rule like this in /etc/hosts.deny:

sshd: ALL

This means that all hosts are forbidden to access the SSH service. Next, create a rule in /etc/hosts.allow to allow only specific hosts to use the SSH service:

sshd: ip addresses of host

sshd: 192.168.1

Now only hosts from the network and the host can access the SSH service. All other hosts are disconnected before they even get to the login prompt, and receive an error like this:

ssh_exchange_identification: Connection closed by remote host

Time-locking SSH session

You can use different iptables parameters to limit connections to the SSH service for specific time periods. You can use the /second, /minute, /hour, or /day switch.

*) In the first example, if a user enters the wrong password, access to the SSH service is blocked for one minute, and the user gets only one login try per minute from that moment on:

~# iptables -A INPUT -p tcp -m state --syn --state NEW --dport 22 -m limit --limit 1/minute --limit-burst 1 -j ACCEPT

~# iptables -A INPUT -p tcp -m state --syn --state NEW --dport 22 -j DROP

*) In a second example, iptables are set to allow only host to connect to the SSH service. After three failed login tries, iptables allows the host only one login try per minute:

~# iptables -A INPUT -p tcp -s -m state --syn --state NEW --dport 22 -m limit --limit 1/minute --limit-burst 1 -j ACCEPT
~# iptables -A INPUT -p tcp -s -m state --syn --state NEW --dport 22 -j DROP

Note: After changing all the required settings in /etc/ssh/sshd_config, you need to restart your SSH server daemon with /etc/init.d/ssh restart for the changes to take effect.

Visit the WHUK website for more news, knowledge base articles, blog posts and information on our wide range of hosting services.

