How to secure and check SSH configuration in Linux?

SSH is the door to your Linux server or machine. If SSH isn’t secured properly, it can expose the server to attack (which is exactly what every attacker is looking for). I face this kind of problem very often too, and on every machine deployed or assigned to me for hardening, I perform the following steps to secure SSH against attacks.

Now, you might be thinking: is SSH secure?

Yes, SSH itself is pretty secure. All communication over SSH is end-to-end encrypted. There are several options you can modify, as per your requirements, to add an extra layer of security to SSH authentication. How? That’s why you are here, LOL!

First and foremost, log in to your Linux server,

someshz@Someshs-Air ~ % ssh [email protected]

Now, you must know that the SSH server configuration file is located at /etc/ssh/sshd_config. First, let us open it and see what default values we have in the SSH configuration file in Linux,

[root@lab ~]# cat /etc/ssh/sshd_config | more
#	$OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

HostKey /etc/ssh/ssh_host_rsa_key
-------More--------

Wait, wait, it doesn’t look attractive, right? Let’s start with the configuration now,

  • Changing SSH Default Port.
  • Configuring the Idle Timeout.
  • Disable Root Login.
  • Configuring Limited SSH Access.
  • Configuring SSH-Key based Authentication.

Before going further, I strongly recommend you take a backup copy of your SSH configuration file. Not only this time: whenever you edit any configuration file, you should take a backup copy first.

[root@lab ~]# cp /etc/ssh/sshd_config /etc/ssh/sshd_config-backup

Change SSH Default Port

Even the lamest Linux user is aware of the default SSH port, i.e., 22. Let’s first change the default SSH port to something else,

Open /etc/ssh/sshd_config with your favorite text editor,

[root@lab ~]# vi /etc/ssh/sshd_config

Find #Port, uncomment it and enter the desired port (make sure no other service is using it); the firewall rules below use 2200 as the new port.


If you have a firewall active on the server, make sure you allow the new SSH port in it (on a SELinux system, also tell SELinux about the new port with the semanage command shown in the comment of the default config above),

Firewalld

[root@lab ~]# firewall-cmd --permanent --add-port=2200/tcp
[root@lab ~]# firewall-cmd --reload

Iptables

[root@lab ~]# iptables -I INPUT -p tcp --dport 2200 -j ACCEPT

Next, save the file /etc/ssh/sshd_config and restart the sshd daemon,

[root@lab ~]# systemctl restart sshd

Configuring the Idle Timeout

We often forget to disconnect the SSH session after completing a task. In that case, there is a chance your baby boy randomly fires commands in your absence, which may lead to severe consequences,

Open /etc/ssh/sshd_config with your favorite text editor,

[root@lab ~]# vi /etc/ssh/sshd_config

Go to the last line and paste the following,

# Configure the idle timeout: probe the client after 300 seconds without activity
ClientAliveInterval 300
# Note: since OpenSSH 8.2, ClientAliveCountMax 0 disables the disconnect entirely;
# on those releases use 1 or higher
ClientAliveCountMax 0

Save the file and restart the sshd daemon,

[root@lab ~]# systemctl restart sshd

So, here we are setting 300 seconds as the idle timeout period: when there is no activity from the user’s side for 5 minutes (300 seconds), the SSH session will be closed.


Disable Root Login

root is the default administrator user on every Linux system. Finding out a username is every attacker’s first step when targeting a specific server, and then they go for password cracking. Let’s add a user, assign it root privileges, and then simply disable login for the default root user.

Add user somesh and set password,

[root@lab ~]# useradd somesh
[root@lab ~]# passwd somesh
Changing password for user somesh.
New password: 
Retype new password: 
passwd: all authentication tokens updated successfully.

Add user somesh to wheel group,

[root@lab ~]# usermod -aG wheel somesh
[root@lab ~]# id somesh
uid=1000(somesh) gid=1000(somesh) groups=1000(somesh),10(wheel)

Open /etc/ssh/sshd_config with your favorite text editor,

[root@lab ~]# vi /etc/ssh/sshd_config

Change PermitRootLogin yes to PermitRootLogin no.

Save the file and restart the sshd daemon,

[root@lab ~]# systemctl restart sshd

Configuring Limited SSH Access

In a working environment, there are several users who don’t require SSH access. In this case, you can modify such a user and assign the non-interactive shell /sbin/nologin. You know what? You can also allow SSH access only to particular users through the following configuration,

Open /etc/ssh/sshd_config with your favorite text editor,

[root@lab ~]# vi /etc/ssh/sshd_config

Enter AllowUsers followed by the username(s) (make sure the user or users have the required privileges),

AllowUsers somesh samual mercy

Save the file and restart the sshd daemon,

[root@lab ~]# systemctl restart sshd
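To check that the five sshd_config changes above actually took effect, here is an added audit script (my own example, not part of the original article). It reads the configuration text, resolves each keyword the way sshd does (first occurrence wins, comments are skipped, nothing below a Match block counts) and reports PASS/FAIL for the port, idle timeout, root login and AllowUsers settings; the PASS/FAIL format and the sample inputs are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original article): audit an sshd_config, or the
# output of `sshd -T`, for the hardening steps described above.

# sshd_get CONFIG_TEXT KEYWORD: print the value sshd would use for KEYWORD.
# sshd takes the first occurrence of a keyword, ignores comment lines, and
# treats everything below a Match block as conditional, so we stop there.
# (The "Keyword=value" spelling is not handled here.)
sshd_get() {
    printf '%s\n' "$1" | awk -v key="$2" '
        tolower($1) == "match"      { exit }
        /^[ \t]*#/ || NF == 0       { next }
        tolower($1) == tolower(key) { $1 = ""; sub(/^ +/, ""); print; exit }
    '
}

pass() { echo "PASS: $1"; }
fail() { echo "FAIL: $1"; fails=$((fails + 1)); }

# audit_sshd_config CONFIG_TEXT: one PASS/FAIL line per hardening step; the
# return value is the number of failed checks (0 = every step is in place).
audit_sshd_config() {
    cfg=$1; fails=0
    port=$(sshd_get "$cfg" Port)
    interval=$(sshd_get "$cfg" ClientAliveInterval)
    countmax=$(sshd_get "$cfg" ClientAliveCountMax)
    rootlogin=$(sshd_get "$cfg" PermitRootLogin)
    allow=$(sshd_get "$cfg" AllowUsers)

    # A commented-out Port line means sshd falls back to the default, 22.
    if [ -n "$port" ] && [ "$port" != 22 ]; then pass "Port changed to $port"
    else fail "Port is the default 22"; fi
    # ClientAliveInterval 0 (the default) never probes an idle client at all.
    if [ "${interval:-0}" -gt 0 ] 2>/dev/null && [ "$interval" -le 300 ]; then pass "ClientAliveInterval $interval"
    else fail "ClientAliveInterval is '${interval:-unset}' (want 1-300)"; fi
    # Since OpenSSH 8.2, ClientAliveCountMax 0 disables the disconnect entirely.
    if [ "${countmax:-0}" -gt 0 ] 2>/dev/null; then pass "ClientAliveCountMax $countmax"
    else fail "ClientAliveCountMax is '${countmax:-unset}' (0 disables the disconnect on OpenSSH 8.2+)"; fi
    if [ "$rootlogin" = no ]; then pass "PermitRootLogin no"
    else fail "PermitRootLogin is '${rootlogin:-unset}'"; fi
    if [ -n "$allow" ]; then pass "AllowUsers restricts SSH to: $allow"
    else fail "AllowUsers is not set, every account with a shell may log in"; fi
    return "$fails"
}

# Stand-alone use: sh audit.sh /etc/ssh/sshd_config
if [ -n "${1-}" ]; then audit_sshd_config "$(cat "$1")"; fi
```

Because the keyword matching is case-insensitive, you can also feed it the effective configuration of a running server with `audit_sshd_config "$(sshd -T)"`, which fills in the defaults for anything left commented out.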

Configuring SSH-Key based Authentication

Linux has a more secure way to log in than traditional password authentication. You can use SSH key-based authentication to connect securely to your Linux server,

Generate SSH Key

[root@lab ~]# ssh-keygen 
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): yes
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in yes.
Your public key has been saved in yes.pub.
The key fingerprint is:
SHA256:P1CBm/ltKI6QPgGNhrDzY9m9R38ugm+WInhc5o [email protected]
The key's randomart image is:
+---[RSA 3072]----+
|         ..      |
|.       .  .     |
|.o o   . =..     |
|+ + .     + .    |
| + + o. S= =     |
|  = =..o+++ +    |
| . o o+*=ooo     |
|    o oO+..o     |
|     .E.o.o.     |
+----[SHA256]-----+

Copy the SSH Key

You can copy the generated SSH key to your local Linux server,

[root@lab ~]# ssh-copy-id root@yourlocalip 

Using the above command, the public key generated on the Linux server is stored in your local Linux server’s /root/.ssh/authorized_keys. So, the next time you log in, it will not ask you for the password. Make sure you have generated the SSH key for the correct administrator user.

Also, you can use the generated key to log in through any command-line terminal or application.

I hope this article helped you! If you have any queries, feel free to drop me a DM.