SSH Hardening Tips For Your Organization

What is SSH

Secure Shell is a cryptographic network protocol for operating network services securely over an unsecured network. Typical applications include remote command-line login and remote command execution, but any network service can be secured with SSH. Secure Shell was created to replace insecure terminal emulation or login programs such as Telnet, rlogin (remote login) and rsh (remote shell); SSH provides the same functions (logging in to and running terminal sessions on remote systems). SSH also replaces file transfer programs such as the File Transfer Protocol (FTP) and rcp (remote copy).

Change SSH port

SSH listens on port 22 by default, which is widely known to attackers and to the security tools and port scanners that launch brute-force attacks against it. While this is security by obscurity, changing the port eliminates a lot of the noise that hits port 22.

Edit your SSH main config file.

nano -w /etc/ssh/sshd_config

Then change the port number.

Port 699

Using TCP Wrappers

This host-based ACL protection helps you filter who can access the OpenSSH server. TCP Wrappers works using two files: /etc/hosts.allow and /etc/hosts.deny.

Deny all connections from unknown hosts.

nano -w /etc/hosts.deny

Then add this line.

ALL : ALL

If you want to allow access from your static home IP, for example, add this to the allow file.

nano -w /etc/hosts.allow

Then add this line to the end of the file.

sshd : 121.10.91.90

Replace 121.10.91.90 with your own IP.
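Before relying on these two files, it is worth checking which clients they would actually let through. The shell script below is an added example, not part of the article: a simplified evaluator of the hosts_access(5) rules (allow file first, then deny file, otherwise access is granted) that recognises only ALL, exact IPv4 addresses and dotted prefixes such as 10.0.0. (netmasks, hostnames and EXCEPT are not handled). The rule files it writes are constructed temporary copies that mirror the article's entries, with one extra prefix pattern added to show prefix matching; the daemon name vsftpd is an arbitrary example. One caveat applies on current systems: upstream OpenSSH dropped tcp_wrappers support in 6.7, and distributions that follow it (RHEL 8 and later, for example) ignore hosts.allow and hosts.deny for sshd. Confirm your binary is linked against libwrap (`ldd "$(command -v sshd)" | grep libwrap`); if it is not, a firewall rule or a Match Address block in sshd_config covers the same need.

```shell
#!/bin/sh
# Added example, not part of the article: a simplified evaluator for the
# hosts.allow / hosts.deny rules, so you can check which clients would reach
# sshd before trusting the rules on a live host.
# Evaluation order follows hosts_access(5): a match in hosts.allow grants access,
# otherwise a match in hosts.deny refuses it, otherwise access is granted.
# Only ALL, exact IPv4 addresses and dotted prefixes such as "10.0.0." are
# recognised; netmasks, hostnames and EXCEPT clauses are not.

# wrappers_match <rule-file> <daemon> <client-ip> -> exit 0 if any rule line matches
wrappers_match() {
    awk -v daemon="$2" -v client="$3" '
        # list_matches: does any comma/space separated pattern in list match needle?
        # exact=1 for the daemon list (no prefix matching), 0 for the client list
        function list_matches(list, needle, exact,    n, i, pat) {
            n = split(list, parts, /[ ,]+/)
            for (i = 1; i <= n; i++) {
                pat = parts[i]
                if (pat == "") continue
                if (pat == "ALL" || pat == needle) return 1
                if (!exact && pat ~ /\.$/ && index(needle, pat) == 1) return 1
            }
            return 0
        }
        /^[ \t]*#/ { next }                       # comment line
        NF == 0   { next }                        # blank line
        {
            n = split($0, f, ":")                 # daemon_list : client_list [: command]
            if (n < 2) next
            gsub(/^[ \t]+|[ \t]+$/, "", f[1])
            gsub(/^[ \t]+|[ \t]+$/, "", f[2])
            if (list_matches(f[1], daemon, 1) && list_matches(f[2], client, 0)) { found = 1; exit }
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# wrappers_decision <daemon> <client-ip> <hosts.allow> <hosts.deny> -> prints allow or deny
wrappers_decision() {
    if wrappers_match "$3" "$1" "$2"; then echo allow
    elif wrappers_match "$4" "$1" "$2"; then echo deny
    else echo allow
    fi
}

# Constructed temporary rule files mirroring the article (not the real /etc/hosts.* files);
# the "10.0.0." prefix is an addition to show prefix matching.
ALLOW_FILE=$(mktemp); DENY_FILE=$(mktemp)
printf '# allow list\nsshd : 121.10.91.90, 10.0.0.\n' > "$ALLOW_FILE"
printf 'ALL : ALL\n' > "$DENY_FILE"

wrappers_decision sshd   121.10.91.90 "$ALLOW_FILE" "$DENY_FILE"   # allow (exact address)
wrappers_decision sshd   10.0.0.25    "$ALLOW_FILE" "$DENY_FILE"   # allow (dotted prefix)
wrappers_decision sshd   198.51.100.7 "$ALLOW_FILE" "$DENY_FILE"   # deny  (caught by ALL : ALL)
wrappers_decision vsftpd 121.10.91.90 "$ALLOW_FILE" "$DENY_FILE"   # deny  (allow entry names sshd only)
```

The fourth call shows why the allow entry names the daemon: the deny file's ALL : ALL catches every other wrapped service from the same address, which is exactly the behaviour you want from a default-deny setup.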

SSH Passwordless Login

Password-based logins are fine if you use a strong mix of characters (symbols, uppercase, lowercase and numbers); however, they always carry the risk of being brute-forced sooner or later.

The best option in this case is to replace password-based logins with key-based logins. That increases your security and also gives you an immediate SSH login with no prompt in the middle, unlike when the SSH password is requested.

Create your SSH key using: ssh-keygen

[[email protected] ~]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/amal/.ssh/id_rsa):
Created directory '/home/amal/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/amal/.ssh/id_rsa.
Your public key has been saved in /home/amal/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:u72tY6os9QxWxmBF+Iqpz7Brr9RMqCuT8cjanq4HbAQ [email protected]
The key's randomart image is:
+---[RSA 2048]----+
+o
E +
. . +
. . =
o . .o +S
o+ +o = .
+*o.oo +.
====.. ooo.
*BO=+.o.oo++.
+----[SHA256]-----+
[[email protected] ~]$

As you see, we avoided setting a passphrase, and that is a contradiction, right? A private key that authenticates without any passphrase is not as secure as you might think.

What is the purpose of a passphrase on an SSH key? Simple: it encrypts your private key /home/amal/.ssh/id_rsa. So if an attacker manages to obtain the file, it is useless to them unless they also know the passphrase.

But passphrases on SSH keys are not practical if you need to run automated tasks; that is why most SSH keys have no passphrase set. The workaround is an intermediate solution, such as restricting SSH key logins to a particular IP address. Let's try it.

In order to restrict the user sectrails9 to access the SSH server remotely using SSH keys from a single static IP, you can use the "from" option inside the authorized_keys file on the remote system, as you see below.

nano -w /home/remoteuser/.ssh/authorized_keys

Add this at the beginning of the key's line in the file, before the key itself.

from="102.128.10.11"

Replace 102.128.10.11 with your own IP.

Finally, it looks like this.

from="102.128.10.11" ssh-rsa AAAAB3NzaC1yc2EAAAA...
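Editing authorized_keys by hand is error-prone, and a file with many entries is hard to audit for keys that were never restricted. The script below is an added example, not from the article: restrict_key_line prepends a from="..." option (and, optionally, further options such as no-pty, which go beyond what the article uses) to a public key line, refusing address patterns that contain anything other than digits, dots and the * wildcard, and unrestricted_keys lists every entry in a file whose option field carries no from=. The key material is a constructed placeholder, not a real key, and the user and host names in it are invented.

```shell
#!/bin/sh
# Added example, not from the article: generate a from="..."-restricted
# authorized_keys entry and audit a file for entries that have no such restriction.
# The key material below is a constructed placeholder, not a real public key.

# restrict_key_line <address-pattern> <public-key-line> [extra-options]
# -> prints the public key line with from="..." (plus any extra options) prepended.
#    The options must be on the same line as the key, separated by one space.
restrict_key_line() {
    pattern="$1"; keyline="$2"; extra="$3"
    # accept only digits, dots and the * wildcard so nothing odd lands in the file
    case $pattern in
        ""|*[!0-9.*]*) echo "bad address pattern: $pattern" >&2; return 1 ;;
    esac
    opts="from=\"$pattern\""
    [ -n "$extra" ] && opts="$opts,$extra"
    printf '%s %s\n' "$opts" "$keyline"
}

# unrestricted_keys <authorized_keys-file> -> prints key entries whose first field
# (the option list, when present) contains no from=; option values containing
# spaces are not handled by this simple field split.
unrestricted_keys() {
    awk '/^[ \t]*#/ { next } NF == 0 { next } $1 !~ /(^|,)from="/ { print }' "$1"
}

# Constructed placeholder key and a constructed sample file.
PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER0000000000000000000000000000 amal@laptop'
SAMPLE_KEYS=$(mktemp)
{
    echo '# constructed sample authorized_keys'
    restrict_key_line 102.128.10.11 "$PUBKEY"
    restrict_key_line '10.0.*' "$PUBKEY" 'no-port-forwarding,no-pty'   # extra options beyond the article
    echo 'ssh-rsa AAAAB3NzaC1yc2EAAAAPLACEHOLDER backup@oldhost'        # no restriction at all
} > "$SAMPLE_KEYS"

echo "entries without a from= restriction:"
unrestricted_keys "$SAMPLE_KEYS"
```

Running unrestricted_keys against the real ~/.ssh/authorized_keys of each account is a quick way to find the passphrase-less automation keys that this section is about, so they can be pinned to the host that actually uses them.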

Strong passwords for ssh users and keys

Creating strong passwords for SSH users (and strong passphrases for SSH keys) helps a lot against brute-force attacks. Use:

  • Uppercase & lowercase letters.
  • Symbols.
  • Numbers.
  • At least 8 characters if possible.

Avoid using:

  • Dictionary-based words.
  • Personal birthday and anniversary dates.
  • Family and pet names.

Following these tips will help you set a strong password/passphrase and avoid getting hacked when a brute-force attack is happening.
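As an added check that is not part of the article, the shell function below applies the rules listed above to a candidate password or key passphrase and reports every rule it breaks, including dictionary words embedded inside an otherwise complex string. The three-word list it writes is a constructed stand-in for a real dictionary file; passing the candidate on the command line is fine for a demonstration but exposes it in the process list, so a real deployment would read it from standard input instead.

```shell
#!/bin/sh
# Added example, not from the article: apply the password/passphrase rules to a
# candidate before using it as an SSH login password or key passphrase.
# The word list is a constructed three-word stand-in for a real dictionary file.

# passphrase_check <candidate> <wordlist-file> -> prints each rule the candidate breaks;
# returns 0 only when every rule passes
passphrase_check() {
    pw="$1"; words="$2"; bad=0
    [ "${#pw}" -ge 8 ] || { echo "too short: ${#pw} characters, need at least 8"; bad=1; }
    case $pw in *[[:upper:]]*) ;; *) echo "no uppercase letter"; bad=1 ;; esac
    case $pw in *[[:lower:]]*) ;; *) echo "no lowercase letter"; bad=1 ;; esac
    case $pw in *[[:digit:]]*) ;; *) echo "no number"; bad=1 ;; esac
    case $pw in *[![:alnum:]]*) ;; *) echo "no symbol"; bad=1 ;; esac
    # dictionary words are rejected case-insensitively, even when embedded (Fluffy2020!)
    lower=$(printf '%s' "$pw" | tr 'A-Z' 'a-z')
    while IFS= read -r w; do
        [ -n "$w" ] || continue
        case $lower in *"$w"*) echo "contains dictionary word: $w"; bad=1 ;; esac
    done < "$words"
    return $bad
}

SAMPLE_WORDS=$(mktemp)                       # constructed stand-in for a real word list
printf 'password\nsummer\nfluffy\n' > "$SAMPLE_WORDS"

passphrase_check 'Fluffy2020!' "$SAMPLE_WORDS" || echo "rejected"
passphrase_check 'Tr0ub4dor&3' "$SAMPLE_WORDS" && echo "accepted"
```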

Disable OpenSSH server on the laptops and desktops

Some Linux distros come with OpenSSH Server enabled by default. On dedicated, VPS and cloud servers SSH access is a must in order to work remotely, but on laptops and desktops it usually serves no purpose. Remove the OpenSSH server there to avoid unnecessary attacks.

yum remove openssh-server

Set Idle Timeout Interval

The idle timeout setting terminates SSH sessions that are not actively used. It is configured by altering the ClientAliveInterval value.

nano -w /etc/ssh/sshd_config

Edit this line.

ClientAliveInterval 180

In this case we set 180, which equals 3 minutes; once the timeout has been reached, the SSH session is logged out automatically.

Limit max authentication attempts

Set a low limit on the number of times an attacker can try to log in with a wrong password. The MaxAuthTries variable helps you mitigate this kind of attack.

nano -w /etc/ssh/sshd_config

Search for MaxAuthTries. Set it to 5.

MaxAuthTries  5

Disable X11 forwarding

If you are running a remote server, X11 (graphics server) forwarding makes little sense, as you will always be working in your plain text remote terminal.

To disable X11 forwarding, open the config file.

nano -w /etc/ssh/sshd_config

Look for this variable.

X11Forwarding yes

Change it to the following.

X11Forwarding  no
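The Port, ClientAliveInterval, MaxAuthTries and X11Forwarding changes above all land in the same file, and two things make hand-checking them unreliable: sshd takes the first occurrence of a keyword and ignores later duplicates, and the commented "#Port 22" style lines in the stock file only document defaults. The script below is an added example, not from the article: sshd_effective returns the value sshd would use for a keyword in the global section (it stops at the first Match block, whose settings are conditional), and sshd_audit compares the four keywords against the values recommended above. The sample config it writes is constructed, with one wrong value and one duplicate on purpose. Two caveats a practitioner will want: validate the real file with `sshd -t` before restarting the service, and note that ClientAliveInterval only sends keepalive probes; sshd drops the session after ClientAliveCountMax (default 3) unanswered probes, so a client that still answers them stays connected even when idle.

```shell
#!/bin/sh
# Added example, not from the article: audit an sshd_config for the settings
# recommended on this page. sshd uses the FIRST occurrence of a keyword (later
# duplicates are ignored) and commented lines only document defaults, so the
# audit does the same. Only the "Keyword value" form is parsed, and parsing
# stops at the first Match block because settings there are conditional.

# sshd_effective <config-file> <keyword> -> prints the global value sshd would use,
# or nothing when the keyword is unset (i.e. the built-in default applies)
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }                            # comment or documented default
        tolower($1) == "match" { exit }                # conditional section: stop
        NF >= 2 && tolower($1) == key { print $2; exit }   # first occurrence wins
    ' "$1"
}

# sshd_audit <config-file> -> one OK/FAIL line per recommended keyword; returns 1 on any FAIL
sshd_audit() {
    cfg="$1"; rc=0
    # keyword=expected pairs taken from the article
    for pair in Port=699 ClientAliveInterval=180 MaxAuthTries=5 X11Forwarding=no; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(sshd_effective "$cfg" "$key")
        [ -z "$got" ] && got="(default)"
        if [ "$got" = "$want" ]; then
            echo "OK   $key=$got"
        else
            echo "FAIL $key=$got (want $want)"; rc=1
        fi
    done
    return $rc
}

# Constructed sample config (not from a real host): commented defaults, one wrong
# value and a duplicate MaxAuthTries to show that only the first occurrence counts.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
#Port 22
Port 699
#ClientAliveInterval 0
ClientAliveInterval 190
MaxAuthTries 5
MaxAuthTries 6
X11Forwarding yes
EOF

sshd_audit "$SAMPLE_CFG" || echo "config needs attention; fix it, then validate with: sshd -t"
```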

Enable login notifications over email

Write a quick script to send an alert once someone logs in as root via SSH.

nano -w /root/.bashrc

Add the following lines to the end of the file.

# Runs at the start of every interactive root shell; `who` lists all current logins.
echo "ALERT - Root Shell Access (ServerName) on: $(date) $(who)" | mail -s "Alert: Root Access from $(who | cut -d'(' -f2 | cut -d')' -f1)" you@example.com

Replace you@example.com with your real email address.
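A hook in /root/.bashrc fires for every root shell, including `su -` from a local console, and `who` reports every logged-in user rather than the one who just arrived. The function below is an added example, not the article's script: it builds the alert only when the shell was started by sshd, using the SSH_CONNECTION variable that sshd exports ("client-ip client-port server-ip server-port"), and takes the client address from it. The host name and the SSH_CONNECTION value in the demonstration are constructed (documentation-range addresses), and the mail call is shown only as a comment so the example runs offline.

```shell
#!/bin/sh
# Added example, not the article's one-liner: build the alert text only for shells
# that sshd started. sshd exports SSH_CONNECTION as
# "client-ip client-port server-ip server-port"; a plain .bashrc hook without this
# check also fires for "su -" from a local console.

# ssh_root_alert_message <user> <hostname> -> prints one alert line;
# returns 1 (prints nothing) when the shell was not started over SSH
ssh_root_alert_message() {
    user="$1"; host="$2"
    [ -n "$SSH_CONNECTION" ] || return 1
    client=${SSH_CONNECTION%% *}          # first field: the client address
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    printf 'ALERT - %s shell access on %s from %s at %s\n' "$user" "$host" "$client" "$stamp"
}

# Intended use at the end of /root/.bashrc (kept as a comment so this example runs offline;
# nothing is mailed when the function returns 1):
#   msg=$(ssh_root_alert_message root "$(hostname)") &&
#       printf '%s\n' "$msg" | mail -s "Alert: root SSH login on $(hostname)" you@example.com

# Demonstration with a constructed SSH_CONNECTION value and host name:
( SSH_CONNECTION='203.0.113.5 51234 198.51.100.20 22'; ssh_root_alert_message root webserver01 )
( unset SSH_CONNECTION; ssh_root_alert_message root webserver01 || echo "not an SSH session: no alert" )
```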

Keep SSH updated

The last step is to keep all your services, including OpenSSH, updated.

yum update openssh*

Conclusion

We hope this article helped you learn how to counter SSH-based attacks. SSH is an indispensable piece of the modern world. It enables one system to access another remotely in a secure way, providing authentication, authorization and encryption for communications. Are you looking for cheap web hosting service providers? Then this is your last destination to end your search. We at TheStack provide premium WordPress hosting, hybrid smart server hosting, SEO dedicated server hosting, and managed virtual private servers at the best price. So, what are you waiting for? Get in touch with us to know more.
