{"id":559,"date":"2012-07-10T11:02:46","date_gmt":"2012-07-10T03:02:46","guid":{"rendered":"http:\/\/rmohan.com\/?p=559"},"modified":"2012-07-10T11:02:46","modified_gmt":"2012-07-10T03:02:46","slug":"securing-ssh","status":"publish","type":"post","link":"https:\/\/mohan.sg\/?p=559","title":{"rendered":"Securing SSH"},"content":{"rendered":"<h2>Securing SSH<\/h2>\n<p>SSH is how most administrators connect to their servers. It is also one of the most commonly attacked ports on a Linux server. If you followed my previous tutorial about how to install <a href=\"http:\/\/www.syntaxtechnology.com\/?p=240\">fail2ban<\/a>, you\u2019ve probably noticed that you receive many emails about failed attacks. In this tutorial, I\u2019ll show a few more steps that can be taken to lock down the SSH daemon and your server even further.<br \/>\nBefore we begin, I\u2019d like to show you a few stats about your server. The following commands will show you some interesting information about the brute force attacks you\u2019ve been noticing on your server.<\/p>\n<p>First \u2013 Show the 5 most recently attacked user accounts on your system. In this list you may notice user accounts that don\u2019t even exist on your system. That is because someone is trying automated attacks against you:<\/p>\n<div>\n<div id=\"highlighter_339879\">\n<div><\/div>\n<table border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td>\n<div>\n<div><code>lastb | awk '{print $1}' | sort | uniq -c | sort -rn | head -5<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<p>Next \u2013 Show the 5 most attacked accounts. 
Again, user accounts that don\u2019t exist may be in this list.<\/p>\n<div>\n<div id=\"highlighter_202038\">\n<div><\/div>\n<table border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td>\n<div>\n<div><code>awk 'gsub(\".*sshd.*Failed password for (invalid user )?\", \"\") {print $1}' \/var\/log\/secure* | sort | uniq -c | sort -rn | head -5<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<p>Finally \u2013 Show the 5 most frequent attacker IP addresses. These are addresses that attempt to connect to your server.<\/p>\n<div>\n<div id=\"highlighter_157772\">\n<div><\/div>\n<table border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td>\n<div>\n<div><code>awk 'gsub(\".*sshd.*Failed password for (invalid user )?\", \"\") {print $3}' \/var\/log\/secure* | sort | uniq -c | sort -rn | head -5<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<p><strong>Securing SSH<\/strong><\/p>\n<p>Now that you can see what\u2019s coming at your server, what can you do about it? Below are a few steps you can take to secure SSH.<\/p>\n<div>\n<div id=\"highlighter_744834\">\n<div><\/div>\n<table border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td>\n<div>\n<div><code>vi \/etc\/ssh\/sshd_config<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<p>This is the main configuration file for SSH. All of our changes will be in here.<\/p>\n<p>The first setting we are looking for is <strong>Protocol<\/strong>. We want this changed to a <strong>2<\/strong>. Most modern Linux Distributions already have this by default, but some may still allow the first version of the protocol to connect. 
We don\u2019t want this.<\/p>\n<div>\n<div id=\"highlighter_491578\">\n<div><\/div>\n<table border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td>\n<div>\n<div><code>Protocol 2<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<p>Next, we are going to deny <strong>root<\/strong> the ability to log in via SSH. Root doesn\u2019t need direct access, because we have already set up <a href=\"http:\/\/www.syntaxtechnology.com\/?p=31\">sudo<\/a>. Find the <strong>PermitRootLogin<\/strong> setting and change it to <strong>no<\/strong>.<\/p>\n<div>\n<div id=\"highlighter_302385\">\n<div><\/div>\n<table border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td>\n<div>\n<div><code>PermitRootLogin no<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<p>The next step is to limit the amount of time an unauthenticated session can hold open a connection. By default this is two minutes. This is way too long. Find the <strong>LoginGraceTime<\/strong> setting and change it to a more reasonable time. The value listed here is in seconds. The example below allows 30 seconds for a user to enter their password before the connection is closed.<\/p>\n<div>\n<div id=\"highlighter_156889\">\n<div><\/div>\n<table border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td>\n<div>\n<div><code>LoginGraceTime 30<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<p>The next one is to change the SSH port. It should be noted that this step brings no additional security to your system at all. It will, however, reduce the number of random, automated attacks that hit your server. Again, it will NOT bring additional security to your system. Find the <strong>Port<\/strong> setting and change it to another port. 
Common practice is to raise this above 1024, as everything below that is reserved for other programs.<\/p>\n<div>\n<div id=\"highlighter_170300\">\n<div><\/div>\n<table border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td>\n<div>\n<div><code>Port 22222<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<p>Now when you connect to your server, you will need to modify your connection port to use 22222.<\/p>\n<p>Next, we can set up SSH to only allow whitelisted users or groups. The following will only allow users \u2018mary\u2019, \u2018john\u2019 and any user whose name starts with \u2018joe\u2019 to connect. This line gets placed at the end of the file:<\/p>\n<div>\n<div id=\"highlighter_419408\">\n<div><\/div>\n<table border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td>\n<div>\n<div><code>AllowUsers john mary joe*<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<p>This setting, alternatively, will allow all users from the \u2018sshusers\u2019 group to log in.<\/p>\n<div>\n<div id=\"highlighter_470704\">\n<div><\/div>\n<table border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td>\n<div>\n<div><code>AllowGroups sshusers<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<p>Finally, we can allow users to log in only with public\/private key pairs. How to set this up is beyond the scope of this tutorial, so if you don\u2019t know how to do so, do not change this setting:<\/p>\n<div>\n<div id=\"highlighter_205928\">\n<div><\/div>\n<table border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td>\n<div>\n<div><code>PasswordAuthentication no<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<p>Save and exit this file. 
Now we restart <strong>sshd<\/strong> and you are good to go.<\/p>\n<p>Note: Do not log out of your active SSH session after running this command until you have tested that you can connect. If you do and something does not work, you will be locked out of your server.<\/p>\n<div>\n<div id=\"highlighter_404168\">\n<div><\/div>\n<table border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td>\n<div>\n<div><code>service sshd restart<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<p>If you are able to log in using another PuTTY or SSH session, your changes have worked. Remember when you log in, if you changed your Port, you need to specify the new port.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Securing SSH <\/p>\n<p>SSH is how most administrators connect to their servers. It is also one of the most commonly attacked ports on a Linux server. If you followed my previous tutorial about how to install fail2ban, you\u2019ve probably noticed that you receive many emails about failed attacks. 
In this tutorial, I\u2019ll show a few [&#8230;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/559"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=559"}],"version-history":[{"count":1,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/559\/revisions"}],"predecessor-version":[{"id":560,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/559\/revisions\/560"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=559"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=559"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=559"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}