OpenSSH server is the standard SSH client and server. OpenSSH is suggested for remote login, transfer file by means of SCP or SFTP, and a much more. SSH is perfect to keep confidentiality and integrity for data exchanged between two systems and networks. OpenSSH encrypts all traffic and password to effectively eliminate with assaults. In other words, we can say that \u201cOpenSSH secure that the connection\u201d.<\/p>\n
OpenSSH Security Files and SSH Port<\/p>\n
\/etc\/ssh\/sshd_config \u2013 OpenSSH server configuration file.
\n\/etc\/ssh\/ssh_config \u2013 OpenSSH client configuration file.
\n~\/.ssh\/ \u2013 Users ssh configuration directory.
\n~\/.ssh\/authorized_keys \u2013 Lists the public keys (RSA or DSA) that can be used to log into the user\u00e2\u20ac\u2122s account
\n\/etc\/nologin \u2013 If this file exists, sshd refuses to let anyone except root log in.
\n\/etc\/hosts.allow and \/etc\/hosts.deny \u2013 Access controls lists that should be enforced by tcp-wrappers are defined here.
\nSSH default port \u2013 TCP 22<\/p>\n
1: Only Use SSH Protocol 2<\/p>\n
SSH has two protocol versions, the old protocol 1 which is insecure and the new protocol 2. SSH version is obsolete and should be avoided at all cost.<\/p>\n
Protocol 2
\n2: Limit Users and Group SSH Access<\/p>\n
You can configure SSH to permit only certain users or group to log in. By default, all users and group can login using their password or public key. In any case, for Secure SSH server, we should say exactly which Users or group can connect SSH Server. I am using this tool provides another layer of security.<\/p>\n
Allow user\u2019s and group\u2019s through SSHD configuration file:<\/p>\n
AllowUsers root dennis
\nAllowGroups sshgroup
\nAlso Deny user\u2019s and group\u2019s through SSHD configuration file:<\/p>\n
class=”pretty”>
\nDenyUsers kapil suresh
\nDenyGroups sshgroup
\n3: Configure Idle Log Out Timeout Interval<\/p>\n
User can login to server via ssh and you can set an idel timeout interval to avoid unattended ssh session. Sets a timeout interval in seconds after which if no data has been received from the client.<\/p>\n
ClientAliveInterval 300
\nClientAliveCountMax 0
\n4: Disable .rhosts Files<\/p>\n
Specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication. Update the SSHD configuration file.<\/p>\n
IgnoreRhosts yes
\n5: Disable Host-Based Authentication<\/p>\n
This option is similar to RhostsRSAAuthentication and applies to protocol version 2 only. The default is \u201cno\u201d.<\/p>\n
HostbasedAuthentication no
\n6: Disable root Login via SSH<\/p>\n
There is no need to allow login directly as root. First normal users access the server and then use su or sudo to access with root. To disable root login update below entry in SSHD configuration file.<\/p>\n
PermitRootLogin no
\n7: Enable a Warning Banner<\/p>\n
The contents of the specified file are sent to the remote user before authentication is allowed. Also its important to set a warning banner.<\/p>\n
Banner \/etc\/techoism.txt
\nSample Content:<\/p>\n
####################################################################################################################
\n# Welcome to Techoism Server #
\n# All connections are monitored and recorded #
\n# Disconnect IMMEDIATELY if you are not an authorized user! #
\n####################################################################################################################
\n8: Limit SSH Access by IP Address via IPtables<\/p>\n
You need to firewall ssh port # 22 by updating IPtables or pf firewall configurations. Usually, OpenSSH server must only accept connections from your LAN or other remote WAN sites only.<\/p>\n
First block all the SSH connection.<\/p>\n
# iptables -I INPUT -p tcp -m tcp –dport 22 -j REJECT
\nNow enable specific SSH connection.<\/p>\n
# iptables -A INPUT 1 -p udp -s 192.168.15.0\/24 –dport 22 -j ACCEPT
\n# iptables -A INPUT 1 -p udp -s 172.16.5.0\/24 –dport 22 -j ACCEPT
\n9: Change SSH Port<\/p>\n
By default SSH listen port 22. We nee to change the SSH port no to secure the connection.<\/p>\n
Port 3527
\n10: Limit IP Binding<\/p>\n
If that port is not indicated, sshd listen on the address. By default, it listens to all the address. We can define multiple addresses also.<\/p>\n
ListenAddress 10.230.5.6
\nListenAddress 10.200.5.6
\n11: Use Public Key Based Authentication<\/p>\n
Rather than using a normal password-based login, a better way is using public key authentication. Keys are viewed as substantially more secure Disable PasswordAuthentication to force users to use the key.<\/p>\n
PubkeyAuthentication yes
\nPasswordAuthentication no
\n12: Use Keychain Based Authentication<\/p>\n
OpenSSH offers RSA and DSA verification to remote systems without providing a password. keychain is a unique bash script designed to make key-based authentication. It offers different security benefits over passphrase keys.<\/p>\n
See how to setup and use keychain software.<\/p>\n
13: SSHD Chroot Jail<\/p>\n
By default, users can access all the server directories like \/etc, \/bin, \/sbin and so on. Now you can protect you ssh using chroot jail. This service is released in the latest version of OpenSSH, so no need to use any third party to block the user\u2019s access.<\/p>\n
Click here to configure the Chroot Jail for you user.<\/p>\n
14: Disable Empty Passwords<\/p>\n
When you want to secure the connection with password authentication, then you need to update the SSHD configuration file to specifies whether the server allows login to accounts with empty password strings. The default is \u201cno\u201d.<\/p>\n
PermitEmptyPasswords no
\n15: Use Log Analyzer<\/p>\n
Gives the verbosity level that is used when logging messages from SSHD. The possible values are: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. The default is INFO.<\/p>\n
LogLevel INFO
\nI hope this article will help you to secure your server.<\/p>\n
Enjoy it!<\/p>\n","protected":false},"excerpt":{"rendered":"
OpenSSH server is the standard SSH client and server. OpenSSH is suggested for remote login, transfer file by means of SCP or SFTP, and a much more. SSH is perfect to keep confidentiality and integrity for data exchanged between two systems and networks. OpenSSH encrypts all traffic and password to effectively eliminate with assaults. In […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5,73],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/6980"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=6980"}],"version-history":[{"count":1,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/6980\/revisions"}],"predecessor-version":[{"id":6981,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/6980\/revisions\/6981"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=6980"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=6980"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=6980"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}