
[Howto]: Five Minute Guide to Securing SSH


If you are like most administrators (and you installed SSH with the default settings), you will quickly see a steady stream of script-based attacks hitting port 22 in your firewall, system, or auth logs.  The vast majority of these break-in attempts (through ssh) are carried out by simple brute-force attack scripts.

Fear not, there are some very simple ways to configure your SSH daemon to radically cut your exposure to script kiddie attacks and slow down brute force attacks against your system.

There are three preferred ways to secure the SSH daemon: 1) strengthening the default configuration, 2) using port knocking, and 3) disabling password-based authentication entirely, forcing the use of RSA/DSA keys instead.  This article will discuss making simple changes to the default configuration file (/etc/ssh/sshd_config).

Depending on your distribution, the ssh server config file can reside in different places, so you will need to determine the location for yourself. The default, however, seems to be /etc/ssh/sshd_config.

Here are the basic steps:

  1. Running the SSH daemon on a different port.
  2. Denying root logins over SSH.
  3. Allowing only clients running protocol 2 to connect to the server.
  4. Permitting a limited number of authentication retries.
  5. Allowing only certain specified users to log in.

Change the port.  One of the simplest and most effective ways to cut down on brute force attacks is also the easiest: change the default port.  Change the port and 99% of attacks go away.  In sshd_config there will be a line like "Port 22"; it may be commented out, since port 22 is the default. Uncomment that line if needed and change the port number to something else.

# Port 22
Port 2222

Disable root login.  You should never allow unfettered access to the root account over ssh.  This is done by setting "PermitRootLogin" to "no".

#PermitRootLogin yes
PermitRootLogin no

Disable insecure Protocol 1.  Disable Protocol 1 and only allow Protocol 2.

#Protocol 1,2
Protocol 2

Set MaxStartups.  The MaxStartups parameter limits the number of concurrent unauthenticated connections, so an attacker cannot run more than a certain number of parallel login attempts.

#MaxStartups 10
MaxStartups 3:50:10

The example above tells the ssh server to allow 3 unauthenticated connections at the same time (concurrently) and, once that many are pending, to randomly and increasingly drop further connection attempts until the maximum of 10 is reached.
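What the three numbers in a "start:rate:full" MaxStartups value do in practice, as an added example that is not from the original post: the functions below parse the directive's own syntax and reproduce the drop decision sshd makes for a new connection when a given number of unauthenticated connections is already pending. The integer arithmetic follows my reading of drop_connection() in OpenSSH's sshd.c, which is an assumption about the implementation rather than something the post states; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original post. Models the MaxStartups
# "start:rate:full" drop decision: below START pending unauthenticated
# connections nothing is dropped; at START a new connection is dropped with
# RATE percent probability, rising linearly to 100 percent at FULL. The
# integer arithmetic mirrors my reading of drop_connection() in OpenSSH's
# sshd.c (an assumption about the implementation, not a claim of the post).
set -u

# parse_maxstartups VALUE -> prints "START RATE FULL"
# A bare number such as "10" is the old single-value form: hard limit at 10.
parse_maxstartups() {
    case $1 in
        *:*:*) start=${1%%:*}; rest=${1#*:}; rate=${rest%%:*}; full=${rest#*:} ;;
        *:*)   echo "bad MaxStartups value: $1" >&2; return 1 ;;
        *)     start=$1; rate=100; full=$1 ;;
    esac
    echo "$start $rate $full"
}

# maxstartups_drop_pct START RATE FULL N
# Prints the percent chance that a new connection is dropped while N
# unauthenticated connections are already pending.
maxstartups_drop_pct() {
    s=$1; r=$2; f=$3; k=$4
    if [ "$k" -lt "$s" ]; then echo 0; return 0; fi
    if [ "$k" -ge "$f" ] || [ "$r" -eq 100 ]; then echo 100; return 0; fi
    # same truncating integer arithmetic as the C code: ((100-r)*(k-s))/(f-s)+r
    echo $(( (100 - r) * (k - s) / (f - s) + r ))
}

# maxstartups_table VALUE: one row per pending-connection count, 0..FULL,
# so a value can be judged before it goes into sshd_config.
maxstartups_table() {
    parsed=$(parse_maxstartups "$1") || return 1
    set -- $parsed
    printf '%-8s %s\n' pending 'drop%'
    i=0
    while [ "$i" -le "$3" ]; do
        printf '%-8s %s\n' "$i" "$(maxstartups_drop_pct "$1" "$2" "$3" "$i")"
        i=$((i + 1))
    done
}

# Demo for the post's value: 0-2 pending never drop, 3 pending drop 50%,
# then 57, 64, 71, 78, 85, 92 percent, and 10 pending always drop.
maxstartups_table 3:50:10
```

The middle number is the drop probability at the moment the threshold is first hit, not a count. Because a brute-force script is exactly what fills those unauthenticated slots, an aggressive value also shuts out a legitimate administrator while the attack is running, so pair it with a short LoginGraceTime (which frees slots faster) and keep a console or out-of-band path to the machine.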

Set MaxAuthTries.  If your server becomes the target of a dictionary attack, the attacker will repeatedly try various usernames and passwords.  MaxAuthTries is a parameter which tells the daemon how many bad attempts to allow per connection before disconnecting.

#MaxAuthTries
MaxAuthTries 3

Only Allow Specific Users to Login.  By default, all valid users on the system are allowed to log in.  A more secure policy is to explicitly specify the accounts which are allowed to log in.  You can do this by listing the user accounts after "AllowUsers":

AllowUsers joe john 
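The six changes above, applied and verified as one script. This is an added example and not code from the original post: it operates on a constructed copy that merely resembles a stock sshd_config (the `write_sample_config` helper, the scratch-file handling and the user names joe and john are assumptions), replaces each directive in place so the file ends with exactly one effective line per keyword, and then audits the file the way a cron job or a pre-deploy check would.

```shell
#!/bin/sh
# Added example, not code from the original post. Applies the post's six
# directives to an sshd_config and audits the result. The sample config is
# constructed to resemble a stock file; "joe" and "john" are placeholders.
set -u

# set_directive FILE KEY VALUE
# Replaces the first existing "KEY ..." line (commented out or not) with
# "KEY VALUE", drops later duplicates, and appends the directive when the
# file has none. sshd honours the first occurrence of a keyword, so the file
# should end up with exactly one effective line per keyword.
# Caveat: a line appended after a "Match" block becomes part of that block.
set_directive() {
    file=$1; key=$2; value=$3
    tmp="$file.tmp.$$"
    awk -v key="$key" -v value="$value" '
        BEGIN { done = 0; pat = "^[ \t]*#?[ \t]*" tolower(key) "([ \t]|$)" }
        tolower($0) ~ pat {
            if (!done) { print key " " value; done = 1 }
            next
        }
        { print }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_directive FILE KEY: prints the effective (first uncommented) value
# of KEY, or nothing if the keyword is not set at all.
get_directive() {
    awk -v key="$2" '
        tolower($1) == tolower(key) { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; exit }
    ' "$1"
}

# harden_sshd_config FILE: the post's six settings, in the post's order.
harden_sshd_config() {
    f=$1
    set_directive "$f" Port 2222
    set_directive "$f" PermitRootLogin no
    set_directive "$f" Protocol 2
    set_directive "$f" MaxStartups 3:50:10
    set_directive "$f" MaxAuthTries 3
    set_directive "$f" AllowUsers "joe john"
}

# _check LABEL VALUE TEST-ARGS...: helper for audit_sshd_config
_check() {
    label=$1; value=$2; shift 2
    if test "$@"; then printf 'OK    %s=%s\n' "$label" "$value"
    else printf 'WEAK  %s=%s\n' "$label" "$value"; weak=$((weak + 1)); fi
}

# audit_sshd_config FILE
# Prints one line per check and returns the number of weak settings, so 0
# means every directive from the post is in place. Unset keywords are judged
# at the daemon defaults the post warns about (port 22, root login allowed,
# protocols 2,1, six authentication tries).
audit_sshd_config() {
    f=$1; weak=0
    port=$(get_directive "$f" Port);            [ -n "$port" ]  || port=22
    root=$(get_directive "$f" PermitRootLogin); [ -n "$root" ]  || root=yes
    proto=$(get_directive "$f" Protocol);       [ -n "$proto" ] || proto=2,1
    tries=$(get_directive "$f" MaxAuthTries);   [ -n "$tries" ] || tries=6
    starts=$(get_directive "$f" MaxStartups)
    users=$(get_directive "$f" AllowUsers)
    _check Port            "$port"   "$port"  != 22
    _check PermitRootLogin "$root"   "$root"  = no
    _check Protocol        "$proto"  "$proto" = 2
    _check MaxAuthTries    "$tries"  "$tries" -le 3
    _check MaxStartups     "$starts" -n "$starts"
    _check AllowUsers      "$users"  -n "$users"
    return $weak
}

# write_sample_config FILE: a constructed stand-in for a stock sshd_config.
write_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample, not a real host's configuration
#Port 22
Protocol 2,1
PermitRootLogin yes
#MaxStartups 10
#MaxAuthTries 6
UsePAM yes
Subsystem sftp /usr/lib/openssh/sftp-server
EOF
}

# Demo on a scratch copy. Never point harden_sshd_config at the live
# /etc/ssh/sshd_config without a backup and an "sshd -t" check first.
demo=$(mktemp)
write_sample_config "$demo"
echo "--- before ---"; audit_sshd_config "$demo" || true
harden_sshd_config "$demo"
echo "--- after ---";  audit_sshd_config "$demo"
echo "--- resulting file ---"; cat "$demo"
rm -f "$demo"
```

Before restarting the daemon, run `sshd -t -f /path/to/the/edited/file` so a typo cannot lock you out, and keep the existing session open until a second login on the new port succeeds. Two caveats: OpenSSH 7.6 and later dropped protocol 1 altogether and ignore the Protocol keyword, so that line only matters on older servers; and because AllowUsers silently rejects everyone not listed, add the account you administer from before you add anything else.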
