Everybody that uses Linux will, one way or another, end up using the command line for administration. Sure, you can use graphical tools for the job, but nothing beats the command line for this, and if you manage a couple of remote machines, the only way to get at them is the command line over SSH. Although this is a well-discussed subject, the other day I went through a few steps on a personal remote server to improve SSH security to a level where I can sleep well at night. So let me show you what I did…
To summarize, here is my path to security:
- Changed the default listen port (the default is 22)
- Only allow SSH protocol 2 (there are two versions of the SSH protocol; version 2 is far more secure)
- Disabled root login
- Allowed only some users to log in
- Disabled password login
- Set up a private/public key method for authentication
- Set a firewall rule for those script kiddies who like to knock on my server's door
These were the steps, and believe me, it’s not that big a deal to go through them. Let’s now describe each one!
Default Listen Port
By default, the OpenSSH server listens on TCP port 22. This is not meant as security by obscurity, but if you change this default, at least the script kiddies who scan port 22 and hammer you with default logins will be dropped, and your bandwidth will be spared. So head to /etc/ssh (the default directory on most distros) and edit sshd_config. On the line “Port 22”, change the number to something else, higher than 1024, because port scanners usually don't go higher than that by default; for example, use port 2222. When connecting to your server, don't forget to specify the port number (on the command line this is ssh -p 2222 hostname).
SSH protocol 2
At present there are two versions of the SSH protocol. It's better to go with the latest, since it's far more secure. So, in the same file where you made the port change, find the line containing the word “Protocol” and set it to a lone “2” (there is probably already one there, possibly reading “2,1”). Save your changes.
Disable root login
Normally, for administration purposes, we use the superuser (root), but it's not safe to log in remotely as this user. If something gets compromised, the attacker will have full power to change anything on your system. So force logins as a user other than root, and once you are logged in, su to become root. Believe me, it's safer this way. In the same file, find the line “PermitRootLogin” and set it to “no”. That's it!
Allow only some users to login
OK, you have now disabled root login, but any user account on your system is still authorized to log in remotely. This brings a lot of issues, because more users means more logins from more places, and more chances for security problems (imagine one of your users being kidnapped by an alien, you never know). So authorize one user (you), and other users only if really needed. I hope you never left sshd_config, because now we have to search for the line “AllowUsers”. If this line doesn't exist, add it in the “# Authentication” part of the file, and list the users you want to allow to log in. Example: “AllowUsers user1 user2”. Easy, right? Let's continue.
Password logins
By default, you authenticate to your remote host with a combination of user and password. Passwords, by their nature, are unsafe, so why use them? Next we will set up key-based authentication, so disable passwords now. In the same configuration file, change “PasswordAuthentication yes” to “PasswordAuthentication no”. And we are done regarding passwords.
Private/Public key authentication (using DSA)
I explained this in the past (link to previous post). You can use a private/public key pair to authenticate yourself to a remote host, so use it. Go through that post and set everything up. It's just a matter of following the steps: (1) ssh-keygen -t dsa; (2) cat ~/.ssh/id_dsa.pub; (3) put the output of step (2) in the remote ~/.ssh/authorized_keys (chmodded to 600). After doing this, edit the lines in sshd_config to read “RSAAuthentication yes”, “PubkeyAuthentication yes” and “AuthorizedKeysFile %h/.ssh/authorized_keys”. And you're done here.
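As an added example (not from the original post), here is a small POSIX shell audit that reads an sshd_config and reports whether the settings from the steps above (Port, Protocol, PermitRootLogin, AllowUsers, PasswordAuthentication, PubkeyAuthentication) are set the way the steps require. It assumes a plain sshd_config with one directive per line and no Match blocks, and, like sshd, treats the first occurrence of a directive as the effective one; the two sample configs it writes are constructed.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the settings described above.
# Assumes one directive per line and no Match blocks. Like sshd, the FIRST
# occurrence of a directive is the effective one, so later duplicates are ignored.

# Print the effective value of directive $2 in config file $1 (empty if unset).
sshd_opt() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == tolower(key) { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$1"
}

# expect FILE KEY WANT DEFAULT: pass if the effective value (or sshd's default
# when the key is absent) equals WANT.
expect() {
    val=$(sshd_opt "$1" "$2"); val=${val:-$4}
    if [ "$val" = "$3" ]; then echo "OK   $2 $val"; return 0; fi
    echo "FAIL $2 ${val:-unset} (want $3)"; return 1
}

# Run every check from the steps above; returns the number of failed checks.
audit_sshd_config() {
    cfg=$1; fails=0
    port=$(sshd_opt "$cfg" Port); port=${port:-22}
    if [ "$port" -gt 1024 ] 2>/dev/null; then echo "OK   Port $port"
    else echo "FAIL Port $port (default 22 or a privileged port)"; fails=$((fails + 1)); fi
    expect "$cfg" Protocol 2 "" || fails=$((fails + 1))
    expect "$cfg" PermitRootLogin no yes || fails=$((fails + 1))
    expect "$cfg" PasswordAuthentication no yes || fails=$((fails + 1))
    expect "$cfg" PubkeyAuthentication yes yes || fails=$((fails + 1))
    users=$(sshd_opt "$cfg" AllowUsers)
    if [ -n "$users" ]; then echo "OK   AllowUsers $users"
    else echo "FAIL AllowUsers unset (every account may log in)"; fails=$((fails + 1)); fi
    return "$fails"
}

# Constructed sample configs (not real files): a hardened one and a stock one.
write_sample_configs() {
    printf 'Port 2222\nProtocol 2\nPermitRootLogin no\nAllowUsers user1 user2\n' > "$1/hardened"
    printf 'PasswordAuthentication no\nPubkeyAuthentication yes\n' >> "$1/hardened"
    printf '# stock config: everything left at its default\nPort 22\n' > "$1/stock"
}

dir=$(mktemp -d)
write_sample_configs "$dir"
audit_sshd_config "$dir/hardened" || echo "hardened: $? check(s) failed"
audit_sshd_config "$dir/stock" || echo "stock: $? check(s) failed"
```

Run it against the live /etc/ssh/sshd_config (and sshd -t to syntax-check it) before restarting sshd, and keep your current session open until a key-based login has been confirmed, since PasswordAuthentication no with a broken key setup locks you out.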
Firewall Rule
Wouldn't it be great if your firewall detected someone knocking on its door? Well, you can use a full-blown intrusion detection system like Snort (link to snort), but with simple iptables rules we can put a limit on the number of times someone may try to log in. If you don't know what iptables is, ignore this step; otherwise, add these rules to your firewall (run them on the command line or add them to your firewall scripts):
iptables -A INPUT -i ${WAN} -p tcp --dport 2222 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -i ${WAN} -p tcp --dport 2222 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP
The ${WAN} part of the rule is the network interface you use to reach your SSH server. I normally export LAN and WAN in a bash script, so I always know what is going where. In the future we will discuss firewall/iptables in detail, for those who do not know the subject. These two simple rules limit to 8 the number of SSH login attempts your host will permit in a minute. That's a huge improvement (only 8 against unlimited attempts).

And that's it! These were the steps I took to improve security on my remote host. Combined with a good firewall script, you will get a very tight system, believe me! There are other things you can do, like using TCP wrappers, but in my case I log in from a changing IP address, and that method is not very useful if your IP address changes a lot.

Oh, one last thing you can do! If all these methods fail and someone is able to log in to your server with ssh, edit /etc/ssh/sshd_config again, and on the “Banner” line put “/etc/sshbanner.txt”. Now create (edit) the file /etc/sshbanner.txt and put this inside (copy/paste):
————————————————————————————————————–
WARNING! THIS IS A PRIVATE SSH SERVICE, NOT TO BE USED BY A STRANGER. IF YOU HAVE GAINED ILLICIT ACCESS TO THIS SYSTEM, A CURSE WILL BE SET UPON YOU, AND YOU WILL HAVE A SERIOUS RASH ON YOUR PRIVATE PARTS, AND SUFFER IN AGONY! YOU HAVE BEEN WARNED!
—————————————————————————————————————
Now, each time a user logs in, he will see this message. If it's an unwanted user, he will be so scared that he will log off immediately! =)
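The two iptables rules from the Firewall Rule section above, as an added example that is not from the original post: a POSIX shell/awk simulation of what the -m recent rules do to a stream of new SSH connections, so you can see exactly which attempt gets dropped and when a source is allowed back in. The input events (timestamps and source addresses) are constructed.

```shell
#!/bin/sh
# Added example: simulate the two "-m recent" rules above on a stream of NEW SSH
# connections, one "<epoch-seconds> <source-ip>" per line in time order.
# Rule 1 (--set) records every new connection for the source; rule 2 (--update
# --seconds 60 --hitcount 8) drops it once the source has 8 or more recorded
# hits in the last 60 s, and a match also refreshes the entry, so a source that
# keeps hammering stays blocked. Simplification: the real module keeps only the
# last 20 timestamps per address (ip_pkt_list_tot) and, with --rttl, also
# requires the TTL to match; neither changes the outcome for this input.
simulate_ssh_ratelimit() {
    awk -v window=60 -v hitcount=8 '
    function record(ip, now) { stamp[ip, ++count[ip]] = now }
    function hits_within(ip, now,   n, i) {
        n = 0
        for (i = 1; i <= count[ip]; i++)
            if (now - stamp[ip, i] <= window) n++
        return n
    }
    {
        now = $1; ip = $2
        record(ip, now)                            # rule 1: --set
        if (hits_within(ip, now) >= hitcount) {    # rule 2: --update --hitcount 8
            record(ip, now)                        # a match refreshes the entry
            print now, ip, "DROP"
        } else {
            print now, ip, "ACCEPT"
        }
    }'
}

# Constructed events: one source opens a connection every second for ten
# seconds, another source connects once in between, and the first one comes
# back after the 60 s window has expired.
sample_events() {
    i=100
    while [ "$i" -le 109 ]; do
        echo "$i 203.0.113.5"
        [ "$i" -eq 105 ] && echo "$i 198.51.100.7"
        i=$((i + 1))
    done
    echo "200 203.0.113.5"
}

sample_events | simulate_ssh_ratelimit
```

The output shows the eighth connection from 203.0.113.5 within the minute (at second 107) and the two after it dropped, the other source untouched, and the first source accepted again once its recorded hits have aged out of the window.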
Please post comments on more things we can use to improve security on our servers!
PS: Don't forget, when all changes are made, to restart your SSH server (e.g. /etc/init.d/ssh restart).