SSH configuration and security best practices
Any good systems administrator will agree that changing the SSH configuration to add security is a good thing. However, novice sysadmins are often nervous about implementing such changes. In this article I share a list of settings that can be used to tighten and enhance SSH security on a UNIX- or Linux-based system.
- Restrict the root account to console access only:

  # vi /etc/ssh/sshd_config
  PermitRootLogin no

- Create private/public key pairs, using a strong passphrase to protect the private key (use a larger key size for more security, for example 4096 bits):

  % ssh-keygen -t rsa -b 4096

- Configure TCP wrappers to allow only selected remote hosts and deny undesirable hosts. hosts_access(5) only documents whole-line # comments, so keep the note on its own line. Note that OpenSSH dropped TCP wrappers support in version 6.7; on a current server, use a Match Address block in sshd_config or the host firewall for the same purpose:

  # vi /etc/hosts.deny
  # ip address of mrbadguy
  ALL: 192.168.100.101

- On workstations or laptops, disable the SSH server by turning off the SSH service and then removing the SSH server package, for example:

  # chkconfig sshd off          (Red Hat style)
  # yum erase openssh-server
  # update-rc.d -f ssh remove   (Debian style)
  # apt remove openssh-server

- Restrict SSH access by controlling which users may log in:

  # vi /etc/ssh/sshd_config
  AllowUsers mc84838 martinch mchurchi
  DenyUsers janedoe johndoe mrbadguy

- Force SSH to only use SSH protocol 2 (OpenSSH 7.4 and later have removed protocol 1 from sshd entirely, so this line only matters on older versions):

  # vi /etc/ssh/sshd_config
  Protocol 2

- Don't allow idle sessions: configure the idle logout timeout interval (for example, 600 seconds = 10 minutes). On OpenSSH 8.2 and later, a ClientAliveCountMax of 0 disables the disconnect instead of forcing it, so use 1 there:

  # vi /etc/ssh/sshd_config
  ClientAliveInterval 600
  ClientAliveCountMax 0

- Disable host-based authentication:

  # vi /etc/ssh/sshd_config
  HostbasedAuthentication no

- Disable user .rhosts files:

  # vi /etc/ssh/sshd_config
  IgnoreRhosts yes

- Restrict the interfaces that SSH will listen on and bind to:

  # vi /etc/ssh/sshd_config
  ListenAddress 192.168.100.200
  ListenAddress 10.1.1.10

- Confine SFTP users to their own home directories by using chroot SSHD. The chroot directory and all of its parent directories must be owned by root and not writable by any other user or group, or sshd rejects the login; in practice these lines go inside a Match Group block together with ForceCommand internal-sftp so that only the SFTP users are confined:

  # vi /etc/ssh/sshd_config
  ChrootDirectory /secure/home/%u
  X11Forwarding no
  AllowTcpForwarding no

- Disable empty passwords:

  # vi /etc/ssh/sshd_config
  PermitEmptyPasswords no

- Increase SSH logging verbosity (VERBOSE already records the fingerprint of each key used to log in; the sshd_config manual warns that DEBUG violates the privacy of users and is not recommended for routine use):

  # vi /etc/ssh/sshd_config
  LogLevel DEBUG

- Use a log analyzer such as logcheck, Splunk, or logwatch to create logging reports.

- Always keep the SSH packages and required libraries up to date with patches, for example:

  # yum update openssh-server openssh openssh-clients -y
  # apt update && apt install --only-upgrade openssh-server openssh-client -y

- SSH supports numerous authentication methods that you can enable or disable. Within the /etc/ssh/sshd_config file you make these changes by entering the keyword for the authentication method followed by yes or no (lines beginning with # are commented out and show the compiled-in default). Here are some of the common settings:

  #RSAAuthentication yes
  #PubkeyAuthentication yes
  #RhostsRSAAuthentication no
  #HostbasedAuthentication no
  # RhostsRSAAuthentication and HostbasedAuthentication
  PasswordAuthentication yes
  ChallengeResponseAuthentication no
  #KerberosAuthentication no
  GSSAPIAuthentication yes

- The keywords AllowedAuthentications and RequiredAuthentications within the sshd_config file dictate which authentication methods and configurations are used with SSH protocol 2 only, and the syntax for them to allow password and public key authentication is as follows:

  # vi /etc/ssh/sshd_config
  AllowedAuthentications publickey, password
  RequiredAuthentications publickey, password

  These two keywords belong to the commercial SSH Tectia (ssh.com) server's sshd2_config; OpenSSH does not recognize them and refuses to start when it meets an unknown keyword. The OpenSSH equivalent is AuthenticationMethods, where every method in a comma-separated list must succeed (AuthenticationMethods publickey,password requires both).
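Before restarting sshd it is worth checking that the file actually contains the values above, in the way sshd will read them: keywords are case-insensitive, the first occurrence of a keyword wins, and anything after the first Match line is conditional. The following script is an added example (not code from the article) that audits the global section of an sshd_config against a list of expected values; the sample config and the expected list are constructed for the demonstration, and the script assumes the "Keyword value" form rather than "Keyword=value".

```shell
#!/bin/sh
# Audit the global section of an sshd_config against expected hardening values.
# Added example; the sample config below is constructed, not from a real host.
SAMPLE_CONFIG='# constructed sample sshd_config, not from a real host
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication yes
PermitEmptyPasswords no
HostbasedAuthentication no
X11Forwarding yes
X11Forwarding no
ClientAliveInterval 600
ClientAliveCountMax 0
LogLevel INFO
Match Group sftponly
    ChrootDirectory /secure/home/%u
    PermitRootLogin yes'

# Expected global values: lowercase keyword followed by the value.
EXPECTED='permitrootlogin no
protocol 2
permitemptypasswords no
hostbasedauthentication no
ignorerhosts yes
x11forwarding no
clientaliveinterval 600'

# Print "keyword value" for the global section of an sshd_config read on stdin.
# Mirrors how sshd reads the file: keywords are case-insensitive, the first
# occurrence of a keyword wins, and everything from the first Match line on is
# conditional, so it is left out. Assumes "Keyword value", not "Keyword=value".
sshd_global_settings() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        { key = tolower($1) }
        key == "match" { exit }
        !(key in seen) {
            seen[key] = 1
            $1 = ""
            sub(/^[ \t]+/, "")
            print key, $0
        }'
}

# Compare the effective global settings of the file named in $1 with EXPECTED.
# Prints one line per check and returns the number of problems; a missing
# keyword counts because sshd then falls back to its compiled-in default.
sshd_audit() {
    sshd_global_settings < "$1" | awk -v expected="$EXPECTED" '
        BEGIN {
            n = split(expected, lines, "\n")
            for (i = 1; i <= n; i++) {
                split(lines[i], kv, " ")
                want[kv[1]] = kv[2]
            }
        }
        { have[$1] = $2 }
        END {
            bad = 0
            for (k in want) {
                if (!(k in have)) {
                    printf "MISSING  %s (expected %s; sshd default applies)\n", k, want[k]; bad++
                } else if (tolower(have[k]) != want[k]) {
                    printf "MISMATCH %s is %s (expected %s)\n", k, have[k], want[k]; bad++
                } else {
                    printf "OK       %s %s\n", k, have[k]
                }
            }
            exit bad
        }'
}

# Usage on a real host: sshd_audit /etc/ssh/sshd_config
# Demonstration on the constructed sample: X11Forwarding reports the first
# value (yes), IgnoreRhosts is missing, and the PermitRootLogin inside the
# Match block is ignored, so two problems are reported.
tmp=$(mktemp) && printf '%s\n' "$SAMPLE_CONFIG" > "$tmp" && sshd_audit "$tmp"
rm -f "$tmp"
```

The script only compares textual values; run `sshd -t` afterwards so that sshd itself validates the syntax and the keywords before the service is restarted.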
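The logging items above recommend a higher LogLevel and a log analyzer for reports. As an added example (not code from the article, and not one of the analyzers it names), the following shell functions produce the two reports a sysadmin usually wants first from sshd's auth log: failed password attempts per source address and every accepted login with its authentication method, so password logins stand out on a host meant to accept keys only. The log lines are constructed for the demonstration; the message formats are the ones sshd writes at LogLevel INFO and above.

```shell
#!/bin/sh
# Constructed sample of sshd lines from /var/log/auth.log (not from any real host).
SAMPLE_LOG='Jan 10 10:01:02 host1 sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 10 10:01:05 host1 sshd[1235]: Failed password for root from 203.0.113.5 port 51236 ssh2
Jan 10 10:01:09 host1 sshd[1236]: Failed password for mrbadguy from 203.0.113.5 port 51240 ssh2
Jan 10 10:02:11 host1 sshd[1240]: Accepted publickey for martinch from 192.168.100.50 port 40000 ssh2: RSA SHA256:EXAMPLEFINGERPRINT
Jan 10 10:02:40 host1 sshd[1241]: Failed password for johndoe from 198.51.100.9 port 60000 ssh2
Jan 10 10:03:00 host1 sshd[1242]: Accepted password for mc84838 from 192.168.100.51 port 40010 ssh2'

# Failed password attempts per source address (read on stdin), most frequent first.
# The address is the token after "from", which also covers "invalid user" lines.
ssh_failed_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") count[$(i + 1)]++
         }
         END { for (ip in count) print count[ip], ip }' | sort -rn
}

# Successful logins (read on stdin) as "method user address".
ssh_accepted() {
    awk '/sshd\[[0-9]+\]: Accepted / {
            for (i = 1; i <= NF; i++) {
                if ($i == "Accepted") method = $(i + 1)
                if ($i == "for") user = $(i + 1)
                if ($i == "from") addr = $(i + 1)
            }
            print method, user, addr
         }'
}

# Print both reports for the log file named in $1.
ssh_report() {
    echo "Failed password attempts by source address:"
    ssh_failed_by_ip < "$1"
    echo "Accepted logins (method user address):"
    ssh_accepted < "$1"
}

# Usage on a real host: ssh_report /var/log/auth.log
# Demonstration on the constructed sample.
tmp=$(mktemp) && printf '%s\n' "$SAMPLE_LOG" > "$tmp" && ssh_report "$tmp"
rm -f "$tmp"
```

On a host configured with the settings from this article, an "Accepted password" line in the second report is itself a finding, since it shows that PasswordAuthentication is still enabled for that user.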