Tips for securing SSH

SSH is the preferred method for providing remote shell services such as command execution. Designed as a replacement for the old-school, insecure Telnet protocol, SSH provides an encrypted, secure connection between client and server. Although it is far more secure than its forefather, there are some extra steps you can take beyond the out-of-the-box settings to increase the level of security.

The following assumes a fresh installation of CentOS 6. By default the SSH service is not enabled. To enable it you need to start the service. To do this, run the following command as the root user within a terminal:

service sshd start

To configure the system to start the SSH service at start-up you can run the following:

chkconfig sshd on

The service will now accept connections from clients. The configuration of the service is controlled by the contents of a configuration file called ‘sshd_config’ located within the folder ‘/etc/sshd/’. Open this file using the editor of your choice.

Changing the default port

The Internet Assigned Numbers Authority (IANA) is responsible for maintaining the official assignments of port numbers. SSH is officially allocated port 22. One disadvantage is that it allows script kiddies to scan IP addresses checking whether port 22 is open. Generally, on finding an open port their script starts performing a brute-force password attack – basically guessing your username and password based on a dictionary of common credentials. Crude! One way to reduce this eventuality is to modify SSH’s configuration to specify an alternate port. To do this, locate the “Port” setting, e.g.

[Screenshot: locating the Port setting in sshd_config]

Uncomment the line and alter the default port, e.g.

[Screenshot: the Port line changed from the default of 22]

Once saved, restart the service to activate the setting:

service sshd restart

After this change one will have to re-configure one’s firewall rules to reflect the change of port. Although this tip will decrease the number of unwanted connections to your server, any skilled hacker will easily find that you have modified the default port; thus, further action is required to scupper them!

Deny root logins

The default settings within CentOS are configured such that the root account is allowed to log on via remote SSH. This is rather worrying; thus, I recommend that direct root sessions are not permitted. This is achieved by modifying the following setting:

[Screenshot: the PermitRootLogin setting in sshd_config]

To modify the setting, uncomment the line containing the “PermitRootLogin” parameter and alter the associated value to “no”. Again, restart the service to activate the setting:

service sshd restart

Making the hackers wait

At some point, if your SSH service is accessible over the Internet, it is likely that it will be subjected to a brute-force attack. In this scenario hackers can take 6 guesses at your password before the session is closed.

They can then re-connect and try again and again and again. Therefore, it is wise to reduce the number of consecutive attempts and limit how readily a client can re-connect to the service. The more extreme you are with these settings, the more you slow down an attack! The settings of interest are:

MaxStartups
LoginGraceTime
NumberOfPasswordPrompts

MaxStartups

This setting is described in the manual as random early drop. It can be enabled by specifying three colon-separated values ‘start:rate:full’ (e.g., “10:30:60”). sshd will refuse connection attempts with a probability of ‘rate/100’ (30%) if there are currently ‘start’ (10) unauthenticated connections. The probability increases linearly, and all connection attempts are refused once the number of unauthenticated connections reaches ‘full’ (60). A little cryptic, but worth visiting.

LoginGraceTime

Reduce the maximum amount of time allowed to successfully log in before the server disconnects. The default is 2 minutes, which is far too long to hold open an unauthenticated connection attempt; 20 seconds is more than enough time to log in.

NumberOfPasswordPrompts

Specifies the number of password prompts before giving up. The argument to this keyword must be an integer. The default is 6. Reduce as one sees fit.
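As an added example (not part of the original post), the following POSIX shell script applies the settings discussed above to an sshd_config file given as an argument, replacing the commented defaults idempotently and leaving any Match blocks intact. The port 2222 and the sample configuration are constructed for illustration, and MaxAuthTries is used on the server side because NumberOfPasswordPrompts is a client-side (ssh_config) option.

```shell
# Replace or add one global sshd_config keyword in file $1 (idempotent): a
# commented default such as "#Port 22" is replaced, lines inside Match blocks
# are left alone, and a missing keyword is inserted before the first Match
# block because sshd honours the first occurrence of a global keyword.
set_sshd_option() {
    file=$1 key=$2 val=$3
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v val="$val" '
        tolower($1) == "match" && !inmatch { inmatch = 1 }
        inmatch && !done { print key, val; done = 1 }
        inmatch { print; next }
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)      # drop indentation and "#"
            split(line, f, /[ \t]+/)
            if (tolower(f[1]) == tolower(key)) {  # keyword line, active or commented
                if (!done) { print key, val; done = 1 }
                next
            }
            print
        }
        END { if (!done) print key, val }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rc=$?; rm -f "$tmp"; return $rc
}

# Apply the settings from the post. 2222 is an illustrative port; MaxAuthTries
# is the server-side counterpart of the client option NumberOfPasswordPrompts.
harden_sshd_config() {
    set_sshd_option "$1" Port 2222 &&
    set_sshd_option "$1" PermitRootLogin no &&
    set_sshd_option "$1" MaxStartups 10:30:60 &&
    set_sshd_option "$1" LoginGraceTime 20 &&
    set_sshd_option "$1" MaxAuthTries 3
}

# Effective global value of a keyword: the first active line before any Match.
get_sshd_option() {
    awk -v key="$2" 'tolower($1) == "match" { exit }
                     tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Constructed sample resembling an abridged CentOS 6 default file.
cfg=$(mktemp)
printf '#Port 22\n#PermitRootLogin yes\n#LoginGraceTime 2m\nMatch Address 192.0.2.0/24\n    MaxAuthTries 6\n' > "$cfg"
harden_sshd_config "$cfg" && cat "$cfg"
rm -f "$cfg"
# Validate with "sshd -t" before "service sshd restart" on a real host.
```

Running it prints the hardened file with the five global settings placed ahead of the Match block, which is left exactly as it was.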

The topic could go on and on. There are a lot of ways to secure SSH, and further reading is suggested.
