SSH is the preferred method for providing remote shell services such as command execution. Designed as a replacement for the old, insecure Telnet protocol, SSH provides an encrypted connection between client and server. Although far more secure than its forefather, there are some extra steps you can take beyond the out-of-the-box settings to increase the level of security.
The following assumes a fresh installation of CentOS 6. By default the SSH service is not enabled. To enable the service you need to start it. To do this, run the following command as the root user within a terminal:
service sshd start
To configure the system to start the SSH service at start-up you can run the following:
chkconfig sshd on
The service will now accept connections from clients. The configuration of the service is controlled by the contents of a configuration file called ‘sshd_config’ located within the folder ‘/etc/ssh/’. Open this file using the editor of your choice.
Changing the default port
The Internet Assigned Numbers Authority (IANA) is responsible for maintaining the official assignments of port numbers. SSH is officially allocated port 22. One disadvantage is that it allows script kiddies to scan IP addresses checking whether port 22 is open. Generally, on finding an open port their script starts performing a brute-force password attack – basically guessing your username and password based on a dictionary of common credentials. Crude! One way to reduce this eventuality is to modify SSH’s configuration to specify an alternate port. To do this, locate the “Port” setting, e.g.
Uncomment the line and alter the default port e.g.
Once saved restart the service to activate the setting:
service sshd restart
After this change you will have to reconfigure your firewall rules to reflect the change of port. Although this tip will decrease the number of unwanted connections to your server, any skilled hacker will easily find that you have modified the default port; thus, further action is required to scupper them!
Deny root logins
The default settings within CentOS are configured such that the root account is allowed to log on via remote SSH. This is rather worrying; thus, I recommend direct root sessions are not permitted. This is achieved by modifying the following setting:
To modify the setting uncomment the line including the “PermitRootLogin” parameter and alter the associated value to “No”. Again, restart the service to activate the setting:
service sshd restart
Making the hackers wait
At some point if your SSH service is accessible over the Internet it is likely that it will be subjected to a brute-force attack. In this scenario hackers can take 6 guesses at your password before the session is closed.
They can then reconnect and try again and again and again. Therefore, it is wise to reduce the number of consecutive attempts and extend the time before a client can reconnect to the service. The more extreme you are with these settings, the more you slow down an attack! The setting of interest is:
This setting is described in the manual as the random early drop. It can be enabled by specifying the three colon separated values ‘start:rate:full’ (e.g., “10:30:60”). sshd will refuse connection attempts with a probability of ‘rate/100’ (30%) if there are currently ‘start’ (10) unauthenticated connections. The probability increases linearly and all connection attempts are refused if the number of unauthenticated connections reaches ‘full’ (60). A little cryptic but worth visiting.
Reduce the maximum amount of time allowed to successfully log in before disconnecting. The default is 2 minutes, which is far too long to hold open an unauthenticated connection attempt; 20 seconds is more than enough time to log in.
Specifies the number of password prompts before giving up. The argument to this keyword must be an integer. The default is 6. Reduce it as you see fit.
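To check that the settings discussed above actually took effect, here is an added example (not part of the original post) that audits an sshd_config file and reports which of them are still at their weak defaults. It assumes the sshd_config(5) keyword names Port, PermitRootLogin, LoginGraceTime, MaxAuthTries and MaxStartups, and the defaults of the OpenSSH shipped with CentOS 6.

```shell
#!/bin/sh
# Added example, not the original post's own code: audit an sshd_config for the
# hardening settings discussed above. Keyword names and defaults are assumed
# from sshd_config(5) as shipped with CentOS 6.

# effective_value FILE KEY DEFAULT
# Prints the value of the last active (uncommented) KEY line in FILE, or DEFAULT
# when the key is absent: sshd ignores commented lines, so "#Port 22" still
# means the built-in default applies.
effective_value() {
    awk -v k="$2" -v d="$3" '
        $1 !~ /^#/ && tolower($1) == tolower(k) { v = $2 }
        END { print (v == "" ? d : v) }' "$1"
}

# to_seconds VALUE: sshd accepts "20", "20s", "2m" or "1h"; normalise to seconds.
to_seconds() {
    n=${1%[smh]}
    case $1 in
        *m) echo $((n * 60)) ;;
        *h) echo $((n * 3600)) ;;
        *)  echo "$n" ;;
    esac
}

# audit_sshd_config FILE
# Prints one finding per line and returns the number of findings (0 = hardened).
audit_sshd_config() {
    f=$1; n=0
    [ "$(effective_value "$f" Port 22)" = 22 ] &&
        { echo "Port: still the default 22"; n=$((n + 1)); }
    [ "$(effective_value "$f" PermitRootLogin yes)" = yes ] &&
        { echo "PermitRootLogin: direct root logins allowed"; n=$((n + 1)); }
    [ "$(to_seconds "$(effective_value "$f" LoginGraceTime 120)")" -gt 30 ] &&
        { echo "LoginGraceTime: longer than 30 seconds"; n=$((n + 1)); }
    [ "$(effective_value "$f" MaxAuthTries 6)" -ge 6 ] &&
        { echo "MaxAuthTries: 6 or more password prompts"; n=$((n + 1)); }
    # Random early drop only applies with the three-value start:rate:full form.
    case $(effective_value "$f" MaxStartups 10) in
        *:*:*) ;;
        *) echo "MaxStartups: random early drop not enabled"; n=$((n + 1)) ;;
    esac
    return "$n"
}
```

Run it as `audit_sshd_config /etc/ssh/sshd_config` after editing; a non-zero exit status means at least one setting is still at its weak default.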
The topic could go on and on. There are a lot of ways to secure SSH and further reading is suggested.