Securing ssh server

SSH stands for Secure Shell, a protocol designed to allow secure communication between hosts over an encrypted connection. SSH servers let users log into remote hosts, run commands and operate network services securely. Establishing an SSH connection needs two parts: the SSH client and the SSH server.

Configure SSHD

The settings file for OpenSSH on Ubuntu 16.04 is located at /etc/ssh/sshd_config. You will need to be root or use sudo to edit and control the SSH server.

For added security you need to prevent remote logins from accounts with empty passwords. Open /etc/ssh/sshd_config and set the PermitEmptyPasswords line shown in the example below to no.

One of the most dangerous security holes you can have on your system is allowing direct logins to root through SSH. Any attacker brute-forcing your root password could then access your system directly, and root can do a lot more damage on a machine than a standard user can.

To disable root logins, edit the SSHD configuration file. All your SSH server settings are stored in /etc/ssh/sshd_config. Open that file as root and find the line containing #PermitRootLogin. To disable logging in through SSH as root, change it to PermitRootLogin no, as in this example:

PermitEmptyPasswords no
PermitRootLogin no
Port 222

The Port line in this example moves the listener off the default port 22; keep it only if your firewall rules and clients are updated to match.

StrictModes makes the SSH server check the ownership and permissions of a user's home directory and key and rhosts files before accepting a login; files that are group- or world-writable cause the login to be refused.

LoginGraceTime defines how long, in seconds, the SSH server waits for a successful login before disconnecting the client.

Idle sessions can be dangerous, so it is a good idea to log people out after a set amount of inactivity. ClientAliveInterval is the number of seconds of received silence after which the server sends an alive message to the client; ClientAliveCountMax is the number of unanswered messages it allows before disconnecting. In the example below, the server checks on the client after 5 minutes of inactivity and disconnects after doing this twice without an answer.

If we have SSH keys working we can also disable all password authentication.

StrictModes yes
LoginGraceTime 120
ClientAliveInterval 300
ClientAliveCountMax 2
PasswordAuthentication no
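One check a practitioner wants after editing sshd_config is whether the settings above actually take effect. The script below is an added example written for this post, not part of the original article or of OpenSSH; it reads a config file the way sshd does (comments skipped, the first value of a keyword wins, Match blocks are conditional and therefore ignored) and reports the settings discussed above. It assumes the plain "Keyword value" syntax; "Keyword=value" lines and Include directives are not handled, and the sample config at the bottom is constructed, not taken from a real server.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config against the
# hardening settings discussed above. Assumes "Keyword value" syntax; lines inside
# Match blocks are skipped because they apply only conditionally.

# effective_value FILE KEYWORD -> prints the value sshd would use.
# sshd takes the FIRST value it reads for a keyword, so a second, weaker copy
# further down the file is ignored; this function mirrors that rule.
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }            # comments and blank lines
        tolower($1) == "match"   { inmatch = 1; next } # conditional section starts
        inmatch                  { next }              # ...and never returns to global
        tolower($1) == key       { print $2; exit }    # first match wins
    ' "$1"
}

# check_setting FILE KEYWORD EXPECTED DEFAULT
# Prints one result line; returns 0 when the effective value equals EXPECTED.
check_setting() {
    file=$1 keyword=$2 expected=$3 default=$4
    value=$(effective_value "$file" "$keyword")
    note=""
    if [ -z "$value" ]; then
        value=$default
        note=" (not set, sshd default)"
    fi
    if [ "$(printf '%s' "$value" | tr 'A-Z' 'a-z')" = "$expected" ]; then
        echo "OK   $keyword $value$note"
        return 0
    fi
    echo "FAIL $keyword $value$note, expected $expected"
    return 1
}

# audit_sshd_config FILE -> return value is the number of failed settings.
audit_sshd_config() {
    failed=0
    # Defaults are OpenSSH 7.x values; PermitRootLogin defaulted to "yes" before 7.0.
    check_setting "$1" PermitRootLogin        no  prohibit-password || failed=$((failed + 1))
    check_setting "$1" PermitEmptyPasswords   no  no                || failed=$((failed + 1))
    check_setting "$1" PasswordAuthentication no  yes               || failed=$((failed + 1))
    check_setting "$1" StrictModes            yes yes               || failed=$((failed + 1))
    # ClientAliveInterval defaults to 0, which disables idle checks entirely,
    # so any positive value is accepted here.
    interval=$(effective_value "$1" ClientAliveInterval)
    if [ "${interval:-0}" -gt 0 ] 2>/dev/null; then
        echo "OK   ClientAliveInterval $interval"
    else
        echo "FAIL ClientAliveInterval ${interval:-0} (idle sessions never time out)"
        failed=$((failed + 1))
    fi
    return $failed
}

# Demo on a constructed sample config: the commented line and the later
# "PermitRootLogin yes" must not change the verdict, and the Match block's
# PasswordAuthentication yes must be ignored.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# PermitRootLogin yes
PermitRootLogin no
PermitRootLogin yes
PermitEmptyPasswords no
PasswordAuthentication no
StrictModes yes
LoginGraceTime 120
ClientAliveInterval 300
ClientAliveCountMax 2
Match User backup
    PasswordAuthentication yes
EOF
audit_sshd_config "$sample"
echo "failed settings: $?"
rm -f "$sample"
```

Run it against the real file with `audit_sshd_config /etc/ssh/sshd_config` after editing, then `sshd -t` for a syntax check and a restart; a FAIL line means the setting is either missing, overridden by an earlier copy, or has the wrong value.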

Use ssh keys

By default you log into the system through SSH with a username and a password. These can be brute forced: attackers will try an enormous number of username and password combinations until they find one that works. So instead of passwords we should use SSH keys.

If you already have a key pair, skip ahead.

Run the following command on the client machine to generate your keys. Do not run it with sudo. It will ask for a passphrase to protect the key. You can leave this blank, but I do not recommend that: a private SSH key with no passphrase can be used by anyone who obtains a copy of it to access the server.

ssh-keygen

Use ssh-copy-id to send your public key to the host you want to connect to.

ssh-copy-id [email protected]

Now try logging in. You may be asked for your passphrase.

ssh [email protected]

You should get a message back that looks similar to:

The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established.
ECDSA key fingerprint is ff:fd:d5:f9:66:fe:73:84:e1:56:cf:d6:ff:ff.
Are you sure you want to continue connecting (yes/no)?

Say yes and you should be logged in without a password. Before answering yes, compare the fingerprint shown with the one printed by ssh-keygen -lf on the server's host key, so that you are not accepting an unknown host.
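A common reason the key login above silently falls back to a password prompt is StrictModes: sshd refuses authorized_keys when the home directory, ~/.ssh or the file itself is group- or world-writable or owned by someone other than the user or root, and logs "Authentication refused: bad ownership or modes". The script below is an added example written for this post (not OpenSSH's own code); it reproduces those checks with POSIX find(1) and applies the usual fix. The home directory, user name and the throwaway directory in the demo are parameters and constructed input.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the ownership and mode
# checks that StrictModes makes before sshd will trust ~/.ssh/authorized_keys.
# Assumes a POSIX find(1); HOME_DIR and USER are supplied by the caller.

# writable_by_others PATH -> returns 0 if PATH is group- or world-writable.
# -prune keeps find from descending into directories; -perm -020/-002 test one bit each.
writable_by_others() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print)" ]
}

# strictmodes_check HOME_DIR USER
# Prints a line per problem found; returns the number of problems (0 = sshd would accept).
strictmodes_check() {
    home=$1 user=$2 problems=0
    for path in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$path" ]; then
            echo "MISSING   $path"; problems=$((problems + 1)); continue
        fi
        if writable_by_others "$path"; then
            echo "BAD MODE  $path (group/world writable)"; problems=$((problems + 1))
        fi
        # sshd accepts the user or root as owner of each component
        if [ -z "$(find "$path" -prune \( -user "$user" -o -user root \) -print)" ]; then
            echo "BAD OWNER $path (not owned by $user or root)"; problems=$((problems + 1))
        fi
    done
    return $problems
}

# fix_key_perms HOME_DIR: the usual remedy; ssh-copy-id sets these modes itself.
fix_key_perms() {
    chmod go-w "$1" && chmod 700 "$1/.ssh" && chmod 600 "$1/.ssh/authorized_keys"
}

# Demo on a constructed, throwaway home directory with deliberately loose modes.
demo_home=$(mktemp -d)
mkdir -m 777 "$demo_home/.ssh"
touch "$demo_home/.ssh/authorized_keys"
chmod 664 "$demo_home/.ssh/authorized_keys"
strictmodes_check "$demo_home" "$(id -un)" || echo "before fix: $? problem(s)"
fix_key_perms "$demo_home"
strictmodes_check "$demo_home" "$(id -un)" && echo "after fix: sshd would accept the key"
rm -rf "$demo_home"
```

Run `strictmodes_check /home/alice alice` on the server when a key that was just copied with ssh-copy-id is not accepted; sshd performs the same walk for every directory between the key file and the home directory, so a loose mode on the home directory itself is enough to disable key login.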

Protect SSH using third-party software like Fail2Ban or SSHGuard

In addition to sshd hardening, it is possible to install a third-party application that monitors SSH connection attempts and blocks brute force attacks.
Fail2Ban is the best known, and installation tutorials for it are easy to find online.

SSHGuard is a very useful monitoring tool for preventing brute force attacks. SSHGuard reads log messages from standard input and identifies malicious activity. If an attack is detected, the attacking IP address is immediately blocked in the firewall.
SSHGuard can also protect many other services out of the box, such as:

  • SSH
  • Sendmail
  • Exim
  • dovecot
  • Cucipop
  • UWimap (imap, pop)
  • ftpd (vsftp, proftpd, pure-ftpd, FreeBSD ftpd)

SSHGuard is distributed under the permissive BSD license: you can use, modify and redistribute the software, at your own risk, for any purpose, including commercial use.

Run the following commands in a terminal to install SSHGuard.
On Ubuntu and Debian systems (the package name is lowercase):

sudo apt-get install sshguard

On CentOS and RHEL systems, install the third-party repository package, then install SSHGuard from it:

wget http://sourceforge.net/projects/flexbox/files/flexbox-release-1-1.noarch.rpm
rpm -ivh flexbox-release-1-1.noarch.rpm
yum repolist && yum install sshguard

To configure SSHGuard with iptables (netfilter), create a new chain into which SSHGuard inserts its blocking rules. The chain must be named sshguard, in lowercase, because that is the name SSHGuard's iptables backend uses:

iptables -N sshguard   # for IPv4
ip6tables -N sshguard  # for IPv6

Now update the INPUT chain so that it also passes traffic to the sshguard chain at the very end of its processing. List in --destination-ports all the ports of the services SSHGuard protects.
Note that if you want to block all traffic from attackers, not only the protected services, leave the multiport option out completely:

# block any traffic from abusers
iptables -A INPUT -j sshguard
ip6tables -A INPUT -j sshguard

# or block abusers only for the SSH, FTP, POP and IMAP services (uses the "multiport" module)
iptables -A INPUT -m multiport -p tcp --destination-ports 21,22,110,143 -j sshguard
ip6tables -A INPUT -m multiport -p tcp --destination-ports 21,22,110,143 -j sshguard
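To make concrete what a log-watching blocker does between reading log lines and filling that chain, here is an added example written for this post. It is not SSHGuard's or Fail2Ban's code: it counts OpenSSH "Failed password" lines per source address over constructed auth.log lines, reports the addresses at or above a threshold, and prints (does not execute) the rules an enforcement step would add to the chain. The log lines, addresses and the threshold are all constructed; real tools additionally use a time window and expire blocks, which this example omits.

```shell
#!/bin/sh
# Added example (not from the original post, not sshguard's code): the core of a
# log-based brute force blocker. Assumes OpenSSH's syslog format
# "... sshd[PID]: Failed password for [invalid user] NAME from IP port N ssh2".

# Constructed sample log (not captured from a real server).
SAMPLE_LOG='Mar 10 10:01:02 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 50123 ssh2
Mar 10 10:01:04 host sshd[1203]: Failed password for root from 203.0.113.7 port 50130 ssh2
Mar 10 10:01:05 host sshd[1205]: Failed password for invalid user test from 203.0.113.7 port 50141 ssh2
Mar 10 10:01:09 host sshd[1207]: Accepted publickey for alice from 192.0.2.10 port 40222 ssh2: ED25519 SHA256:placeholder
Mar 10 10:01:15 host sshd[1210]: Failed password for alice from 192.0.2.10 port 40230 ssh2
Mar 10 10:01:20 host sshd[1212]: Failed password for invalid user oracle from 203.0.113.7 port 50150 ssh2'

# abusers LIMIT < log  -> prints "IP COUNT" for every source with >= LIMIT failures.
# Only sshd "Failed password" lines count; accepted logins and other daemons are ignored.
abusers() {
    awk -v limit="$1" '
        / sshd\[[0-9]+\]: Failed password for / {
            # the source address is the field after the word "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= limit) print ip, fails[ip] }
    ' | sort
}

# block_rules CHAIN < "IP COUNT" lines -> prints the iptables commands an
# enforcement step would run against the chain created above. Printed only, so
# the example can be inspected before anything touches a live firewall.
block_rules() {
    while read -r ip count; do
        printf 'iptables -I %s -s %s -j DROP # %s failures\n' "$1" "$ip" "$count"
    done
}

# Demo: three or more failures from one address within the sample marks it.
printf '%s\n' "$SAMPLE_LOG" | abusers 3 | block_rules sshguard
```

On a live system the same pipeline would read `tail -F /var/log/auth.log` (or `journalctl -f -u ssh`) and the block step would execute the rules instead of printing them; SSHGuard also removes the rule again after a cooling-off period, which is why a dedicated chain is used rather than editing INPUT directly.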
