OpenSSH Server Best Security Practices

OpenSSH is the standard SSH client and server. It is the recommended way to log in remotely, transfer files with SCP or SFTP, and much more. SSH preserves the confidentiality and integrity of data exchanged between two systems or networks: OpenSSH encrypts all traffic, passwords included, which effectively eliminates eavesdropping and connection-hijacking attacks. In other words, OpenSSH secures the connection.



This article provides a few tips for configuring your SSH server securely.

OpenSSH Security Files and SSH Port

/etc/ssh/sshd_config – OpenSSH server configuration file.
/etc/ssh/ssh_config – OpenSSH client configuration file.
~/.ssh/ – The user's SSH configuration directory.
~/.ssh/authorized_keys – Lists the public keys (RSA or DSA) that can be used to log into the user's account.
/etc/nologin – If this file exists, sshd refuses to let anyone except root log in.
/etc/hosts.allow and /etc/hosts.deny – Access control lists enforced by tcp-wrappers are defined here.
SSH default port – TCP 22

1: Only Use SSH Protocol 2

SSH has two protocol versions: the old protocol 1, which is insecure, and the newer protocol 2. SSH protocol version 1 is obsolete and should be avoided at all costs.

Protocol 2

2: Limit Users and Group SSH Access

You can configure SSH to permit only certain users or groups to log in. By default, every user and group can log in with a password or public key. For a secure SSH server, state exactly which users or groups may connect. This adds another layer of security.

Allow users and groups through the SSHD configuration file:

AllowUsers root dennis
AllowGroups sshgroup

Or deny users and groups through the SSHD configuration file:

DenyUsers kapil suresh
DenyGroups sshgroup

3: Configure Idle Log Out Timeout Interval

Users can log in to the server via SSH, and you can set an idle timeout interval to avoid unattended SSH sessions. ClientAliveInterval sets a timeout in seconds after which, if no data has been received from the client, sshd sends a keepalive request; ClientAliveCountMax sets how many such requests may go unanswered before the session is dropped. Note that on OpenSSH 8.2 and later a ClientAliveCountMax of 0 disables the disconnection entirely, so use a value of 1 or higher on those versions.

ClientAliveInterval 300
ClientAliveCountMax 0

4: Disable .rhosts Files

This setting specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication. Update the SSHD configuration file:

IgnoreRhosts yes

5: Disable Host-Based Authentication

This option is similar to RhostsRSAAuthentication and applies to protocol version 2 only. The default is “no”.

HostbasedAuthentication no

6: Disable root Login via SSH

There is no need to allow direct login as root. Normal users should first access the server and then use su or sudo to gain root privileges. To disable root login, update the entry below in the SSHD configuration file.

PermitRootLogin no

7: Enable a Warning Banner

The contents of the specified file are sent to the remote user before authentication is allowed. It is also important to set a warning banner.

Banner /etc/techoism.txt

Sample Content:

####################################################################################################################
#                                           Welcome to Techoism Server                                             # 
#                                   All connections are monitored and recorded                                     #
#                             Disconnect IMMEDIATELY if you are not an authorized user!                            #
####################################################################################################################

8: Limit SSH Access by IP Address via IPtables

You need to firewall SSH port 22 by updating your iptables or pf firewall configuration. Usually, the OpenSSH server should only accept connections from your LAN or from specific remote WAN sites.

First block all the SSH connection.

# iptables -I INPUT -p tcp -m tcp --dport 22 -j REJECT

Now insert the allow rules ahead of the reject rule (rule position 1 of the INPUT chain) so that they are evaluated first. SSH runs over TCP, so the rules match -p tcp.

# iptables -I INPUT 1 -p tcp -s 192.168.15.0/24 --dport 22 -j ACCEPT
# iptables -I INPUT 1 -p tcp -s 172.16.5.0/24 --dport 22 -j ACCEPT

9: Change SSH Port

By default SSH listens on port 22. We need to change the SSH port number to secure the connection.

Port 3527

10: Limit IP Binding

ListenAddress specifies the local addresses sshd should listen on. By default, it listens on all local addresses. Multiple addresses can be defined as well.

ListenAddress 10.230.5.6
ListenAddress 10.200.5.6

11: Use Public Key Based Authentication

Rather than using a normal password-based login, a better way is to use public key authentication. Keys are considered substantially more secure. Disable PasswordAuthentication to force users to use a key.

PubkeyAuthentication yes
PasswordAuthentication no

12: Use Keychain Based Authentication

OpenSSH offers RSA and DSA key authentication to remote systems without entering a password. keychain is a bash script designed to make key-based authentication more convenient by managing ssh-agent, so passphrase-protected keys can be used without retyping the passphrase for every connection.

See the keychain documentation for how to set up and use the software.

13: SSHD Chroot Jail

By default, users can access all the server directories such as /etc, /bin, /sbin and so on. You can protect your SSH server with a chroot jail. This feature is built into recent versions of OpenSSH (the ChrootDirectory directive), so no third-party tool is needed to restrict the user's access.

Refer to the article on configuring a chroot jail for SSH access for the setup steps.

14: Disable Empty Passwords

If you keep password authentication enabled, update the SSHD configuration file so that the server refuses logins to accounts with empty password strings. The default is "no".

PermitEmptyPasswords no

15: Use Log Analyzer

LogLevel sets the verbosity used when sshd logs messages, so that a log analyzer has useful data to work with. The possible values are: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. The default is INFO.

LogLevel INFO
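As an added example (not part of the original article), the following Python script audits an sshd_config against the directives from the sections above, honouring sshd's first-occurrence-wins rule and skipping conditional Match blocks. The sample configuration it checks is constructed for the demonstration, not taken from a real server.

```python
import re

# Expected values for the directives in sections 1, 4, 5, 6, 11, 14 and 15.
EXPECTED = {"protocol": "2", "permitrootlogin": "no", "ignorerhosts": "yes",
            "hostbasedauthentication": "no", "pubkeyauthentication": "yes",
            "passwordauthentication": "no", "permitemptypasswords": "no",
            "loglevel": "INFO"}
_DIRECTIVE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")  # "Key value" or "Key=value"

def parse_sshd_config(text):
    """Return {keyword: value} for the global section, keywords lower-cased.
    sshd honours the FIRST occurrence of a keyword, so duplicates are ignored;
    directives inside a Match block are skipped (they apply conditionally)."""
    settings, in_match = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # blank or comment line
            continue
        m = _DIRECTIVE.match(line)
        key, value = (m.group(1), m.group(2).strip()) if m else (line, "")
        if key.lower() == "match":
            in_match = True
        elif not in_match:
            settings.setdefault(key.lower(), value)
    return settings

def audit_sshd_config(text):
    """Return a list of findings; an empty list means every check passed."""
    cfg = parse_sshd_config(text)
    findings = [f"{k}: is '{cfg[k]}', want '{v}'" if k in cfg else f"{k}: not set (want {v})"
                for k, v in EXPECTED.items() if cfg.get(k, "").lower() != v.lower()]
    # Section 2: require an allow-list; root in AllowUsers contradicts PermitRootLogin no.
    if "allowusers" not in cfg and "allowgroups" not in cfg:
        findings.append("allowusers/allowgroups: no login restriction set")
    elif "root" in cfg.get("allowusers", "").split():
        findings.append("allowusers: lists root despite PermitRootLogin no")
    return findings

# Constructed sample (not a real server's config): the first
# PasswordAuthentication wins and the Match block does not count.
SAMPLE = """Protocol 2
Port = 3527
PermitRootLogin no
AllowUsers root dennis
PasswordAuthentication yes
PasswordAuthentication no
Match User backup
    PasswordAuthentication no
"""
```

Running audit_sshd_config(SAMPLE) reports the missing directives, the effective PasswordAuthentication yes, and the root entry in AllowUsers.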

I hope this article will help you to secure your server.

Enjoy it!
