Learn about Linux
Download Linux
Get Linux helpSpecial Offers
Feature: Security
Advanced SSH security tips and tricks
Share
Print
CommentsThe SSH server configuration file is located in /etc/ssh/sshd_conf. You need to restart the SSH service after every change you make to that file in order for changes to take effect.
Change SSH listening port
By default, SSH listens for connections on port 22. Attackers use port scanner software to see whether hosts are running an SSH service. It's wise to change the SSH port to a number higher than 1024 because most port scanners (including nmap) by default don't scan high ports.
Open the /etc/ssh/sshd_config file and look for the line that says:
Port 22
Change the port number and restart the SSH service:
/etc/init.d/ssh restart
Allow only SSH protocol 2
There are two versions of the SSH protocol. Using SSH protocol 2 only is much more secure; SSH protocol 1 is subject to security issues including man-in-the-middle and insertion attacks. Edit /etc/ssh/sshd_config and look for the line that says:
Protocol 2,1
Change the line so it says only protocol 2.
Allow only specific users to log in via SSH
You should not permit root logins via SSH, because this is a big and unnecessary security risk. If an attacker gains root login for your system, he can do more damage than if he gains normal user login. Configure SSH server so that root user is not allowed to log in. Find the line that says:
PermitRootLogin yes
Change yes to no and restart the service. You can then log in with any other defined user and switch to user root if you want to become a superuser.
It is wise to create a dummy local user with absolutely no rights on the system and use that user to login into SSH. That way no harm can be done if the user account is compromised. When creating this user, make sure it's in the wheel group, so that you can switch to superuser.
If you would like to have a list of users who are the only ones able to log in via SSH, you can specify them in the sshd_config file. For example, let's say I want to allow users anze, dasa, and kimy to log in via SSH. At the end of sshd_config file I would add a line like this:
AllowUsers anze dasa kimy
Create a custom SSH banner
If you would like any user who connects to your SSH service to see a specific message, you can create a custom SSH banner. Simply create a text file (in my example in /etc/ssh-banner.txt) and put any kind of text message in it; for example:
*****************************************************************
*This is a private SSH service. You are not supposed to be here.*
*Please leave immediately. *
*****************************************************************
When done editing, save the file. In the sshd_conf file, find a line that says:
#Banner /etc/issue.net
Uncomment the line and change the path to your custom SSH banner text file.
Using DSA public key authentication
Instead of using login names and passwords for SSH authentication, you can use DSA public keys for authentication. Note that you can have both login names and DSA public key authentication enabled at the same time. Having a DSA public keys authentication enabled makes your system bulletproof against dictionary attacks, because you don't need a login name and password to log in into SSH service. Instead, you need a pair of DSA keys -- one public and one private. You keep the private key on your machine and copy the public key to the server. When you want to log in to an SSH session, the server checks the keys, and if they match, you are dropped into the shell. If the keys don't match, you are disconnected.
In this example the private machine (from which I will connect to the server) is station1 and the server machine is server1. On both machines I have the same home folder; this won't work if the home folders are different on client and server machine. First you need to create a pair of keys on your private machine with the command ~$ ssh-keygen -t dsa. You'll be prompted for a pass-phrase for your private key, but you can leave it blank because this is not a recommended method. A key pair is generated: your private key is located in ~/.ssh/id_dsa and your public key is located in .ssh/id_dsa.pub.
Next, copy the contents of ~/.ssh/id_dsa.pub to server1 into the ~/.ssh/authorized_keys file. The content of ~/.ssh/id_dsa.pub file should look something like this:
~$ cat .ssh/id_dsa.pub
ssh-dss AAAAB3NzaC1kc3MAAACBAM7K7vkK5C90RsvOhiHDUROvYbNgr7YEqtrdfFCUVwMWcJYDusNG
AIC0oZkBWLnmDu+y6ZOjNPOTtPnpEX0kRoH79maX8NZbBD4aUV91lbG7z604ZTdrLZVSFhCI/Fm4yROH
Ge0FO7FV4lGCUIlqa55+QP9Vvco7qyBdIpDuNV0LAAAAFQC/9ILjqII7nM7aKxIBPDrQwKNyPQAAAIEA
q+OJC8+OYIOeXcW8qcB6LDIBXJV0UT0rrUtFVo1BN39cAWz5puFe7eplmr6t7Ljl7JdkfEA5De0k3WDs
9/rD1tJ6UfqSRc2qPzbn0p0j89LPIjdMMSISQqaKO4m2fO2VJcgCWvsghIoD0AMRC7ngIe6btaNIhBbq
ri10RGL5gh4AAACAJj1/rV7iktOYuVyqV3BAz3JHoaf+H/dUDtX+wuTuJpl+tfDf61rbWOqrARuHFRF0
Tu/Rx4oOZzadLQovafqrDnU/No0Zge+WVXdd4ol1YmUlRkqp8vc20ws5mLVP34fST1amc0YNeBp28EQi
0xPEFUD0IXzZtXtHVLziA1/NuzY= anze@station1.example.com
If the file ~/.ssh/authorized_keys already exists, append the contents of the file ~/.ssh/id_dsa.pub to the file ~/.ssh/authorized_keys on server1. The only thing left to do is to set the correct permissions of ~/.ssh/authorized_keys file on server1:
~$ chmod 600 ~/.ssh/authorized_keys
Now, configure the sshd_conf file to use the DSA keys authentication. Make sure you have the following three lines uncommented:
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys
Restart the service. If you configured everything correctly, you should now be able to SSH to your server and fall directly into your home folder without any interaction.
If you would like to use DSA authentication only, make sure you uncomment and change the PasswordAuthentication line in sshd_config from yes to no:
PasswordAuthentication no
If anyone tries to connect to your SSH service and doesn't have a public key on the server, he will be rejected without even seeing the login prompt with this error:
Permission denied (publickey).
Using TCP wrappers to allow only specific hosts to connect
This approach is useful if you would like to allow only specific hosts on a network to be able to connect to your SSH service, but you don't want to use or mess up your iptables configuration. Instead, you can use TCP wrappers; in this case the sshd TCP wrapper. I will make a rule to allow only hosts on my local subnet 192.168.1.0/24 and remote host 193.180.177.13 to connect to my SSH service.
By default TCP wrappers first look in the /etc/hosts.deny file to see what hosts are denied for what service. Next, TCP wrapper looks in /etc/hosts.allow file to see if there are any rules that would allow hosts to connect to a specific service. I'll create a rule like this in /etc/hosts.deny:
sshd: ALL
This means that by default all hosts are forbidden to access the SSH service. This needs to be here, otherwise all hosts would have access to the SSH service, since TCP wrappers first looks into hosts.deny file and if there is no rule regarding blocking SSH service, any host can connect.
Next, create a rule in /etc/hosts.allow to allow only specific hosts (as defined earlier) to use the SSH service:
sshd: 192.168.1 193.180.177.13
Now only hosts from the 192.168.1.0/24 network and the 193.180.177.13 host can access the SSH service. All other hosts are disconnected before they even get to the login prompt, and receive an error like this:
ssh_exchange_identification: Connection closed by remote host
Using iptables to allow only specific hosts to connect
An alternative to TCP wrappers (although you can use both at the same time) is limiting SSH access with iptables. Here's a simple example of how you can allow only a specific host to connect to your SSH service:
~# iptables -A INPUT -p tcp -m state --state NEW --source 193.180.177.13 --dport 22 -j ACCEPT
And make sure no one else has access to SSH service:
~# iptables -A INPUT -p tcp --dport 22 -j DROP
Save your new rules and you're all done.
SSH time-lock tricks
You can also use different iptables parameters to limit connections to the SSH service for specific time periods. You can use the /second, /minute, /hour, or /day switch in any of the following examples.
In the first example, if a user enters the wrong password, access to the SSH service is blocked for one minute, and the user gets only one login try per minute from that moment on:
~# iptables -A INPUT -p tcp -m state --syn --state NEW --dport 22 -m limit --limit 1/minute --limit-burst 1 -j ACCEPT
~# iptables -A INPUT -p tcp -m state --syn --state NEW --dport 22 -j DROP
In a second example, iptables are set to allow only host 193.180.177.13 to connect to the SSH service. After three failed login tries, iptables allows the host only one login try per minute:
~# iptables -A INPUT -p tcp -s 193.180.177.13 -m state --syn --state NEW --dport 22 -m limit --limit 1/minute --limit-burst 1 -j ACCEPT
~# iptables -A INPUT -p tcp -s 193.180.177.13 -m state --syn --state NEW --dport 22 -j DROP
Conclusion
These features are not hard to configure, but they are very powerful techniques for securing your SSH service. It's a small price to pay for a good night's sleep.
Comments
on Advanced SSH security tips and tricksNote: Comments are owned by the poster. We are not responsible for their content.
What about the 'tricks'? Haven't seen any. Does anyone actually check the articles before they're published? If you wan't to write an article on advanced features of SSH write about using it with kerberos or keys on smartcards, and when you're refering to 'tricks' write about something that cannot be found on every second article about SSH or in the manual page itself.
Regards,
I strongly disagree on the root login. You shouldn't allow remote root logins at all.
If you don't have physical access to the hardware completely barring root access can be a problem, having key-only root access in case of emergency, and only in case of emergency, is justified... Just don't use the key for everyday's use, set a passphrase on the key and keep it in a secured place...
If scanner does not see it cracker does not know there is a ssh service. So how can cracker attack it if its not there in there eyes.
nmap can be ordered to scan all ports and can attempt to id service by response. So hiding high is not that effective.
~# iptables -A INPUT -p tcp -m state --syn --state NEW --dport 22 -m limit --limit 1/minute --limit-burst 1 -j ACCEPT
~# iptables -A INPUT -p tcp -m state --syn --state NEW --dport 22 -j DROP
In a second example, iptables are set to allow only host 193.180.177.13 to connect to the SSH service. After three failed login tries, iptables allows the host only one login try per minute:
~# iptables -A INPUT -p tcp -s 193.180.177.13 -m state --syn --state NEW --dport 22 -m limit --limit 1/minute --limit-burst 1 -j ACCEPT
~# iptables -A INPUT -p tcp -s 193.180.177.13 -m state --syn --state NEW --dport 22 -j DROP
The only difference between two sets of iptable commands is source ip address filtering.
So for the second set of filters the behviour should be the same as for the first one for connenctions comming from specified ip address
Now there's a 'trick' for you. Top of the list.
Soooo bloody original, I can't believe it.
New security architecture: Houses with no front door. Entrance on side. Burglars totally fooled.
Rightttttttt!
The rest of the article is as useless as the first bit.
Perhaps there could be some kind of QA filter? Maybe run this kind of crap past the people who actually wrote ssh/sshd.
But what the hell would they know?
If nothing else, it keeps these annoying monsters out of my logs.
So this will at least keep a lot of script kiddies out. People who are really determined will eventually find the port, but those who are really determined will give you a lot more than ssh to worry about.
This maybe a stupid newbie question, but if the attacker gets the low level user's password, isn't that all he needs to use sudo and do what he wants with root access? Please correct me if I'm wrong...
In this case you would be better to allow the remote login into an unprivileged user account which cannot use sudo. If the user needs to run system commands they can su into another account using that account's password before being able to issue root commands with sudo and using the same account password.
Best is a trap shell. Where you have to ssh on with some strange name for ssh. Then you need to know a user in the wheel group and where the internal ip link is. Yet at this point no tools to assist finding way out.
Wrong action in trap shell get loged out and ip blocked for so long.
Still making door disappear with port knocking is still a good idea. If cannot find door not a problem. Moving port does not hide door.
Still making door disappear with port knocking is still a good idea. If cannot find door not a problem. Moving port does not hide door.
No, but neither does port knocking. It can be brute forced the same way a weak password can, but worse, it can be sniffed (it's just like telnet: sending the password out in plaintext).
If you want to stop an attack, disable password login and crank up the public key length.
port knocking gets rid of most script kiddies. Even basic port knocking.
Depends defense depends on the type of port knocking. If its single packet encoded knock sniffing it does not help. Encoded in the packet has a Time, ID, port on target where encode packet was sent and IP of source all encrypted. Resending packet will not help attacker. Also encoded knocks can be sent to any port on the machine that is not open and still work. So port is selected basically by random generator across the complete port range other than selected do not use ports.
It can even be a wall knock. Its a variation on Encoded. You allocate like 100 or so ports for knocking. Each encoded packet is numbered as well as other required information. Then each packet is sent to random generated port to appear to be a rotating port. If someone trys a normal port knock brute force they only lock themself out. After login get a new set of random patterns. Getting past that is not exactly fun.
If I could work out how to limit users logins effectively based on encrypted knock it becomes a double door to beat. Need to know both the user and the knock that matches.
Yes, but single packet authentication is _not_ port knocking.
Single packet authentication or encrypted port knocking or encoded port knocking. Its still just a variation of port knocking. Note Single packet authentication is a strong form. Still is the same class of tech.
OpenSSH can do this all by itself, with more granularity, thanks to the recent "Match" directive.
For instance, here's how we achieve the same things you described on the article :
Match Address 192.168.1.*, 193.180.177.13
AllowUsers anze dasa kimy
By the way, some more options have security impact. Consider doing :
AddressFamily inet
AllowTcpForwarding no
MaxAuthTries 3
To restrict to IPv4 (and reject IPv6), deny tcp forwarding, and circumvent
brute force attacks.
Also, if you don't use PAM, consider using UsePrivilegeSeparation.
Both used as one is the best option. So that a flaw in sshd is not exposed to everyone.
SSH is not a public service on my PC. I'm the only one I want to access it. From this follows that there is no value to leaving it on the standard port. (I can remember the port it listens on.)
There *is* a small value to reducing the number of alerts in my logs.
The better hackers probably are using bots that do the scanning 24/7 and then return a list of potential targets to them. If I can keep myself off that list, then that's good.
--
Michael Shigorin
None of this is advanced, and none of this hasn't been published before. Come on... how many times do we have to hear the same thing (that's common sense, for crying out loud).
No one should be using protocol 1 unless they absolutely have to. No one should be using passwords with the root account (turn it off or use without-password which is great for rsync over ssh to do privileged backups). This article doesn't even go into the ~/.ssh/authorized_keys file and how you can use the command directive to restrict actions!
If you want something "advanced", check out <a href="http://linsec.ca/Optimizing_OpenSSH" title="linsec.ca">linsec.ca</a linsec.ca>'s ssh article. It's a little old, and could use some updating for things like the new Match directive and stuff, but it's far more advanced than this drivel.
If I was linux.com, I'd be embarrassed to put this one up.
However, it was called "Advanced SSH security tips and tricks."
What most every poster so far has been under the impression is that this being Linux.com, a publisher of usually not so crappy articles, posting "Advanced SSH security tips and tricks" would produce some sort of useful - new information.
While I don't think the grandparent post's wording was as nice as it could have been, I certainly agree.
If you lie to the FOSS community in any way, in this case by mislabeling the article, you will face retaliation in some form.
Hope that clears things up.
this is standard - for advance use try pam_tally
Posted by: Anonymous Coward on April 02, 2007 04:12 PM<a href="http://www.administrator.de/Kurzanleitung_(HowTo)_zur_Konfiguration_des_Linux_PAM_Moduls_pam_tally_am_Beispiel_des_SSH_Daemons.html" title="administrator.de">http://www.administrator.de/Kurzanleitung_(HowTo)<nobr>_<wbr></nobr> zur_Konfiguration_des_Linux_PAM_Moduls_pam_tally_<nobr>a<wbr></nobr> m_Beispiel_des_SSH_Daemons.html</a administrator.de>
<a href="http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-pam_tally.html" title="kernel.org">http://www.kernel.org/pub/linux/libs/pam/Linux-PA<nobr>M<wbr></nobr> -html/sag-pam_tally.html</a kernel.org>
<a href="http://ejohansson.se/articles/system-administration/rdiff-backup/" title="ejohansson.se">http://ejohansson.se/articles/system-administrati<nobr>o<wbr></nobr> n/rdiff-backup/</a ejohansson.se>
This example is for allowing root running a backup on a workstation to safely login to a backup server.
Here's what counts from the article:
* Pubkey authentication only (disable other authentication).
* Disable protocol 1.
* Disallow root login.
* Enable firewall rules that allow only subnets that need access. Deny everything else.
You should not permit root logins via SSH, because this is a big and unnecessary security risk.
Why ? How is it a risk ? The SSHv2 protocol is believed to be impervious to snooping, and if you already allow only key-based authentication, then you are as close as you can get to a system where credentials cannot brute-forced. What does disallowing root login give you above that ?
Don't tell me that people should not login as root as a matter of policy. If a user can use su, or sudo -s, or sudo su, then that user is effectively root, and locking the root account in SSH does not help a single bit in this regard.
If your key is compromised (stolen laptop is just one example) potential damage is limited. If you take the suggestion in TFA, and use your key to log into an account which can only be used to su, then your compromised key can cause remarkably little damage, and you can change your key at the next opportunity instead of crapping your pants.
doc
And, personally, I would not trust a system which have had a sensitive account compromised anymore than one that had the root account compromised.
- hacker would have to break a non-root account first
- then try to break root password
- only certain users are usually allowed to su to root and so, the hacker has more work to do.
So, there IS more security with disabling root access via SSH eventhough SU is allowed for some users. Arguemtns about how much more secure it is, are irrelevant. Questioning policies regarding root access that were placed to increase the security even by the slightest amount is also irrelevant as long as the additional security is more than zero.
Of course it is convenient for me to log into my own system remotely with direct root access, but not every deployment is the same. When I have to remote login to some customer network for troubleshooting, I ask them by phone
- enable ssh for a specific period of time for just one user (which changes all the time)
- enable su to root for that account
SSH user-access is disabled after the maintenance window. Sometimes the customer completely shuts down the SSH port.
There was another poster about IPtables vs SSH. IPtables works at the kernel level. SSH works at process level. If your system can discard packets at the kernel, that is what it must do. Discarding packets at process level is the same, but it is just unnecessary overhead.
make it so that you're not under constant attack.
The only thing which really saves you from being hacked is strong passwords and a secure protocol.
I opened up port 22 and my logs filled with junk, but I never felt that those script kiddies were any closer to getting in.
The problem is that I like to read<nobr> <wbr></nobr>/var/log/secure
The module called "recent", on the other hand, stores the source IP, so someone else can't (without a lot more sophisticated spoofing) DOS a legitimate user. Plus using "seconds" places an upper limit on how long you must be "quiet" in order to regain access, regardless of how much you hammered it earlier.
"-j REJECT --reject-with tcp-reset" not "-j DROP"
Posted by: Anonymous Coward on May 06, 2007 02:16 AMIf you want the second connection to truly fail, use:
iptables -A INPUT -p tcp -m state --syn --state NEW --dport 22 -j REJECT --reject-with tcp-reset
- "RSAAuthentication yes" is not needed for a Protocol 2 only server, since it's a Protocol 1 setting.
- Firewalling your SSHd like in the mentioned iptables settings will open a huge hole for DOS attacks.
how to give permission only for a specific Mack or Hardware adress
Posted by: Anonymous [ip: 59.162.2.139] on August 24, 2007 01:13 PMHow to give permission to that user access the server by ssh. How to setup the Mack or Hardware address of ethernet card of that user's computer.
Regards,
Navij
Advanced SSH security tips and tricks
Posted by: Anonymous [ip: 222.253.81.54] on October 04, 2007 05:34 AMAdvanced SSH security tips and tricks
Posted by: Anonymous [ip: 222.253.81.54] on October 04, 2007 05:40 AMnpkinh
How many SSH/SFTP sessions created at the same time?
Posted by: Anonymous [ip: 222.253.81.53] on October 04, 2007 05:43 AMnpkinh
Root
Posted by: Anonymous Coward on March 30, 2007 06:07 PM#