Given some of the code examples illustrated earlier, many experienced systems administrators are understandably nervous about the security implications of SSH usage and its functions. Although much has been said and written about the various approaches to SSH security and remote-host security in general, here is a list of processes and configurations you can use to tighten and enhance SSH security for remote host access:
- Restrict the root account to console access only:

    # vi /etc/ssh/sshd_config
    PermitRootLogin no
- Create public/private key pairs with a strong passphrase protecting the private key (never generate a passphrase-less key pair, since that gives anyone holding the key file a password-less login):

    # ssh-keygen -t rsa -b 4096    (use a longer key length for more security)
- Configure TCP wrappers to allow only selected remote hosts and deny undesirable hosts:

    # vi /etc/hosts.deny
    ALL: 192.168.200.09    # IP address of badguy
- On workstations or laptops, disable the SSH server by turning off the SSH service and then removing the SSH server package:

    # chkconfig sshd off
    # yum erase openssh-server
- Restrict SSH access by controlling user access:

    # vi /etc/ssh/sshd_config
    AllowUsers fsmythe bnice swilson
    DenyUsers jhacker joebadguy jripper
- Only use SSH protocol 2:

    # vi /etc/ssh/sshd_config
    Protocol 2
- Don't allow idle sessions; configure the idle logout timeout interval:

    # vi /etc/ssh/sshd_config
    ClientAliveInterval 600    # set to 600 seconds = 10 minutes
    ClientAliveCountMax 0
- Disable host-based authentication:

    # vi /etc/ssh/sshd_config
    HostbasedAuthentication no

- Disable users' .rhosts files:

    # vi /etc/ssh/sshd_config
    IgnoreRhosts yes
- Configure firewalls to accept SSH connections only from known network segments. Update /etc/sysconfig/iptables (a Red Hat-specific file) to accept connections only from 192.168.100.0/24 and 209.64.100.5/27:

    -A RH-FW-1-INPUT -s 192.168.100.0/24 -m state --state NEW -p tcp --dport 22 -j ACCEPT
    -A RH-FW-1-INPUT -s 209.64.100.5/27 -m state --state NEW -p tcp --dport 22 -j ACCEPT
- Restrict the interfaces that SSH listens on and binds to:

    # vi /etc/ssh/sshd_config
    ListenAddress 192.168.100.17
    ListenAddress 209.64.100.15
- Set a user policy that enforces strong passwords to protect against brute-force, social engineering, and dictionary attacks. For example, generate a random 8-character password:

    # < /dev/urandom tr -dc A-Za-z0-9_ | head -c8
    oP0FNAUt
- Confine SFTP users to their own home directories by using chroot SSHD:

    # vi /etc/ssh/sshd_config
    ChrootDirectory /data01/home/%u
    X11Forwarding no
    AllowTcpForwarding no

- Disable empty passwords:

    # vi /etc/ssh/sshd_config
    PermitEmptyPasswords no
- Rate-limit the number of incoming port 2022 connections within a specified time (Red Hat iptables example; update /etc/sysconfig/iptables):

    -A INPUT -i eth0 -p tcp --dport 2022 -m state --state NEW -m limit --limit 3/min --limit-burst 3 -j ACCEPT
    -A INPUT -i eth0 -p tcp --dport 2022 -m state --state ESTABLISHED -j ACCEPT
    -A OUTPUT -o eth0 -p tcp --sport 2022 -m state --state ESTABLISHED -j ACCEPT

- Configure iptables to allow only three connection attempts on port 2022 within 30 seconds (Red Hat iptables example; update /etc/sysconfig/iptables):

    -I INPUT -p tcp --dport 2022 -i eth0 -m state --state NEW -m recent --set
    -I INPUT -p tcp --dport 2022 -i eth0 -m state --state NEW -m recent --update --seconds 30 --hitcount 3 -j DR
- Use a log analyzer such as logcheck, loggrep, Splunk, or logwatch to better understand the logs and create logging reports. Also increase logging verbosity within the SSH application itself. To install the logwatch package on Red Hat Linux:

    # yum install logwatch

- Configure an increase in SSH logging verbosity:

    # vi /etc/ssh/sshd_config
    LogLevel DEBUG
- Always keep the SSH packages and required libraries up to date with patches:

    # yum update openssh-server openssh openssh-clients -y
- Conceal the OpenSSH version string (this requires the OpenSSH source code and a recompile). Then make the following updates:

    # vi /etc/ssh/sshd_config
    VerifyReverseMapping yes     # Turn on reverse name checking
    UsePrivilegeSeparation yes   # Turn on privilege separation
    StrictModes yes              # Prevent the use of insecure home directory
                                 # and key file permissions
    AllowTcpForwarding no        # Turn off, if at all possible
    X11Forwarding no             # Turn off, if at all possible
    PasswordAuthentication no    # Specifies whether password authentication is
                                 # allowed. The default is yes. Users must have
                                 # another authentication method available.
- Delete the rlogin and rsh binaries from the system and replace them with a symlink to SSH:

    # find /usr -name rsh
    /usr/bin/rsh
    # rm -f /usr/bin/rsh
    # ln -s /usr/bin/ssh /usr/bin/rsh
SSH supports numerous authentication methods and techniques that you can enable or disable. Within the /etc/ssh/sshd_config file, you make these configuration changes by entering the keyword for the authentication method followed by yes or no. Here are some of the common settings:

    # RSAAuthentication yes
    # PubkeyAuthentication yes
    # RhostsRSAAuthentication no
    # HostbasedAuthentication no
    # RhostsRSAAuthentication and HostbasedAuthentication
    PasswordAuthentication yes
    ChallengeResponseAuthentication no
    # KerberosAuthentication no
    GSSAPIAuthentication yes
The keywords AllowedAuthentications and RequiredAuthentications within the sshd_config file dictate which authentication methods are used with SSH protocol 2 only. The syntax to allow password and public key authentication is as follows:

    # vi /etc/ssh/sshd_config
    AllowedAuthentications publickey, password
    RequiredAuthentications publickey, password
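As an added example (not from the original article), here is a small POSIX shell audit that checks an sshd_config file for the hardening keywords listed above, honouring two sshd parsing rules that often catch people out: the first occurrence of a keyword wins, and keywords below a Match line apply only to matching connections. The function names and the sample configuration are constructed for this example and are not from any real host.

```shell
# Audit an sshd_config against the hardening settings listed above.
# sshd_config_value FILE KEYWORD
# Prints the effective global value of KEYWORD (case-insensitive), empty if unset.
# sshd uses the FIRST occurrence of a keyword, so a hardened line appended at the
# end of the file is silently ignored if the keyword was already set above it.
sshd_config_value() {
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    NF == 0 || $1 ~ /^#/ { next }                        # skip blanks, comments
    tolower($1) == "match" { exit }                      # below Match: conditional
    tolower($1) == key && !found { val = $2; found = 1 } # first occurrence wins
    END { print val }
  ' "$1"
}
# audit_sshd_config FILE
# Prints one "FAIL keyword: got X, want Y" line per setting that differs from
# the hardened value recommended in the list above.
audit_sshd_config() {
  for pair in PermitRootLogin=no Protocol=2 HostbasedAuthentication=no \
      IgnoreRhosts=yes PermitEmptyPasswords=no X11Forwarding=no \
      AllowTcpForwarding=no PasswordAuthentication=no ClientAliveCountMax=0; do
    key=${pair%%=*}; want=${pair#*=}
    got=$(sshd_config_value "$1" "$key" | tr 'A-Z' 'a-z')
    [ "$got" = "$want" ] || echo "FAIL $key: got '${got:-<unset>}', want '$want'"
  done
}
# write_sample_config: writes a constructed sshd_config (not from any real host)
# to a temp file and prints its path.
write_sample_config() {
  f=$(mktemp) || return 1
  cat > "$f" <<'EOF'
Protocol 2
PermitRootLogin yes
# the next line is too late: the first PermitRootLogin line above wins
PermitRootLogin no
PasswordAuthentication yes
   PermitEmptyPasswords no
IgnoreRhosts yes
HostbasedAuthentication no
AllowTcpForwarding no
X11Forwarding yes
Match User sftpuser
    X11Forwarding no
EOF
  echo "$f"
}
# Stand-alone run: audit the constructed sample, then clean up.
sample=$(write_sample_config)
audit_sshd_config "$sample"
rm -f "$sample"
```

On a live host, point audit_sshd_config at /etc/ssh/sshd_config; any FAIL line names a keyword whose effective global value differs from the hardened setting.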