How to Secure SSH Connection on Linux
Why We Should Mitigate SSH Based Attack
SSH (Secure Shell) is the most widely used remote-access protocol. It provides an encrypted channel for logging in and running commands on remote systems over untrusted networks, which is why it replaced Telnet. A default SSH installation still has weaknesses, though: it listens on a well-known port, accepts password logins for every local account including root, and allows an unlimited number of guesses. The hardening tips below remove or mitigate those weaknesses and turn your SSH server into a much harder target.
Best SSH Hardening Tips
In the next few minutes we will review the 11 best SSH hardening tips. Each one is a shield against a class of SSH-based attack. Most of the tips are sshd configuration changes; a few differ between Linux distributions, so check your distribution's documentation as well. Windows 10 and Windows Server 2019 also ship an OpenSSH server (Win32-OpenSSH) as an optional feature, so consult the Microsoft documentation if you run it there.
Validate the configuration with "sshd -t" (it prints nothing when the file is correct; "sshd -T" dumps the effective settings) and restart the SSH daemon after applying changes, for example with "systemctl restart sshd" (the unit is called "ssh" on Debian and Ubuntu). Keep your current session open and confirm a fresh login from a second terminal before closing it, so a mistake cannot lock you out.
1. Custom SSH Port
The SSH server listens on port 22 by default, so mass scanners and brute-force bots hit port 22 first. Moving SSH to another port does not stop a targeted attacker (a port scan finds it in seconds), but it removes most of the automated noise from your logs. To change the port on Linux, edit the main SSH server configuration file:
vi /etc/ssh/sshd_config
Search for "Port", uncomment the line if needed and set the new port, for example "Port 999" (the examples in this article use 999). Make sure no other service already listens on the new port (check with "ss -ltnp"), otherwise sshd will not start. Also update your firewall rules for the new port, and on SELinux-enforcing systems such as RHEL, CentOS and Fedora register the port in the policy first (with semanage port, type ssh_port_t), or sshd will be denied permission to bind to it.
2. TCP Wrappers
TCP wrappers let you keep an access list of hosts that may reach services built against libwrap. Note that OpenSSH dropped libwrap support in version 6.7 (2014), so on a current distribution sshd may ignore these files entirely; check whether the sshd binary is linked against libwrap (with ldd) before you rely on this, and use the firewall in the next tip if it is not. Where it is supported, put the hosts that may reach the SSH server into the configuration file below:
/etc/hosts.allow
Here is an example; replace the IP address with your trusted client and add the line in this pattern to the file above. Pair it with "sshd : ALL" in /etc/hosts.deny, otherwise the allow list permits the listed hosts without denying anyone else:
sshd : 192.168.1.1
3. Filter SSH Connection on Firewall
Open the SSH port only for trusted clients. This can be done with the OS firewall or a third-party firewall on the host, and it is recommended to filter in several layers (host firewall plus network firewall). On most Linux distributions you can filter SSH connections with iptables. Here is an example:
iptables -A INPUT -p tcp -s 192.168.1.1 -m tcp --dport 999 -j ACCEPT
Replace the IP address and port number with your trusted client's address and your SSH server port. An ACCEPT rule on its own changes nothing: the chain also needs a rule that drops other traffic to that port (or a default DROP policy), and ESTABLISHED connections must be accepted earlier in the chain or your existing session will stall. Save the rules (iptables-save, or your distribution's persistence package) so they survive a reboot.
Alternatively, you can manage the host firewall with "ConfigServer Security & Firewall (csf)":
https://www.configserver.com/cp/csf.html
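Here is the firewall rule above extended into a complete ruleset, as an added example; it is not part of the original article. It prints an iptables-restore file for the filter table: accept replies to existing connections first (so the session you are working in survives), accept new SSH connections only from the listed addresses, log a rate-limited sample of everything else aimed at the SSH port, and drop it. Port 999 and the 192.168.1.x clients are placeholders, and the address check accepts plain IPv4 addresses only, not CIDR ranges.

```shell
#!/bin/sh
# Added example (not from the original article): build an iptables-restore
# ruleset that allows SSH only from trusted addresses and drops the rest.
# Assumptions: iptables with the conntrack and limit match modules. No chain
# policy line is emitted, so loading with "iptables-restore --noflush" only
# appends to INPUT. Port and addresses used below are placeholders.

# valid_ipv4 ADDR: true if ADDR is a dotted quad with each octet 0-255.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1 }
    '
}

# ssh_allowlist_rules PORT IP [IP...]: print the ruleset on stdout.
# Returns 1 and prints nothing if the port or any address is malformed,
# so a typo cannot produce a half-written ruleset.
ssh_allowlist_rules() {
    port=$1; shift
    case $port in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    [ "$#" -ge 1 ] || return 1
    for ip in "$@"; do
        valid_ipv4 "$ip" || return 1
    done
    cat <<EOF
*filter
# replies to connections the host already has (keeps your current session alive)
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
    for ip in "$@"; do
        echo "-A INPUT -p tcp --dport $port -s $ip -m conntrack --ctstate NEW -j ACCEPT"
    done
    cat <<EOF
# everything else aimed at the SSH port: log a sample, then drop
-A INPUT -p tcp --dport $port -m limit --limit 5/min -j LOG --log-prefix "SSH-DENIED: "
-A INPUT -p tcp --dport $port -j DROP
COMMIT
EOF
}

# Demonstration with placeholder values: print the ruleset for review.
ssh_allowlist_rules 999 192.168.1.1 192.168.1.2
```

Review the output, then load it as root with "ssh_allowlist_rules 999 192.168.1.1 | iptables-restore --noflush" so existing rules for other services are kept. Rules are evaluated in order, so an earlier catch-all ACCEPT in the INPUT chain (check with "iptables -S INPUT") would shadow the DROP; persist the result with iptables-save or your distribution's iptables-persistent/iptables-services package.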
4. Disable Root Login
The root user is the default administrator on most Linux distributions and can do anything, so root is the account every attacker tries first. While root login over SSH is allowed, attackers can make thousands of password guesses against the one account that unlocks everything, so disabling it is a good idea. If you have not disabled it yet, look in the authentication log (on Debian and Ubuntu the equivalent file is /var/log/auth.log) and you will find a huge number of attempts:
/var/log/secure
Find the line below in /etc/ssh/sshd_config and set its value to "no". OpenSSH 7.0 and later also accept "prohibit-password", which refuses root passwords but still allows key-based root login for automation that needs it:
PermitRootLogin no
Instead of, or in addition to, disabling root login, you can restrict which users may log in at all, and from which addresses. AllowUsers is an allow list: once it is present, every account not listed is refused. Add it to the SSH server configuration file:
AllowUsers dave@192.168.1.1 root@192.168.1.1
In the example above, dave and root can log in over SSH only from 192.168.1.1; every other user, and those two users from any other address, is denied.
5. Idle Timeout Interval
You should control open SSH sessions, because not every attacker is outside your organization: an unattended, still-authenticated terminal is an open door. An idle session should be closed after a period of time.
ClientAliveInterval sends a keepalive request to the client every N seconds, and ClientAliveCountMax is how many unanswered requests sshd tolerates before it drops the connection. Together they reap dead or unreachable clients (240 seconds x 2, about 8 minutes, in this example):
ClientAliveInterval 240
ClientAliveCountMax 2
Note that a healthy ssh client answers these requests automatically even when the user has walked away, so this does not log out an idle but connected user. For that, set a shell timeout such as TMOUT in the login shell as well.
6. Disable Empty Passwords
On Linux and Unix, the system allows administrators to create users with an empty password. That is a bad thing if you want to keep attackers out of your SSH servers: such an account can be entered by pressing Enter at the password prompt. Refuse remote logins for accounts with an empty password by setting the directive below in sshd_config. It is the OpenSSH default, but set it explicitly so a distribution default or a later edit cannot silently re-enable it:
PermitEmptyPasswords no
7. Block SSH Brute Force Attacks Automatically
The manual way is to parse the authentication log, see which addresses keep failing to log in, and block them in the host firewall. Several tools automate exactly that, among them fail2ban, sshguard and DenyHosts: they watch the log, ban a source after a configurable number of failures for a configurable time, and lift the ban later. Run one of them even if you also use an allow list, and put your own management addresses on its ignore list so a typo cannot ban you.
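The log-parsing and blocking step described above, as an added example that is not from the original article: it counts failed logins per source address in the standard OpenSSH log messages and prints (rather than runs) the iptables commands to block repeat offenders. The log lines are constructed for the example; the threshold, port and addresses are placeholders, while the "Failed password for ... from" and "Invalid user ... from" texts are the messages OpenSSH actually writes.

```shell
#!/bin/sh
# Added example (not from the original article): the log-parsing half of
# what fail2ban/sshguard automate. Counts failed SSH logins per source
# address in syslog-style auth logs (/var/log/secure or /var/log/auth.log)
# and emits the firewall commands to block repeat offenders.
# Assumptions: OpenSSH's standard "Failed password for ... from IP" and
# "Invalid user ... from IP" messages; the sample log below is constructed.

# failed_logins_by_ip THRESHOLD < logfile
# Prints "COUNT IP" for every source with at least THRESHOLD failures,
# most active first. Successful logins are never counted.
failed_logins_by_ip() {
    awk -v min="${1:-5}" '
        /sshd\[[0-9]+]: (Failed password for|Invalid user) / {
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            if (ip != "") count[ip]++
        }
        END { for (ip in count) if (count[ip] >= min) print count[ip], ip }
    ' | sort -rn
}

# ban_commands THRESHOLD [PORT] < logfile
# Turns the offender list into iptables commands (printed, not executed,
# so they can be reviewed; never ban your own management addresses).
ban_commands() {
    failed_logins_by_ip "$1" | while read -r count ip; do
        printf 'iptables -I INPUT -s %s -p tcp --dport %s -j DROP  # %s failures\n' \
            "$ip" "${2:-22}" "$count"
    done
}

# Constructed sample; addresses come from documentation ranges, not real hosts.
sample_auth_log() {
    cat <<'EOF'
Mar  3 10:01:12 web1 sshd[2231]: Failed password for root from 203.0.113.9 port 51234 ssh2
Mar  3 10:01:15 web1 sshd[2231]: Failed password for root from 203.0.113.9 port 51234 ssh2
Mar  3 10:01:18 web1 sshd[2233]: Invalid user admin from 203.0.113.9 port 51240
Mar  3 10:01:20 web1 sshd[2233]: Failed password for invalid user admin from 203.0.113.9 port 51240 ssh2
Mar  3 10:02:01 web1 sshd[2240]: Accepted publickey for dave from 192.168.1.1 port 60222 ssh2
Mar  3 10:02:30 web1 sshd[2244]: Failed password for dave from 198.51.100.4 port 40010 ssh2
Mar  3 10:03:05 web1 sshd[2250]: Failed password for root from 203.0.113.9 port 51300 ssh2
EOF
}

# Demonstration: three or more failures from one address on SSH port 999.
sample_auth_log | ban_commands 3 999
```

Against a live system run "failed_logins_by_ip 5 < /var/log/secure" (or /var/log/auth.log). This is a one-shot version of what fail2ban does continuously; fail2ban also unbans after a timeout, which this does not, so review the list before pasting the commands.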
8. Disable X11 Forwarding
If you are running a remote server, X11 (graphical display) forwarding makes little sense: you will be working in a text terminal anyway, so it is a capability that only adds attack surface.
To disable X11 forwarding, follow these steps:
nano -w /etc/ssh/sshd_config
Look for this variable:
X11Forwarding yes
Change it to be:
X11Forwarding no
Disabling X11 forwarding removes an attack surface. The X11 protocol was never built with security in mind: when forwarding is enabled, the remote host (or any process running there as your user) gets a channel back to the X server on the connecting client and can use it to capture keystrokes, read the screen or inject input on that machine. A compromised server should not get that channel.
9. Limit Max Authentication Attempts
Another good way to protect against brute-force attacks is to set a low limit on how many authentication attempts a single connection may make. The MaxAuthTries directive does this: once failures reach half the limit, further failures are logged, and at the limit sshd disconnects the client. The default is 6.
nano -w /etc/ssh/sshd_config
Search for MaxAuthTries (it is usually present but commented out with the default value).
Set it to 3, as shown below. Note that every public key the client offers counts as an attempt, so users with many keys loaded in ssh-agent can hit the limit before they are asked for a password; they should set IdentitiesOnly in their client configuration or offer fewer keys.
MaxAuthTries 3
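Tips 1, 4, 5, 6, 8 and 9 are all edits to the same file, so here is the whole procedure as one idempotent script, added as an example and not taken from the original article. It rewrites or inserts each directive before any Match block (sshd uses the first value it finds, and directives after a Match line apply only to that block), then hands the result to "sshd -t" for validation. It assumes a POSIX shell with awk and mktemp and the port 999 used in this article; the demonstration at the end runs on a constructed copy of sshd_config, not on the live file.

```shell
#!/bin/sh
# Added example (not from the original article): apply the sshd_config tips
# from this article idempotently and validate the result before restarting.
# Assumptions: POSIX sh, awk and mktemp; run as root against
# /etc/ssh/sshd_config; `sshd -t` is available for validation. sshd uses
# the FIRST value it sees for a directive, and directives after a "Match"
# line apply only to that block, so global settings must go before it.

# set_sshd_directive FILE KEY VALUE
# Rewrites the first global "KEY ..." line (commented out or not) to
# "KEY VALUE"; if none exists, inserts it before the first Match block or
# appends it at the end. Only a single leading "#" is treated as a
# commented-out directive, so "## Port ..." style prose comments are left alone.
set_sshd_directive() {
    cfg_file=$1 cfg_key=$2 cfg_value=$3
    cfg_tmp=$(mktemp) || return 1
    awk -v key="$cfg_key" -v value="$cfg_value" '
        BEGIN { done = 0; lkey = tolower(key) }
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)        # drop indentation and one "#"
            split(line, f, /[ \t=]+/)
            name = tolower(f[1])
            if (!done && name == "match") { print key " " value; done = 1 }
            else if (!done && name == lkey) { print key " " value; done = 1; next }
            print
        }
        END { if (!done) print key " " value }
    ' "$cfg_file" > "$cfg_tmp" && cat "$cfg_tmp" > "$cfg_file"   # cat keeps owner/mode
    cfg_rc=$?
    rm -f "$cfg_tmp"
    return $cfg_rc
}

# get_sshd_directive FILE KEY: print the effective global value (first
# uncommented occurrence before any Match block), or nothing if unset.
get_sshd_directive() {
    awk -v lkey="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (line ~ /^#/ || line == "") next
            split(line, f, /[ \t=]+/)
            name = tolower(f[1])
            if (name == "match") exit
            if (name == lkey) { sub(/^[^ \t=]+[ \t=]+/, "", line); print line; exit }
        }
    ' "$1"
}

# harden_sshd_config FILE PORT: the directives from tips 1, 4, 5, 6, 8 and 9.
harden_sshd_config() {
    h_file=$1 h_port=${2:-22}
    set_sshd_directive "$h_file" Port "$h_port" &&
    set_sshd_directive "$h_file" PermitRootLogin no &&
    set_sshd_directive "$h_file" ClientAliveInterval 240 &&
    set_sshd_directive "$h_file" ClientAliveCountMax 2 &&
    set_sshd_directive "$h_file" PermitEmptyPasswords no &&
    set_sshd_directive "$h_file" X11Forwarding no &&
    set_sshd_directive "$h_file" MaxAuthTries 3
}

# validate_sshd_config FILE: let sshd parse the file. Returns 0 on success,
# 1 on a parse error, 2 if sshd is not installed on this machine.
validate_sshd_config() {
    command -v sshd >/dev/null 2>&1 || return 2
    sshd -t -f "$1"
}

# Demonstration on a constructed copy; edit the live file only from a
# session you keep open, validate, restart sshd, then test a new login.
demo=$(mktemp)
cat > "$demo" <<'EOF'
#Port 22
PermitRootLogin yes
X11Forwarding yes
Match User backup
    PasswordAuthentication no
EOF
harden_sshd_config "$demo" 999
cat "$demo"
validate_sshd_config "$demo" || echo "validation skipped or failed (status $?)"
rm -f "$demo"
```

On a real system back up /etc/ssh/sshd_config, run harden_sshd_config against it from a session you keep open, confirm validate_sshd_config returns 0, restart sshd, and only then confirm a fresh login from a second terminal.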
10. Configure Login Notification
To keep a record of SSH logons and notice unexpected ones quickly, configure a notification on every login. A common way is a pam_exec hook in /etc/pam.d/sshd that runs a script when a session opens; the script can e-mail the user name, source address and time to your security mailbox.
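One way to implement the notification, as an added example rather than the article's own code: a script that PAM's pam_exec module runs whenever sshd opens a session. The install path, the PAM line quoted in the comments and the recipient address are hypothetical; PAM_USER, PAM_RHOST, PAM_SERVICE, PAM_TTY and PAM_TYPE are the variables pam_exec really exports to the script.

```shell
#!/bin/sh
# Added example (not from the original article): a login-notification hook
# run by PAM on every SSH session. Assumptions (hypothetical paths and
# address): installed as /usr/local/sbin/ssh-login-notify.sh, made
# executable, and wired into /etc/pam.d/sshd with the line
#   session optional pam_exec.so seteuid /usr/local/sbin/ssh-login-notify.sh
# pam_exec exports PAM_USER, PAM_RHOST, PAM_SERVICE, PAM_TTY and PAM_TYPE to
# the script. A working `mail` (mailx) command is assumed; otherwise the
# event goes to syslog via logger so it is never silently lost.

NOTIFY_TO=${NOTIFY_TO:-security@example.com}   # placeholder recipient

# should_notify: only when an sshd session is opened (not when it closes,
# and not for other PAM services such as sudo that might share the hook).
should_notify() {
    [ "${PAM_TYPE:-}" = "open_session" ] && [ "${PAM_SERVICE:-}" = "sshd" ]
}

# login_message: the notification body built from pam_exec's variables.
login_message() {
    printf 'SSH login on %s\nuser:    %s\nfrom:    %s\nservice: %s\ntty:     %s\nwhen:    %s\n' \
        "$(uname -n)" "${PAM_USER:-unknown}" "${PAM_RHOST:-unknown}" \
        "${PAM_SERVICE:-unknown}" "${PAM_TTY:-unknown}" "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
}

# notify_login: deliver the message; always return 0 so a mail outage can
# never block a legitimate login (the PAM line is "optional" for the same reason).
notify_login() {
    should_notify || return 0
    if command -v mail >/dev/null 2>&1; then
        login_message | mail -s "SSH login: ${PAM_USER:-unknown} from ${PAM_RHOST:-unknown}" "$NOTIFY_TO"
    else
        login_message | logger -t ssh-login-notify
    fi
    return 0
}

notify_login
```

Keep the PAM control word "optional" and the script's unconditional success: a notification hook that can fail must never block or, worse, influence a login decision. Because the hook fires only after authentication succeeded, it complements rather than replaces the failed-login review in tip 7.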
11. Keep SSH Updated
Always keep OpenSSH on your Linux systems up to date so that known security issues cannot be used against you: install updates through your distribution's package manager (apt, dnf/yum, zypper) and subscribe to its security announcements. Check the installed version with "ssh -V" and compare it with the current OpenSSH release notes.
See Also
[Review]: Windows Admin Center (Project Honolulu)