Securing your SSH server !

SSH is the most powerful tool with which you can access your server. As Uncle Ben says in Spiderman —

Remember, with great power, comes great responsibility.

If your service is not hardened, it can be exploited to a level directly proportional to the power of SSH. Let us now consider some of the ways in which you can secure/harden your SSH server.

–> Use  key based authentication instead of passwords. There are a lot of botnets trying brute force attacks against your SSH server. Using a password authentication system at the first place, gives them more opportunities. If you use password authentication system, it would mean any machine can connect to your server, if they are aware/have successfully brute forced the password. On the other hand, if you use public/private key based authentication system, not every machine around the world can get in access. Only the ones for which the private/public key pairs match can get-in. And brute-forcing such a system is currently impossible.

To set up key-based authentication, follow the steps given below :

ClientMachine # ssh-keygen

Generate a passphrase-protected SSH key 

ssh-keygen

 

Once this is complete, the private key gets stored to /root/.ssh/id_rsa and public key to /root/.ssh/id_rsa.pub.

Now you need to copy paste the contents of /root/.ssh/id_rsa.pub to your server or transfer this to your server. You can transfer this using :

# ssh-copy-id SERVERIP ( will prompt for root password as well )

or copy paste the contents of /root/.ssh/id_rsa.pub ( from ClientMachine) to the file /root/.ssh/authorized_keys found in the server.

Once this is complete, open your SSH configuration file ( /etc/ssh/sshd_config ) and give-in the below line and restart the service :

PasswordAuthentication no ( If its already commented, uncomment and make sure the argument passed is ‘no’

Now you can SSH from your ClientMachine without passing any passwords ( you might have to type your passphrase if it was given )

–> For a server with user’s around the world having to SSH in and the machines which they use are subject to changes, key based authentication can become a real headache.

Even when we are using Password based authentication, we can make it more secure. Disabling root login can be a big plus-point. Most of the brute force attacks are carried out with the username as ‘root’ in perpective. We can change that root user to be able to login, allow a system user and then sudo in to get the root privilages.

$  First create a system user for this purpose ( Ingnore this step if you already have one user in mind )

# adduser newusername
# passwd newusername

$ Now, we want to edit the sudo rights and grant administrative privilages to this user.

# visudo or # vi /etc/sudoers

Add the username which we just created, below the space

## Allow root to run any commands anywhere
root ALL=(ALL) ALL

root-etcsudo

 

After adding, it would look like :

newusername

 

Now save and close this file. Go to your ssh configuration file and give the setting :

PermitRootLogin no

This will make sure, root login is disabled and you can SSH as the newusercreated, then sudo in to get as root

newuser

 

–> You can also consider about changing the custom SSH port from 22 to any other.

–> If you have multiple IP’s, you can think about binding SSH server to just one IP.

^ These 2 options can be found from /etc/ssh/sshd_config file

portsip

–> If you have a defined networking environment, you can provide the range of IPs which can access the SSH service and deny all others. This can be done using TCP_Wrapper. Using the files /etc/hosts.deny and /etc/hosts.allow

=====================

/etc/hosts.deny
sshd:  ALL

/etc/hosts.allow
sshd: Trusted IPs/subnet

=====================

So, try these methods out !