Secure Shell
The Secure Shell Protocol is a cryptographic network protocol for operating network services securely over an unsecured network. Its most notable applications are remote login and command-line execution. SSH applications are based on a client–server architecture, connecting an SSH client instance with an SSH server. (Wikipedia)
With advancements in the technology world, hackers are becoming more sophisticated every day. Even your SSH connection is not secure if you are using the traditional or default installation settings. Therefore, it has become necessary to secure your SSH server from unwanted data breaches and malicious attacks by taking some crucial precautions.
In this article, we will introduce you to some important security practices which will help you in considerably increasing the level of SSH server security.
Use Strong Passwords and Apply Password Policy
First things first, we must use complex passwords for SSH logins. A password should contain uppercase letters, lowercase letters, numbers and special characters. We must also consider the length of the password: it should be at least 8 characters. Another key point is to change the password every month. Will users follow this on their own? We can enforce all of these with a password policy.
Enable Password Policy
In Red Hat Enterprise Linux 7 and 8, the default configuration file for password complexity is /etc/security/pwquality.conf.
Set these parameters in this file.
- Minimum length of the password
- Minimum number of uppercase characters
- Minimum number of lowercase characters
- Minimum number of other characters
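As an added example (not from the original post), the script below sets the four parameters listed above, plus a digit requirement, in a pwquality.conf file with an idempotent setter that also uncomments the shipped defaults. It assumes the RHEL 7/8 layout, where the file uses key = value lines and ships with its defaults commented out, and it runs against a constructed copy rather than the real /etc/security/pwquality.conf.

```shell
#!/bin/sh
# Added example, not from the original post: apply the pwquality
# parameters listed above with an idempotent "key = value" setter.
# Assumption: /etc/security/pwquality.conf uses "key = value" lines and
# ships its defaults commented out ("# minlen = 8"), as on RHEL 7/8.
# In pwquality a negative credit means "at least this many characters
# of that class are required".

# set_kv FILE KEY VALUE: rewrite every existing (possibly commented-out)
# "KEY = ..." line as "KEY = VALUE", or append one if none exists.
set_kv() {
    file=$1 key=$2 value=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*${key}[[:space:]]*=" "$file"; then
        tmp=$(mktemp)
        sed -E "s|^[[:space:]]*#?[[:space:]]*${key}[[:space:]]*=.*|${key} = ${value}|" "$file" > "$tmp"
        cat "$tmp" > "$file"   # cat, not mv, keeps the file's owner and mode
        rm -f "$tmp"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# get_kv FILE KEY: print the value of the last uncommented "KEY = ..." line
# (after set_kv there is exactly one).
get_kv() {
    grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" | tail -n 1 \
        | sed -E 's/^[^=]*=[[:space:]]*//; s/[[:space:]]+$//'
}

# apply_password_policy FILE: the policy described in the post.
apply_password_policy() {
    set_kv "$1" minlen 8     # at least 8 characters
    set_kv "$1" ucredit -1   # at least one uppercase letter
    set_kv "$1" lcredit -1   # at least one lowercase letter
    set_kv "$1" dcredit -1   # at least one digit
    set_kv "$1" ocredit -1   # at least one other (special) character
}

# Demo on a constructed sample file so nothing on the host is touched.
demo_file=$(mktemp)
printf '# minlen = 8\n# ucredit = 0\nminclass = 0\n' > "$demo_file"   # constructed sample
apply_password_policy "$demo_file"
cat "$demo_file"
rm -f "$demo_file"
```

Point apply_password_policy at /etc/security/pwquality.conf to apply it for real. Monthly rotation is a separate control: PASS_MAX_DAYS 30 in /etc/login.defs covers new accounts, and chage -M 30 <user> covers existing ones.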
Disable Empty Passwords
Linux allows users to have empty passwords, and allowing logins with an empty password will expose your server to attack. So make sure you disable empty passwords.
Open the "/etc/ssh/sshd_config" file. Find PermitEmptyPasswords and set it to no.
vi /etc/ssh/sshd_config
PermitEmptyPasswords no
systemctl restart sshd
Avoid Using Port 22
Port 22 is the default port for SSH connections, and every attacker trying to reach your SSH server will probe this port first. Changing the port therefore adds an extra layer of security to your SSH connection and prevents automated attacks on the SSH server. Changing the port also keeps you off the radar of mass scanners. But attackers can still run a port scan against the server and identify the SSH port, so the best option is to allow SSH access only from known source IPs. You can apply iptables rules to do this.
Change SSH Port
Open the SSH configuration file "/etc/ssh/sshd_config" and set the port number you want.
vi /etc/ssh/sshd_config
Port 3322
systemctl restart sshd
iptables Rules
iptables -I INPUT -p TCP -s 192.168.20.100/32 --dport 3322 -j ACCEPT
iptables -A INPUT -p TCP --dport 3322 -j DROP
Disable the Root Logins
vi /etc/ssh/sshd_config
PermitRootLogin no
systemctl restart sshd
Maintain SSH Allow List
vi /etc/ssh/sshd_config
AllowUsers viduranga
systemctl restart sshd
Set an Idle Timeout Value
If there is an established SSH connection to your computer and there has been no activity on it for a period of time, it poses a security risk. There is a chance that the user has left their desk and is busy elsewhere. Anyone else who passes by their desk can sit down and start using their computer and, via SSH, your computer.
vi /etc/ssh/sshd_config
ClientAliveInterval 60
systemctl restart sshd
Set a Limit For Password Attempts
Defining a limit on the number of authentication attempts can help thwart password guessing and brute-force attacks. After the designated number of authentication requests, the user will be disconnected from the SSH server. By default, there is no limit. But that is quickly remedied.
You can address this by editing "/etc/ssh/sshd_config". Set MaxAuthTries 3.
vi /etc/ssh/sshd_config
MaxAuthTries 3
systemctl restart sshd
Only Use SSH Protocol 2
SSH has two protocols that it can use. Protocol 1 is older and is less secure. Protocol 2 is what you should be using to harden your security. If you are looking for your server to become PCI compliant, then you must disable protocol 1.
Open your "/etc/ssh/sshd_config" file and set Protocol 2.
vi /etc/ssh/sshd_config
Protocol 2
systemctl restart sshd
Set Login Grace Time
The LoginGraceTime parameter specifies the time allowed for a client to authenticate successfully to the SSH server. The longer the grace period, the more open, unauthenticated connections can exist at once. Like the other session controls in this section, the grace period should be limited to an appropriate organizational value to ensure the service remains available for legitimate access.
vi /etc/ssh/sshd_config
LoginGraceTime 60
systemctl restart sshd
Disable GSS API Authentication
GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing the attack surface of the system.
To disable it, edit "/etc/ssh/sshd_config" and set GSSAPIAuthentication to no.
vi /etc/ssh/sshd_config
GSSAPIAuthentication no
systemctl restart sshd
Disable Weak Key Exchange and Weak Encryption Algorithms
Explicitly set the key exchange and encryption algorithms in "/etc/ssh/sshd_config". Once you have set them, you must restart the ssh service.
vi /etc/ssh/sshd_config
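The sshd_config settings above, from PermitEmptyPasswords through the key exchange and cipher lists, can be verified in one pass after editing. The script below is an added example written for this article, not code from the original post; it assumes a standard OpenSSH sshd_config and runs here against two constructed sample files rather than the live /etc/ssh/sshd_config. It encodes three points that are easy to miss: sshd honours the first uncommented occurrence of a keyword, so a hardened line appended at the bottom of the file loses to an earlier default; ClientAliveInterval only sets the probe interval, and the session is dropped after ClientAliveCountMax (default 3) unanswered probes, so the effective idle limit is the product of the two; and OpenSSH's built-in MaxAuthTries is 6, while OpenSSH 7.0 and later no longer support protocol 1 and ignore the Protocol directive. The weak-algorithm list is a common hardening baseline (SHA-1 key exchange, RC4 and CBC ciphers), not an exhaustive one.

```shell
#!/bin/sh
# Added example, not from the original post: audit an sshd_config against
# the settings this article recommends. Assumption: a standard OpenSSH
# sshd_config ("Keyword value", first occurrence wins, case-insensitive).

# sshd_get FILE KEY: print the effective value of KEY (first uncommented line).
sshd_get() {
    grep -iE "^[[:space:]]*$2([[:space:]]+|=)" "$1" | head -n 1 \
        | sed -E 's/^[[:space:]]*[A-Za-z]+[[:space:]=]+//; s/[[:space:]]+$//'
}

# expect_eq FILE KEY WANT: 0 when the effective value equals WANT (lower-case).
expect_eq() {
    got=$(sshd_get "$1" "$2" | tr '[:upper:]' '[:lower:]')
    [ "$got" = "$3" ] && return 0
    echo "FAIL: $2 is '${got:-unset}', want '$3'"; return 1
}

# expect_range FILE KEY MIN MAX: 0 when set to an integer within MIN..MAX.
expect_range() {
    got=$(sshd_get "$1" "$2")
    case $got in ''|*[!0-9]*) echo "FAIL: $2 is '${got:-unset}', want $3..$4"; return 1 ;; esac
    [ "$got" -ge "$3" ] && [ "$got" -le "$4" ] && return 0
    echo "FAIL: $2 is $got, want $3..$4"; return 1
}

# Algorithm names commonly removed by hardening guides (not exhaustive).
WEAK_ALGOS='diffie-hellman-group1-sha1 diffie-hellman-group14-sha1
diffie-hellman-group-exchange-sha1 arcfour arcfour128 arcfour256
3des-cbc blowfish-cbc cast128-cbc aes128-cbc aes192-cbc aes256-cbc'

# expect_algos FILE KEY: 0 when KEY is set explicitly and lists no weak name.
expect_algos() {
    got=$(sshd_get "$1" "$2")
    [ -n "$got" ] || { echo "FAIL: $2 is not set explicitly"; return 1; }
    rc=0
    for a in $WEAK_ALGOS; do
        case ",$got," in *",$a,"*) echo "FAIL: $2 lists weak algorithm $a"; rc=1 ;; esac
    done
    return $rc
}

# audit_sshd FILE: run every check; the exit status is the number of findings.
audit_sshd() {
    f=$1 n=0
    expect_eq    "$f" PermitEmptyPasswords no  || n=$((n+1))
    expect_eq    "$f" PermitRootLogin no       || n=$((n+1))
    expect_eq    "$f" GSSAPIAuthentication no  || n=$((n+1))
    expect_eq    "$f" Protocol 2               || n=$((n+1))   # ignored by OpenSSH >= 7.0
    expect_range "$f" MaxAuthTries 1 3         || n=$((n+1))
    expect_range "$f" LoginGraceTime 1 60      || n=$((n+1))
    expect_range "$f" ClientAliveInterval 1 60 || n=$((n+1))
    expect_range "$f" ClientAliveCountMax 1 3  || n=$((n+1))   # idle limit = Interval * CountMax
    [ -n "$(sshd_get "$f" AllowUsers)" ]       || { echo "FAIL: AllowUsers is unset"; n=$((n+1)); }
    case $(sshd_get "$f" Port) in ''|22) echo "FAIL: Port is unset or 22"; n=$((n+1)) ;; esac
    expect_algos "$f" KexAlgorithms            || n=$((n+1))
    expect_algos "$f" Ciphers                  || n=$((n+1))
    return $n
}

# Constructed sample configs (not real host files).
write_sample_hardened() {
    cat > "$1" <<'EOF'
Port 3322
Protocol 2
PermitRootLogin no
PermitEmptyPasswords no
MaxAuthTries 3
LoginGraceTime 60
ClientAliveInterval 60
ClientAliveCountMax 3
GSSAPIAuthentication no
AllowUsers viduranga
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
EOF
}
write_sample_weak() {
    cat > "$1" <<'EOF'
#Port 22
Port 22
PermitRootLogin yes
PermitRootLogin no
#PermitEmptyPasswords no
MaxAuthTries 6
GSSAPIAuthentication yes
Ciphers aes256-ctr,3des-cbc
EOF
}

demo=$(mktemp)
write_sample_weak "$demo"
audit_sshd "$demo" || echo "$? finding(s) in the weak sample"
rm -f "$demo"
```

Run it against the live file with audit_sshd /etc/ssh/sshd_config after editing, and run sshd -t to syntax-check the file before restarting the service.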