Hardening SSH Access

Take Me To Post Comment Form


Anyone who manages a server knows that managing it remotely is something that always poses some security threats. In most cases though it seems that using SSH they will be able to do this, but they’ll get to end up with defaults and this means there are risks in terms of security.

It’s something that needs to urgently be changed, because after all, no one wants to leave any doors open for hackers and various attacks that would compromise their server in any way. Even if some people would like to resort to using data center staff, they will have to pay a lot for these services and it’s certainly not something many can afford.

Generation and use of key pair authentication

Among the defaults is the ability of having logins protected using passwords, but this is certainly not a safe method. Passwords can easily be tracked by using special software like keyloggers and this would immediately compromise security. To ensure that such scenarios will never be the case, people should think about replacing password protected logins with private/public key pair logins.

The former is going to be carried by the individual all the time and it’s best if they don’t share it with anyone else. It’s been used to authenticate or 'match’ the public key stored on a remote computer the individual needs to gain access to.

However, it’s important to note that using keys only will not have a great impact on improving security, in the event third parties can have access to them. In this case, a third party will be granted access to someone’s server and it won’t even have to bother typing passwords. Inputting a username may also not be the case, because usernames can be guessed fairly easily and protecting them is not really a priority in general.

The truth is that still there are many individuals who are convinced that they can easily gain access to a computer remotely, by just using a SSH key pair and not having to be bothered by entering any passwords. It sound kind of lazy though and it’s the main reason to why passphrases should be used in order to protect these keys when they want to use a SSH connection to access their server. This method though should be perceived as a 2 factor authentication that can be used to access various web apps (example: http://pentagogy.blogspot.com/2012/10/google-authenticator-with-facebook.html). It’s also good to remember that nothing can be guaranteed on the internet and it’s hard to have a guaranteed 100 percent security over anything, but when a user fortifies his or her server and gets ready for any hacking attacks, they will surely save themselves from a lot of frustration and even from the danger of being fired.

To generate a good key pair, the command below can be used. “acoolpassword” can be substituted with any other pass code, but it needs to be at least comprised of four characters.

ssh-keygen -t rsa -b 4096 -N 'acoolpassword' -f openssh.key

Individuals should be aware that using a few other key types, like RSA, ECDSA and DSA is also possible and some of them are more secure/better performing than others. For this purpose, i’ll chose to go with the RSA. Limiting the number of key bits is advisable, because if they’re too long, performance will suffer.

In the working directory used, (openssh.key.pub and openssh.key) people will be able to see 2 key files. They are the public and the private keys.

Next, people will have to think about strengthening the key permissions, because it’s vital only a single user (original user) can access them and not others. In general, this aspect is going to be taken more in consideration in a multi user environment.

chmod go-rwx openssh.key*

When this will finally get out of the way, the new public key will be ready so that users can finally start to copy it on their server. It’s something that can be done in multiple ways, by either using SCP, FTP or other similar methods. In our example, the SSH’s identity copy will be used.

ssh-copy-id -i openssh.key.pub root@111.111.111.111

(change 111's to to your server IP)

Setting Restrictive Access Policy

When the enabling of the ssh key authentication is complete, it’s best if users will fully disable password authentication, because this way the server will only be possible to gain access to by using the keys.

To achieve this, fire up your text editor to edit a SSH server config file:

vim /etc/ssh/sshd_config

Look for 'PasswordAuthentication' and 'PermitEmptyPasswords' sections, (uncomment if needed) and change their values to 'no':

PasswordAuthentication noPermitEmptyPasswords no

Additionally, to tighten the configuration even more apply these settings to sshd config file same as above.

StrictModes yes

Before accepting the login, this option will specify whether ssh should check the permissions of the user in their rhosts files or home directory. It’s an option that users should always leave on “yes”, because there are cases when users may have their files left to be world writable.

LoginGraceTime 120

This is a command that will specify the amount of time in seconds the server will have to wait after a connection request, before the user will be disconnected if they didn’t log in.

PermitRootLogin no

This command specifies whether it’s possible for the root to log in by using ssh. It’s recommend that users will never say yes to this command.

Changing Default Ports

An important aspect regarding SSH is that it will always listen on its default port, 22 and it’s usually left this way because it actually feels convenient for the user to connect to it instead of entering other, less familiar one. The bad news about it is that it is very easily predictable and it can be used in order to further exploit the server’s setup.

To add another security layer though, users are advised to change this port to a non-standard, high port, say 20002. To be clear on this matter, the port can be find regardless of which one the user will go with, but if it’s changed from 22 to another, it will be a bit harder to find. In many cases, it seems that attackers who find it hard to detect server defaults will eventually leave the machine alone and go “play“ with another server which is less secure.

Conclusion

After the changes have been made and saved to the /etc/ssh/sshd_config configuration file, the next step would be to have the ssh service restarted. For those who are on Debian, they will need to use the command:

service ssh restart

Enjoy a bit secure server connection session.

This is just one of attack vectors closed, imagine what security world’s most popular institutions like Google use. Same goes for mission critical government data centres service providers which spend top dollar on securing their data and access for their clients.

Interesting read on data center security:http://www.informationweek.com/government/security/next-steps-in-data-center-security/240150897


Latest Activity: May 09, 2013 at 4:57 AM



Blog has been viewed (1606) times.


Log In to post comments.

Previous blog entries by pentago
 
Teens smoking less, but vaping more
April 28, 2015
Smoking has been on a steady decline in the west for a few years now. This due to a combination of factors such as people understanding the damaging effect smoking has on health and not being able to smoke indoors - but one major cause may simply be that smoking ...
Read More »
 
Tips for maintenance of rugs and stain removal
April 16, 2015
Making your home beautiful is one of the most important factors that a regular housewife tries to do. This includes the cleaning of the entire house and making everything look perfect. Cleaning rugs Of course, one of the essential pieces of the puzzle are rugs. Besides needing to look good, ...
Read More »
 
5 tips for new and emerging artists
March 25, 2015
Being a young and struggling artist is never easy. One needs to account various facts and take into consideration many conducts. Of course it really helps being passionate and talented, but those things will take you only a short way off. One will need to include some additional skills if ...
Read More »
 
Major Causes of Traffic Congestion
February 27, 2015
All big cities have one problem: traffic congestion caused by thousands of vehicles running through their streets each day. This affects every person who lives in the city. Slower speeds and increased queuing in the worst case scenarios lead to traffic jams, road rage, air pollution and reduced well-being. The ...
Read More »
 
How To Study More Efficiently by Scott Young
June 18, 2013
Video: https://www.youtube.com/watch?v=idjOspWeAPA Resources: http://www.scotthyoung.com/blog/mit-challenge/   Hey guys, welcome back to week 11 of my MIT challenge which is to learn MIT’s 4 years computer science curriculum in 4 months without taking classes or being enrolled in MIT. So today I wanted to share you some advice of the process that ...
Read More »
 
[View More Blogs...]



 
Powered by
Morris Technology