SSH - Configure sshd
Backup the existing configuration file
First, make a backup of your sshd_config file by copying it to your home directory, or by making a read-only copy in /etc/ssh by doing:
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.factory-defaults
sudo chmod a-w /etc/ssh/sshd_config.factory-defaults
Edit the sshd config file
Issue the following command:
sudo vi /etc/ssh/sshd_config
Restrict SSH to version 2
…add in this line if not already in the sshd configuration file, otherwise modify it to be:
Protocol 2
SSH protocol version 1 (SSH-1) has known man-in-the-middle attack problems and other security vulnerabilities. SSH-1 is obsolete and should be avoided at all costs.
Restrict SSH Key Size to 2048 or above
…add in this line if not already in the sshd configuration file, otherwise modify it to be:
ServerKeyBits 2048
This defines the number of bits in the ephemeral protocol version 1 server key.
NOTE: The /etc/ssh/moduli file lists the Diffie-Hellman groups the server can offer.
A recommendation is to remove the smaller groups from the /etc/ssh/moduli file on the server.
When the client asks for a Diffie-Hellman group, sshd searches the moduli file for groups and picks one at random from the set at least as large as what the client requested. If there are no small (e.g. 1k or 1.5k bit) groups in the file, then sshd will always use larger ones.
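An added example (not from the wiki) of the moduli pruning just described, in POSIX shell: prune_moduli and moduli_sizes are assumed names, and the sample moduli lines are constructed, with dummy values in the modulus field.

```shell
# Added example (not from the wiki): remove the small Diffie-Hellman groups from a moduli file,
# as the page recommends. moduli(5) layout: time type tests trials size generator modulus
# (7 whitespace-separated fields, '#' lines are comments). The size field holds the prime's
# length minus one, so a 2048-bit group is stored as 2047; the threshold below allows for that.

# prune_moduli FILE MIN_BITS -> prints only the groups that are at least MIN_BITS long
prune_moduli() {
    awk -v min="$(( $2 - 1 ))" 'NF == 7 && $1 !~ /^#/ && $5 >= min' "$1"
}

# moduli_sizes FILE -> prints "bits count" for each group size present, smallest first
moduli_sizes() {
    awk 'NF == 7 && $1 !~ /^#/ { n[$5 + 1]++ } END { for (s in n) print s, n[s] }' "$1" | sort -n
}

# Constructed sample; real lines carry a hex modulus hundreds of digits long in field 7
SAMPLE_MODULI="${TMPDIR:-/tmp}/moduli_sample_$$"
cat > "$SAMPLE_MODULI" <<'EOF'
# constructed entries: the 1024- and 1536-bit groups are the small ones the page says to drop
20120821044040 2 6 100 1023 2 C0FFEE
20120821044041 2 6 100 1535 2 C0FFEE
20120821044042 2 6 100 2047 2 C0FFEE
20120821044043 2 6 100 4095 5 C0FFEE
EOF

# On a live server: prune_moduli /etc/ssh/moduli 2048 > /etc/ssh/moduli.new, review it, keep a
# backup of the original (as the page does for sshd_config) and then move the new file into place.
moduli_sizes "$SAMPLE_MODULI"; prune_moduli "$SAMPLE_MODULI" 2048
```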
Don't listen to all addresses
Change the following line in the sshd config file from:
ListenAddress 0.0.0.0
to
ListenAddress 192.168.1.2
Binding sshd to a single address rather than every interface limits where connections can arrive and makes a system a lot more secure.
Disable SSH root login
Change the following line in the sshd config file from:
PermitRootLogin yes
to
PermitRootLogin no
By default, the SSH daemon ships with remote root logins enabled. Normally Ubuntu does not allow direct access to the root user, so this setting is unimportant. If you have set a password on the root account, this setting can be a potential security risk, and should be disabled. It is safer to login as another user and use sudo.
NOTE: Sometimes it is necessary to allow root logins when doing automated tasks such as backups. To disallow normal logins but allow forced commands, you can use:
PermitRootLogin forced-commands-only
Disable empty passwords when using SSH
…add in this line if not already in the /etc/ssh/sshd_config file, otherwise modify it to be:
PermitEmptyPasswords no
You need to explicitly disallow remote login from accounts with empty passwords.
Log more information about SSH connections
Change the following line in the /etc/ssh/sshd_config file from:
LogLevel INFO
to
LogLevel VERBOSE
By default, the OpenSSH server logs to the AUTH facility of syslog, at the INFO level. To record more information - such as failed login attempts - increase the logging level to VERBOSE.
Now all the details of ssh login attempts will be saved in your /var/log/auth.log file.
If you have started using a different port, or if you think your server is well-enough hidden not to need much security, you should increase your logging level and examine your /var/log/auth.log file every so often. If you find a significant number of spurious login attempts, then your computer is under attack and you need more security.
Whatever security precautions you've taken, you might want to set the logging level to VERBOSE for a week, and see how much spurious traffic you get. It can be a sobering experience to see just how much your computer gets attacked.
It's recommended to log more information if you're curious about malicious SSH traffic.
Configure the SSH Idle Log Out Timeout Interval
…add the following lines to the sshd config file:
ClientAliveInterval 900
ClientAliveCountMax 1
You are setting an idle timeout interval in seconds (900 secs = 15 minutes). After this interval has passed, the idle user will be automatically logged out.
PCI-DSS requires that there be a maximum of 1 concurrent SSH session per user.
Disable SSH support for .rhost files
…add in this line if not already in the sshd configuration file, otherwise modify it to be:
IgnoreRhosts yes
SSH can emulate the behavior of the obsolete rsh command, so disable that access: this setting ensures that SSH does not read the user's ~/.rhosts and ~/.shosts files.
It's recommended to disable rsh access.
Disable IPV6 access to SSH (Optional)
…add in this line if not already in the sshd configuration file, otherwise modify it to be:
AddressFamily inet
Specifically limit traffic to IPv4. This will limit attack vectors.
The options that can be used for this line are:
- inet = IPv4
- inet6 = IPv6
- any = both
It's recommended to limit the system to IPv4 if IPv6 is not used on the system.
Enable the SSH welcome banner
Change the following line in the sshd config file from:
#Banner /etc/issue.net
to
Banner /etc/issue.net
Now, edit /etc/issue.net and place a warning to unauthorized users. An example of what to include is shown here:
- /etc/issue.net
***************************************************************************
NOTICE TO USERS
This computer system is the private property of its owner, whether individual, corporate or government. It is for authorized use only. Users (authorized or unauthorized) have no explicit or implicit expectation of privacy.
Any or all uses of this system and all files on this system may be intercepted, monitored, recorded, copied, audited, inspected, and disclosed to your employer, to authorized site, government, and law enforcement personnel, as well as authorized officials of government agencies, both domestic and foreign. By using this system, the user consents to such interception, monitoring, recording, copying, auditing, inspection, and disclosure at the discretion of such personnel or officials.
Unauthorized or improper use of this system may result in civil and criminal penalties and administrative or disciplinary action, as appropriate. By continuing to use this system you indicate your awareness of and consent to these terms and conditions of use.
LOG OFF IMMEDIATELY if you do not agree to the conditions stated in this warning.
****************************************************************************
Once this is in place, restart sshd and all users will see this warning before they get the login prompt.
The SSH daemon will allow a message to be displayed to users attempting to log in to the SSH server.
To enable login messages, remove the hash sign # from the Banner line.
For legal reasons, it can be useful to display a banner informing people about their legal rights with regards to your server.
This will obviously not dissuade automated SSH attacks, and will potentially worsen Denial-of-Service (DoS) effects, but it may tip off a human attacker that the system is being looked after closely, and that they should move on to some other system on the network.
Disable logins for the **root** user, allow logins only for the core user, and disable password-based authentication.
permissions: 0600
owner: root:root
- /etc/ssh/sshd_config
# Use most defaults for sshd configuration.
UsePrivilegeSeparation sandbox
Subsystem sftp internal-sftp
PermitRootLogin no
AllowUsers core
PasswordAuthentication no
ChallengeResponseAuthentication no
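As an added example that is not part of the wiki page: a POSIX shell audit that reads an sshd_config the way sshd does (first occurrence of a keyword wins, Match blocks are conditional) and checks it against the settings recommended above, including the PasswordAuthentication setting from the snippet just shown. The function names, the sample configs and the temp-file paths are my own constructions.

```shell
# Added example (not from the wiki): audit an sshd_config against the settings this page
# recommends. sshd semantics modelled: keywords are case-insensitive, lines starting with
# '#' are comments, the FIRST occurrence of a keyword wins (later duplicates are ignored),
# and anything after a 'Match' line is conditional, so it is left out of the global audit.
# Assumption: the usual "Keyword value" form; the rarer "Keyword=value" form is not parsed.

# effective_value FILE KEYWORD -> prints the global value sshd would use for KEYWORD
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0 { next }        # comments and blank lines
        tolower($1) == "match" { exit }              # Match blocks are conditional: stop
        tolower($1) == key { $1 = ""; sub(/^ +/, ""); print; exit }   # first hit wins
    ' "$1"
}

# audit_sshd_config FILE -> one line per check; exit status 0 only if every check passes
audit_sshd_config() {
    fails=0
    for pair in 'Protocol|2' 'PermitRootLogin|no' 'PermitEmptyPasswords|no' \
                'LogLevel|verbose' 'ClientAliveInterval|900' 'ClientAliveCountMax|1' \
                'IgnoreRhosts|yes' 'AddressFamily|inet' 'PasswordAuthentication|no'; do
        key=${pair%%|*}; want=${pair#*|}
        got=$(effective_value "$1" "$key" | tr 'A-Z' 'a-z')   # values compare case-insensitively
        if [ "$got" = "$want" ]; then echo "OK   $key $got"; else
            echo "FAIL $key: want '$want', got '${got:-<unset: sshd default applies>}'"
            fails=$((fails + 1)); fi
    done
    # ListenAddress is site-specific, so only the wildcard the page warns against is flagged
    case "$(effective_value "$1" ListenAddress)" in
        0.0.0.0|'') echo "FAIL ListenAddress: listening on all addresses"; fails=$((fails + 1)) ;;
    esac
    [ "$fails" -eq 0 ]
}

# Constructed sample configs (not real server files); WEAK shows two common pitfalls
WEAK="${TMPDIR:-/tmp}/sshd_weak_$$"; HARDENED="${TMPDIR:-/tmp}/sshd_hardened_$$"
cat > "$WEAK" <<'EOF'
Protocol 2,1
permitrootlogin yes
# the next line is ignored by sshd: the first PermitRootLogin above wins
PermitRootLogin no
ListenAddress 0.0.0.0
Match User backup
    PasswordAuthentication no
EOF
printf '%s\n' 'Protocol 2' 'ListenAddress 192.168.1.2' 'PermitRootLogin no' 'PermitEmptyPasswords no' \
    'LogLevel VERBOSE' 'ClientAliveInterval 900' 'ClientAliveCountMax 1' 'IgnoreRhosts yes' \
    'AddressFamily inet' 'PasswordAuthentication no' > "$HARDENED"
audit_sshd_config "$WEAK" || true; echo "---"; audit_sshd_config "$HARDENED"
```

The WEAK sample fails every check, including the PermitRootLogin line that a later "no" does not fix, while the HARDENED sample passes.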