
Simple steps for a more secure SSH Daemon

by Richard Flude on 19 Nov, 2004

Here are some simple steps to make your Secure SHell (SSH) daemon more secure.

SSH allows users to securely log in to remote Fedora (or other Unix-style) servers over a network. All communication between the user and the server is encrypted, including passwords.

Opening any port to a network, and particularly to the internet, presents an additional security risk. The steps below should help lower the risk of a malicious user accessing your system, but there is no guarantee. Carefully assess for yourself whether the risk of using SSH is warranted in your situation.

Fedora uses the popular OpenSSH tool. OpenSSH is primarily developed by The OpenBSD Project and is some of the most reviewed and audited code in any Linux distribution.

6 simple steps to a more secure SSH daemon

1. Ensure OpenSSH is up-to-date

# yum update 'openssh*'

You'll either get "Could not find update match..." if no updates are available, or be prompted to install the updates if they are.

2. Keep OpenSSH up-to-date

At the very least subscribe to the fedora-announce-list where announcements regarding updates are made.

It will be big news if a vulnerability is found in OpenSSH given its importance in the Unix world. For the same reason we must move quickly to close any vulnerability discovered.

3. Monitor the SSH logs

In Fedora Core (FC), SSH places its log information in /var/log/secure by default.

Of particular interest are the "sshd[xxxx]: Accepted password" entries and the "sshd[xxxx]: Failed password" attempts against users on the AllowUsers list (see below). Are those really you?
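The log review from step 3, as an added example that is not part of the original article: it reads /var/log/secure-style lines and separates accepted password logins from unrecognised addresses, failed guesses against AllowUsers names, and guesses at other accounts. The sample lines, the user alice, the addresses and the known_ips parameter are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the /var/log/secure style (not from a real host).
SAMPLE_LOG = """\
Nov 19 03:12:01 host sshd[2311]: Failed password for root from 203.0.113.7 port 40122 ssh2
Nov 19 03:12:05 host sshd[2313]: Failed password for invalid user admin from 203.0.113.7 port 40130 ssh2
Nov 19 03:12:09 host sshd[2315]: Failed password for alice from 203.0.113.7 port 40141 ssh2
Nov 19 08:30:44 host sshd[2790]: Accepted password for alice from 198.51.100.20 port 51514 ssh2
Nov 19 09:02:10 host sshd[2801]: Accepted password for alice from 192.0.2.55 port 33210 ssh2
Nov 19 09:05:00 host su(pam_unix)[2850]: session opened for user root by alice(uid=500)
"""

# "invalid user" ("illegal user" in older releases) marks a name with no account.
EVENT = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) password for "
    r"(?P<unknown>(?:invalid|illegal) user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def review(log_text, allow_users, known_ips):
    """Summarise password logins: who got in from where, and who was guessed at."""
    report = {
        "accepted_unexpected": [],    # (user, ip) logins you may not recognise
        "failed_allowed": Counter(),  # guesses against names on the AllowUsers list
        "failed_other": Counter(),    # guesses against root, daemons, unknown names
        "failed_by_ip": Counter(),    # total failed attempts per source address
    }
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        user, ip = m["user"], m["ip"]
        if m["result"] == "Accepted":
            if user not in allow_users or ip not in known_ips:
                report["accepted_unexpected"].append((user, ip))
        else:
            report["failed_by_ip"][ip] += 1
            on_list = user in allow_users and not m["unknown"]
            report["failed_allowed" if on_list else "failed_other"][user] += 1
    return report

if __name__ == "__main__":
    r = review(SAMPLE_LOG, allow_users={"alice"}, known_ips={"198.51.100.20"})
    for key, value in r.items():
        print(key, dict(value) if isinstance(value, Counter) else value)
```

On a real server, pass the contents of /var/log/secure as log_text and the names from your AllowUsers line as allow_users.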

4. Firewall the connection if possible

The default port for SSH is 22. If you have a known static IP you'll be connecting from (say from work to home), then restrict port 22 connections on the server to those originating from that IP address.

5. Set the following options in the /etc/ssh/sshd_config configuration file.

Protocol 2

Unless you require protocol 1, disable it. If you don't know whether you require it, you probably don't.

PermitRootLogin no

Over half of the intrusion attempts for SSH on my servers are lame password guesses for root, simply because they know the account exists. Better to log in with your restricted account and use the sudo or su commands to elevate your permissions.

AllowUsers <theusername>

By default, login is allowed for all users. Unfortunately this will also apply to daemon accounts if incorrectly configured, and to the user who changed his password to 'hello'. Better to restrict access to trusted users like yourself.

For multiple usernames, separate them with spaces, or alternatively add the usernames to a group and use AllowGroups <thegroupname>.

Don't forget to restart the SSH server after changing the configuration files:

# service sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]

6. Use hard to guess passwords

Use a combination of lowercase and uppercase letters, symbols and numbers for your password. The more random the password and the larger the number of characters, the more difficult it will be to guess.

Actually we could replace passwords completely with certificates, but I'll leave that for another time.