SSH Hardening
SSH Hardening
Default Config Files and SSH Port:
■ /etc/ssh/sshd_config - OpenSSH server configuration file.
■ /etc/ssh/ssh_config - OpenSSH client configuration file.
■ ~/.ssh/ - Users ssh configuration directory.
■ ~/.ssh/authorized_keys or ~/.ssh/authorized_keys - Lists the public keys (RSA or DSA) that can be used to log into the user’s account
■ /etc/hosts.allow and /etc/hosts.deny : Access controls lists that should be enforced by tcp-wrappers are defined here.
■ SSH default port : TCP 22
1.) Only Use SSH Protocol 2 (All Linux Operating Systems)
SSH protocol version 1 (SSH-1) has man-in-the-middle attacks problems and security vulnerabilities. SSH-1 is obsolete and should be avoided at all cost. Open sshd_config file and make sure the following line exists:
2.) Disable root Login via SSH (All Linux Operating Systems)
There is no need to login as root via ssh over a network. Normal users can use su or sudo (recommended) to gain root level access. This also make sure you get full auditing information about who ran privileged commands on the system via sudo. To disable root login via SSH, update sshd_config with the following line:
3.) Enable a Warning Banner (CentOS and RHEL Only)
Set a warning banner by updating sshd_config with the following line:
Sample /etc/issue file:
4.) Disable Empty Passwords (All Linux Operating Systems)
You need to explicitly disallow remote login from accounts with empty passwords, update sshd_config with the following line:
5.) Disable .rhosts Files (All Linux Operating Systems)
Don't read the user's ~/.rhosts and ~/.shosts files. Update sshd_config with the following settings:
SSH can emulate the behavior of the obsolete rsh command, just disable insecure access via RSH.
Remember to restart your SSH Server after making changes :)
■ /etc/ssh/sshd_config - OpenSSH server configuration file.
■ /etc/ssh/ssh_config - OpenSSH client configuration file.
■ ~/.ssh/ - Users ssh configuration directory.
■ ~/.ssh/authorized_keys or ~/.ssh/authorized_keys - Lists the public keys (RSA or DSA) that can be used to log into the user’s account
■ /etc/hosts.allow and /etc/hosts.deny : Access controls lists that should be enforced by tcp-wrappers are defined here.
■ SSH default port : TCP 22
1.) Only Use SSH Protocol 2 (All Linux Operating Systems)
SSH protocol version 1 (SSH-1) has man-in-the-middle attacks problems and security vulnerabilities. SSH-1 is obsolete and should be avoided at all cost. Open sshd_config file and make sure the following line exists:
Code: Select all
Protocol 2There is no need to login as root via ssh over a network. Normal users can use su or sudo (recommended) to gain root level access. This also make sure you get full auditing information about who ran privileged commands on the system via sudo. To disable root login via SSH, update sshd_config with the following line:
Code: Select all
PermitRootLogin noSet a warning banner by updating sshd_config with the following line:
Code: Select all
Banner /etc/issueCode: Select all
--------------------------------------------------------------------------------------------------------------
You are accessing a Private Server that is provided for authorized use only.
All system actions are being logged. So please follow our system policy
--------------------------------------------------------------------------------------------------------------
You need to explicitly disallow remote login from accounts with empty passwords, update sshd_config with the following line:
Code: Select all
PermitEmptyPasswords noDon't read the user's ~/.rhosts and ~/.shosts files. Update sshd_config with the following settings:
Code: Select all
IgnoreRhosts yesRemember to restart your SSH Server after making changes :)
-
Ghillie-up
- Posts: 22
- Joined: Fri Jun 20, 2014 8:35 am
Re: SSH Hardening
IPtables? Single source address / range.
Alternative ssh port? Stop brute force bots hammering you.
Alternative ssh port? Stop brute force bots hammering you.