This will be the first of two posts in the server hardening Series where we will discuss the Secure Shell (SSH) service. I will cover the options available to us for hardening SSH. SSH is a cryptographic network protocol used for remote management over an insecure (or less secure) communication channel. Whether this is a web server, an appliance or a firewall, out on the internet or in your local subnet. For example most remote Linux based servers have SSH enabled in order for administrators to remotely manage them rather than being directly in front of the server/appliance with a monitor at the console. According to arstechnica (2015) Microsoft is also to introduce native support for SSH in 2015 – so watch this space.
There are a number of hardening techniques that we can undertake to further secure the SSH service from an out of the box typical install. These include:
- Disabling SSH Protocol 1 and using Protocol 2. (Part 1)
- Limit the the users who can login. (Part 1)
- Disable root login and use a standard user account. (Part 1)
- Run SSH on a different port to 22. (Part 1)
- Use Public Private keys for Authentication. (Part 2)
- Filter SSH with iptables (demonstrated in one of my previous posts here) (Part 2)
- Setting strong cryptographic algorithms (Part 2)
I will be demonstrating these tasks on Ubtuntu 14.04. however the options and configurations will be very similar across the different Linux distributions.
Disabling SSH Protocol 1 and using Protocol 2
Disabling SSH Protocol 1 is done in the following file ‘/etc/ssh/sshd_config’, so using your favorite text editor nano, vi, leafpad etc (mines nano) open up the ‘sshd_config’ file and find the protocol line and ensure it has a the ‘2’ parameter next to it like the below:
# Protocol 1 Protocol 2
Limit the the users who can login
Locate the authentication section again in the file ‘/etc/ssh/sshd_config’, and add in the line ‘AllowUsers Adam Mark’ and any other usernames as needed. This should be used in conjunction with disabling the root login. This will only let ‘Adam’ and ‘Mark’ login for example.
AllowUsers Adam Mark
Disable root login and use a standard user account
Locate the authentication section and specifically the ‘PermitRootLogin yes’ and either comment the line out with a # and add a new line in or change the parameter to ‘no’.
# Authentication: LoginGraceTime 120 # PermitRootLogin yes PermintRootLogin no
Run SSH on a different port to 22
This can clearly be achieved in a number of different ways depending on how your infrastructure is configured. For example you could change the port on your SSH Service in the sshd_config file or adjust port forwarding/translation rules on your firewall or router. The main goal of this exercise is to obfuscate the SSH service to a potential attacker, we must be clear here this doesn’t protect the port in any way however does distract from the fact port 22 is not open for business. I say again this will not protect you against an attacker with enough intent, an attacker with enough experience will have scanned all 65k ports and verified all services on all open ports. Never the less if somebody has only scanned the top 1k ports its still an option, but should not be relied upon. I’m not going to get into the debate of ‘security by obscurity’ in this post. From the following file ‘/etc/ssh/sshd_config’, locate the ‘port 22’ line and change the number parameter to the unused port of your choice
# I have changed the default SSH port from 22 to 3333 Port 3333
I have added a comment in the line above as a reminder here to allow the next person to see what I have done for any troubleshooting purpose. You never know when you will move on and the next person needs to administer the box, this is useful to them. 😉
In most cases the SSH service will need to be restarted in order for the changes to take effect. From a terminal: (I always add a ‘-v’, optional for verbose)
Service ssh restart -v
As always I would suggest you try these out first in a test environment making one change at a time before changing your corporate machines.