How to make OpenSSH even more secure
- May 15th, 2010
- Posted in Security
OpenSSH is the default means of accessing a Unix-based server nowadays, and so it should be, because OpenSSH is safe, fast and stable.
However, the weak end of a secure system is always the user end. Therefore we are going to tighten up OpenSSH even more than it already is, which is quite easy to do.
The first thing to check is whether you are running an up-to-date version of OpenSSH. At the time of this writing, version 5.3 is the most recent one, so when you read this post your version needs to be at least that.
To determine the version, type:
$ ssh -V
It will produce some output with a version number, most likely with added information about the Linux distribution that you are using.
Once you have ensured that your version is up to date, it's time to get to work and tighten the thing down:
Limit allowed users
One thing you really want to do is limit the users that are allowed to connect over SSH. You do that in the sshd_config file:
$ sudo pico /etc/ssh/sshd_config
Scroll down until you find a line that starts with 'AllowUsers'. If it isn't in there, add it at the end and list after it only those users that you want to allow SSH connectivity for.
AllowUsers yourself user2 user3
Save the file and restart SSH by issuing the restart command.
$ sudo /etc/init.d/ssh restart
The command there might vary a bit depending on your distribution.
This will diminish the chance for script kiddies to guess username/password combinations.
Turn off .rhosts usage
You really don’t need this as SSH can emulate the behaviour of the rsh command. rsh became obsolete anyway.
$ sudo pico /etc/ssh/sshd_config
Scroll down until you find the IgnoreRhosts line. If it isn't there, add it at the end:
IgnoreRhosts yes
Save and restart your SSH daemon.
Turn off host based authentication
Probably the worst idea someone can have is to authenticate based on the IP address that is connecting. If someone successfully spoofs that particular IP address, you are in trouble, as you have lost your last line of defense.
$ sudo pico /etc/ssh/sshd_config
Scroll down until you find the line that says HostbasedAuthentication. If there isn't any, add it at the end:
HostbasedAuthentication no
Save and restart your SSH daemon.
Disable root login via SSH
OK, OK, this is 2010, SSH is secure, and there is no way of sniffing the password out of your packets, but we have the su and sudo (recommended) commands. Why not play it safe and deny root login anyway? With su and sudo, at least it gets logged who does what with root privileges. So I am still all for denying root logins.
$ sudo pico /etc/ssh/sshd_config
Scroll down until you find the line that says PermitRootLogin. If there isn't any, add it at the end:
PermitRootLogin no
Save and restart your SSH daemon.
Change the port SSH listens on
By default, SSH listens on port 22, so this is also the port that brute-force scripts target. You can save yourself some resource load by letting SSH listen somewhere else, like 300 or 400.
Before you do this, make sure you have opened that port in your firewall configuration. Otherwise you will lose SSH access when you restart the daemon, and you will not be able to log in again on the new port because the firewall will deny you access.
$ sudo pico /etc/ssh/sshd_config
Look for a line that starts with Port. Change it to:
Port 300
Save and restart the SSH daemon.
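To check all five settings above in one pass, here is an added example script (not from the original post). It assumes whitespace-separated `Keyword value` lines as written in this post and does not follow Include files; the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an sshd_config-style file for the settings this post recommends.

# first_value FILE KEYWORD: print the first global value of KEYWORD.
# sshd uses the first value it finds, and keywords are case-insensitive.
# Parsing stops at the first Match block, whose settings only apply conditionally.
first_value() {
    awk -v key="$2" '
        { sub(/^[ \t]+/, "") }
        /^#/ || /^$/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# audit_sshd FILE: print one PASS or FAIL line per recommended setting.
audit_sshd() {
    for want in IgnoreRhosts=yes HostbasedAuthentication=no PermitRootLogin=no; do
        key=${want%%=*} exp=${want#*=}
        got=$(first_value "$1" "$key")
        if [ "$got" = "$exp" ]; then echo "PASS $key $got"
        else echo "FAIL $key is '${got:-unset}', want '$exp'"; fi
    done
    users=$(first_value "$1" AllowUsers)
    if [ -n "$users" ]; then echo "PASS AllowUsers $users"
    else echo "FAIL AllowUsers is unset"; fi
    port=$(first_value "$1" Port)
    if [ -n "$port" ] && [ "$port" != 22 ]; then echo "PASS Port $port"
    else echo "FAIL Port is '${port:-unset}', sshd listens on the default 22"; fi
}

# Constructed sample: PermitRootLogin appears twice (the first line wins) and
# HostbasedAuthentication is only set inside a Match block.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, not a real server config
Port 300
allowusers yourself user2
PermitRootLogin yes
PermitRootLogin no
IgnoreRhosts yes
Match Address 192.0.2.0/24
    HostbasedAuthentication no
EOF
audit_sshd "$sample"
rm -f "$sample"
```

On a live host, call `audit_sshd /etc/ssh/sshd_config`, and run `sudo sshd -t` before restarting the daemon so a syntax error in the file does not lock you out.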
I know this list is by no means complete, and I welcome any additions anyone is willing to make.
The current list, however, ought to be discouraging enough for most attackers.