“It is not Unix’s job to keep you from shooting yourself in the foot. If you should choose to do so, it is Unix’s job to deliver Mr. Bullet to Mr. Foot in the most efficient way it knows.” — Terry Lambert.
If you run Linux/Unix hosts, you most likely connect to them over SSH to manage your Linux hosting, perform daily tasks or install software.
SSH – An Introduction:
SSH stands for Secure Shell, a cryptographic network protocol used for connecting to Linux/Unix servers remotely via a command line interface. The SSH service listens on port 22 by default (this is configurable) and uses it to exchange data between the remote users and the server. SSH was developed to improve on the security of earlier applications such as telnet and rsh.
The following events occur when two parties connect via SSH:
A request to establish a connection is made, so that the client can verify that it is communicating with the correct server.
The connection between the client and the server is encrypted on the transport layer.
The server checks the information provided by the client for authentication.
Once the encrypted connection is established, the client and the server are now ready to exchange information.
Security measures necessary to safeguard SSH service:
Here are some security measures which can be useful in securing the SSH service in Linux:
Configure the SSH port:
The default port is 22, as stated above. An attacker who requests access on that port is already one step ahead: he only has to find the password by trial and error. If we configure the SSH port to be something other than 22, the service is less exposed to attacks aimed at the default port.
Run the command below to change the default port in the SSH configuration file:
# sed -i -E 's/^#?Port [0-9]+/Port 1337/' /etc/ssh/sshd_config
It will change any Port xxx line, where xxx is any number and whether or not the line is commented out, to Port 1337. To verify, run the command below:
# grep Port /etc/ssh/sshd_config
Now that you've changed the port, allow it through the firewall so that connections to the SSH service on port 1337 are accepted. Run the commands below to achieve that:
# iptables -A INPUT -i eth0 -p tcp --dport 1337 -j ACCEPT
# service iptables save
# service iptables restart
Disable root login:
Disable root login! How are we supposed to log in to our server?
The default user, the one through which we log in to the server, is root, and this gives an attacker an edge in gaining access to the complete system: he already knows the username and only has to work on the password. We will create a user on our server that will be used only for SSH login.
Run the command below to create a user:
# useradd 1345345
Set the user password to something complex:
# passwd 1345345
Changing password for user 1345345.
Retype new password:
passwd: all authentication tokens updated successfully.
We will now change our SSH configuration to disable the root login.
# sed -i -E 's/^#?PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
Once root login has been disabled, we will allow the user we created earlier.
# echo "AllowUsers 1345345" >> /etc/ssh/sshd_config
Finally, to allow the user to run the su - command after logging in to the server, add the user to the wheel group to make things easier to manage.
# usermod -aG wheel 1345345
After making all the required changes, restart the SSH service with the command below:
# service sshd restart
or, if you are using CentOS 7/Red Hat Enterprise Linux 7, use this to restart:
# systemctl restart sshd.service
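A sed substitution that matches nothing still exits successfully, so it is worth confirming that the port, root-login and AllowUsers settings actually landed in the file before restarting sshd. The script below is an added example, not part of the original article; the function names first_value and audit_sshd_config and the sample configuration are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original article). Sample config is constructed.

# Print the value of the first uncommented KEYWORD line in FILE.
# Keywords are case-insensitive; Match blocks are not evaluated here.
first_value() {
    awk -v kw="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(kw) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# audit_sshd_config FILE PORT USER: print findings, return 0 only if all pass.
audit_sshd_config() {
    cfg=$1 want_port=$2 want_user=$3 rc=0
    port=$(first_value "$cfg" Port)
    if [ "${port:-22}" != "$want_port" ]; then
        echo "FAIL Port is ${port:-22}, expected $want_port"; rc=1
    fi
    root=$(first_value "$cfg" PermitRootLogin)
    if [ "$root" != "no" ]; then
        echo "FAIL PermitRootLogin is '${root:-unset}', expected 'no'"; rc=1
    fi
    case " $(first_value "$cfg" AllowUsers) " in
        *" $want_user "*) ;;
        *) echo "FAIL AllowUsers does not list $want_user"; rc=1 ;;
    esac
    if [ "$rc" -eq 0 ]; then echo "OK Port, PermitRootLogin and AllowUsers are set"; fi
    return "$rc"
}

# Constructed sample: the root-login line was already uncommented, so a
# substitution that only looks for the commented-out default changed nothing.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 1337
PermitRootLogin yes
AllowUsers 1345345
EOF
audit_sshd_config "$sample" 1337 1345345 || echo "audit failed: fix the config before restarting sshd"
rm -f "$sample"
```

On a live host, sshd -t checks the file for syntax errors and sshd -T prints the configuration that sshd itself resolves, including Match blocks.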
Allow access from specific IP addresses:
If you have a static IP address, such as that of your corporate network, it is advisable to allow SSH from that IP only. To do that, run the commands below, replacing the example addresses with the public IP addresses of your network:
# echo "sshd : 192.168.1.1 : ALLOW" >> /etc/hosts.allow
# echo "sshd : 192.168.1.2 : ALLOW" >> /etc/hosts.allow
# echo "sshd : ALL : DENY" >> /etc/hosts.allow
Patch against known exploits:
Check that your bash version is up to date and patched against commonly known exploits such as Shellshock and zero-day vulnerabilities.
# bash --version
GNU bash, version 4.1.2(1)-release (x86_64-redhat-linux-gnu)
Copyright (C) 2009 Free Software Foundation, Inc.
Physical Access/User Security:
If you use Windows to access SSH, make sure your machines are well protected against viruses and are not for public use. Change passwords regularly and store them in a secure location.
SSH encryption using public-private keys:
We can also implement key-based authentication on the server. We will discuss key-based authentication in our next blog post, as it is a topic that deserves detailed discussion on its own.
An SSH key needs to be stored on a computer, and this can be a vulnerability. You have to protect your private key with a passphrase; otherwise, if your laptop falls into the wrong hands, it can result in an account compromise. On the other hand, a password can be stored in your brain only, which in theory makes it less likely to leak.
Arguably, SSH keys are more secure than passwords, but the opposite can also be true. So it all depends on the context.
If you have trouble finding the right managed server, look no further. Here at ZNetLive, we provide managed VPS and dedicated servers. And yes, we will help you secure your server with multiple aspects of security.
You are free to contribute, comment or create issues, post them in comments and I will revert.
Muddassir Nazir is a computer science engineer and programming enthusiast, a foodie and a Green Day fan. He loves to fix things and makes them work through experimenting. He loves working/tweaking/playing with Linux. Across multiple Linux distros out there, Ubuntu and CentOS are his favorites.