Just a HOWTO to give you a basic insight into deterring SSH brute-force attempts.

Nothing is better than a firewall; I am simply explaining a couple of things you can do to make SSH a tiny bit more secure. I will explain in a later post how to detect and then block SSH brute-force attempts with BFD and APF, but for now, just the basics.

This tutorial assumes basic Linux knowledge.

Log into your box as root, at the shell type:

vi /etc/ssh/sshd_config

(assuming you have vi installed; if not, use pico or your preferred editor)
/etc/ssh/sshd_config is the usual location of the SSH config file, although this can vary depending on your distro. If in doubt, use locate to find the sshd_config file on your system.

Assuming you are using vi press: /

this puts vi into search mode, then type: #Port 22

which should take you to a block of the config file that looks like:

#Port 22
#Protocol 2, 1
#ListenAddress 0.0.0.0
#ListenAddress ::

Change The Listening Port
Start by uncommenting the #Port 22 line (removing the hash in front of it uncomments it). In vi you do this by pressing the I key to switch to INSERT mode (vi will display INSERT in the bottom left corner if you got it right), then using the delete key to remove the hash.

The next thing to do is change the port number to something unusual (I would suggest 4 or 5 numbers in length).

Tread carefully with this, as you don't want to use a port that another service runs on; a ports list is available HERE.

Deny SSH1 Connections
You should still be in INSERT mode in vi, so scroll to the next line, uncomment it as above and remove the , 1 part from the end. This prevents older SSH1 clients from connecting.

Change the Binding Address
Next, jump down to the ListenAddress line, uncomment it and change the 0.0.0.0 to one of the IP addresses you have been assigned by your service provider (if possible, I would keep this different from the address that the DNS for any domains you host resolves to).

Deny Root Log in
Please ensure you have another user account on the server that has shell access and is part of the wheel group, otherwise you will be locked out!

DO NOT CONTINUE UNLESS YOU HAVE A WHEEL GROUP USER

It's normally advisable to deny root logins from the shell. To do this, press ESC on your keyboard to switch off INSERT mode in vi, then type: /#PermitRootLogin

the line it finds should look like: #PermitRootLogin yes

Press I to put vi back into insert mode, edit the line so that it looks like: PermitRootLogin no

With that option disabled you will have to log into your server as an unprivileged user and use the su - command to change to root when you need elevated privileges.
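
Before restarting, it is worth checking that all four edits actually took effect. The script below is an added example, not part of the original HOWTO: it audits a config file for the Port, Protocol, ListenAddress and PermitRootLogin changes described above. The function names, port 22022 and address 192.0.2.10 are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the original HOWTO: audit the four sshd_config
# settings it changes. All sample values below are constructed.

# values FILE KEYWORD: print each uncommented value of KEYWORD, one per line.
# (sshd_config keywords are case-insensitive.)
values() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(key) { $1 = ""; sub(/^[ \t]+/, ""); print }
    ' "$1"
}

# audit_sshd_config FILE: print one finding per line; status 1 if any.
audit_sshd_config() {
    f=$1; bad=0
    ports=$(values "$f" Port)
    if [ -z "$ports" ] || printf '%s\n' "$ports" | grep -qx 22; then
        echo "Port: still 22 (or commented out)"; bad=1
    fi
    proto=$(values "$f" Protocol | head -n 1)
    [ "$proto" = 2 ] || { echo "Protocol: '$proto' is not exactly 2"; bad=1; }
    addrs=$(values "$f" ListenAddress)
    if [ -z "$addrs" ]; then
        echo "ListenAddress: commented out, sshd binds every address"; bad=1
    elif printf '%s\n' "$addrs" | grep -Eq '^(0\.0\.0\.0|\[::\])(:[0-9]+)?$|^::$'; then
        echo "ListenAddress: wildcard address still present"; bad=1
    fi
    root=$(values "$f" PermitRootLogin | head -n 1)
    [ "$root" = no ] || { echo "PermitRootLogin: '$root' is not no"; bad=1; }
    return "$bad"
}

# Constructed samples: the untouched block from the HOWTO, then an edited one.
# Port 22022 and 192.0.2.10 (documentation range) are placeholders.
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
printf '%s\n' '#Port 22' '#Protocol 2, 1' '#ListenAddress 0.0.0.0' \
    '#ListenAddress ::' '#PermitRootLogin yes' > "$tmpdir/default"
printf '%s\n' 'Port 22022' 'Protocol 2' 'ListenAddress 192.0.2.10' \
    '#ListenAddress ::' 'PermitRootLogin no' > "$tmpdir/hardened"

for cfg in default hardened; do
    echo "== $cfg"
    audit_sshd_config "$tmpdir/$cfg" || true
done
```

Point audit_sshd_config at /etc/ssh/sshd_config once you have saved your edits; running sshd -t as well checks the file for syntax errors before the restart.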

Restart SSH
Now all you need to do is restart sshd. I would suggest leaving your current SSH session open in case you messed up and can't log in again. To restart SSH on most distros type: /etc/init.d/ssh restart

Then try to log in to SSH via the IP address you set the ListenAddress option to earlier, using the new port you chose. If it works, you will have to log in as someone other than root.