SSH security and configuration (SSH Server Hardening)


What is the first thing that comes to mind when you want to enter a home? There is a door, and you have to open it. In the computer world, if you want to access a machine running a Linux or Unix OS, you have to go through SSH.

 

What is SSH: SSH (Secure Shell) is a cryptographic network protocol designed to give the greatest protection when accessing another host to manage it and execute commands. It provides secure, encrypted communication between hosts over a secure channel.

Figure 1: How SSH works (simple diagram).

 

Follow the steps below, as needed, to secure your SSH server.

Note: You need sudo access to make any changes to the SSH config file. Be careful when editing on a production server.

1. Strong Usernames and Passwords

If an organization runs an SSH server and needs to log in with a username and password rather than with keys, make sure to use strong usernames and passwords; this helps fight against attacks. Many organizations rotate passwords every 30 or 90 days. Communicate with and educate users not to share passwords or write them down anywhere.

2. Configure Idle Timeout Interval

You can set an idle timeout interval to avoid leaving an SSH session unattended.

$ sudo vim /etc/ssh/sshd_config

Add the following lines:

ClientAliveInterval 360

ClientAliveCountMax 3

Note: The interval is in seconds. Once the interval has passed, the idle user is automatically logged out.

3. Disable Empty Passwords

Disable remote logins with an empty password.

$ sudo vim /etc/ssh/sshd_config

PermitEmptyPasswords no

4. Disable Root Logins

On a Linux system the administrator is the root user. Attackers attempt to brute-force the root password, and if they steal it, nothing can save your server. Disabling SSH login for the root user can save the world.

$ sudo vim /etc/ssh/sshd_config

PermitRootLogin no

Now you are safe from brute-force root logins. If you then need root access, simply log in as a normal user and use the su command.

5. Only Use SSH Protocol Version 2

SSH has two protocol versions, 1 and 2. Protocol 1 is old and less secure; use protocol version 2 for better security. These days most Linux systems use protocol version 2 by default, but it is good practice to verify this before the server goes live.

To enable SSH protocol 2, follow the steps below.

  • Open the /etc/ssh/sshd_config file (you will need sudo access for this)
$ sudo vim /etc/ssh/sshd_config
  • Search for “Protocol” by typing /Protocol
  • Remove the 1 at the end and enter 2. It should look like

Note: You need to restart the SSH service to apply any config changes. Verify the SSH config file before the restart:

 $ sudo sshd -T
 $ sudo service sshd restart
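
The settings from sections 2 to 5 can be checked against the effective configuration that sshd -T prints. The script below is an added example, not part of the original post; the function name audit_sshd, the sample output and the accepted ranges (an interval of 1 to 360 seconds, a count of 1 to 3) are assumptions.

```bash
#!/usr/bin/env bash
# Added example: audit `sshd -T` output against the settings from this post.

# audit_sshd reads effective config ("keyword value" lines) on stdin, prints
# one FAIL line per deviation and returns non-zero if any deviation is found.
audit_sshd() {
  awk '
    function show(key) { return (key in cfg) ? cfg[key] : "<unset>" }
    function need(key, want) {
      if (show(key) != want) {
        printf "FAIL %s is %s, want %s\n", key, show(key), want; bad++
      }
    }
    function range(key, lo, hi,    v) {
      v = show(key)
      if (v !~ /^[0-9]+$/ || v + 0 < lo || v + 0 > hi) {
        printf "FAIL %s is %s, want %d..%d\n", key, v, lo, hi; bad++
      }
    }
    NF >= 2 { cfg[tolower($1)] = tolower($2) }
    END {
      need("permitrootlogin", "no")          # section 4
      need("permitemptypasswords", "no")     # section 3
      range("clientaliveinterval", 1, 360)   # section 2; 0 turns keepalives off
      range("clientalivecountmax", 1, 3)     # section 2
      # Assumption: servers without protocol 1 support may print no such line.
      if ("protocol" in cfg) need("protocol", "2")   # section 5
      exit (bad ? 1 : 0)
    }
  '
}

# Constructed samples of `sshd -T` output (not taken from a real host).
sample_good='port 22
permitrootlogin no
permitemptypasswords no
clientaliveinterval 360
clientalivecountmax 3'
sample_bad='port 22
permitrootlogin yes
permitemptypasswords no
clientaliveinterval 0
clientalivecountmax 3'

printf '%s\n' "$sample_good" | audit_sshd && echo "sample_good: OK"
printf '%s\n' "$sample_bad"  | audit_sshd || echo "sample_bad: needs fixing"
# On a real server (needs sudo, as in the post): sudo sshd -T | audit_sshd
```

Running the audit before the restart catches a setting that a later line or an included file has overridden, since sshd -T reports the values the daemon will actually use.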

 

We will keep updating this in the next post…

 
