Harden SSH Server

Secure Shell or SSH is a network protocol that allows data to be exchanged using a secure channel between two networked devices. The encryption used by SSH provides confidentiality and integrity of data over an insecure network, such as the Internet. You can use it for shell access (remote command line access), secure file transfer (sftp), as well as a wrapper/tunnel for other protocols. Once you understand how SSH works, you will find that it is usually the only public daemon/server that you need on a computer to access it securely. OpenSSH is a free version of the SSH connectivity tools. The server and client packages are openssh-server and openssh-client respectively.

Specify who can log in through SSH

By default, any user (except the passwordless root user) can log in with a simple password. Fortunately this can easily be restricted using the OpenSSH server configuration file. Just edit the /etc/ssh/sshd_config file (as root) and add the desired directives shown below. You don't need them all; just use what suits your needs.

OpenSSH provides several directives for expressing these restrictions:

AllowUsers, AllowGroups, DenyUsers, DenyGroups 

Only users frank, dean, and sammy will be able to log in via ssh.

AllowUsers frank dean sammy 

Only users who are part of the group ratpack or artists will be able to log in via ssh.

AllowGroups ratpack artists

This is the opposite of AllowUsers. All users except for dolly and conway will be able to log in via ssh.

DenyUsers dolly conway 

This is the opposite of AllowGroups. All groups except for nashville and bubblegum will be able to log in via ssh.

DenyGroups nashville bubblegum 

Public Key Authentication

By default, installing openssh-server leaves password authentication enabled: a login needs only a username and a password, which can sometimes be easy to guess. A password is not the most secure way to connect, so the better option is to require public key authentication.

On the client, generate a key and copy it to the SSH server. Be sure to replace the words server and user with the IP address of the server and your username respectively. It is simpler if the username is the same on both the client and the server, as you then do not need to enter it every time.

ssh-keygen
# Follow prompts to set a passphrase for the key
# Note: this copies your public key as the whole authorized_keys file, replacing any keys already in it;
# the ~/.ssh directory must already exist on the server
scp .ssh/id_rsa.pub user@server:/home/user/.ssh/authorized_keys

On the server run:

sudo gedit /etc/ssh/sshd_config 

Change the following line from:

#PasswordAuthentication yes 

to:

PasswordAuthentication no 

Restart SSH server using this command:

sudo /etc/init.d/ssh restart 

Keeping tabs on who logs in through SSH

The following command will allow you to check who has logged into the SSH server:

grep sshd /var/log/auth.log
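As an added example that is not part of the original wiki page, the following POSIX shell script checks a sshd_config for the directives covered above, honouring sshd's first-match rule so that a still-commented #PasswordAuthentication yes line is reported as not applied, and reduces the auth.log grep from the last section to a count of accepted and failed logins. The config and log files it reads are constructed samples and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original page): audit sshd_config for the
# directives above and summarise sshd login events. Inputs are constructed.

# Effective global value of a directive. sshd takes the FIRST uncommented
# match (keywords are case-insensitive) and stops at the first Match block,
# so "#PasswordAuthentication yes" is only a comment: the built-in default
# (yes) still applies. Prints the value, or "default" when the line is absent.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/  { next }
        tolower($1) == "match" { exit }
        tolower($1) == key     { print $2; found = 1; exit }
        END { if (!found) print "default" }' "$1"
}

# Returns 0 when password logins are off AND an AllowUsers/AllowGroups
# list is present; otherwise prints a WARN per finding and returns 1.
audit_sshd_config() {
    rc=0
    pw=$(sshd_effective "$1" PasswordAuthentication)
    if [ "$pw" = no ]; then echo "OK   PasswordAuthentication no"
    else echo "WARN PasswordAuthentication=$pw (sshd default: yes): password logins allowed"; rc=1; fi
    if [ "$(sshd_effective "$1" AllowUsers)" = default ] &&
       [ "$(sshd_effective "$1" AllowGroups)" = default ]; then
        echo "WARN no AllowUsers/AllowGroups: every account may log in"; rc=1
    else echo "OK   logins restricted by AllowUsers/AllowGroups"; fi
    return $rc
}

# Count sshd accepted vs failed logins in an auth.log (the grep above,
# reduced to two numbers). Prints "accepted=N failed=N".
ssh_login_summary() {
    grep sshd "$1" | awk '/Accepted/ { a++ } /Failed password/ { f++ }
        END { printf "accepted=%d failed=%d\n", a, f }'
}

# Constructed sample inputs: the "before" and "after" configs and a log.
TMP=$(mktemp -d)
printf '#PasswordAuthentication yes\nPermitRootLogin no\n' > "$TMP/before"
printf 'PasswordAuthentication no\nAllowUsers frank dean sammy\n' > "$TMP/after"
cat > "$TMP/auth.log" <<'EOF'
Jan 12 00:40:01 host sshd[2101]: Accepted publickey for frank from 192.0.2.10 port 51234 ssh2
Jan 12 00:41:17 host sshd[2150]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2
Jan 12 00:41:20 host sshd[2150]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2
Jan 12 00:42:05 host cron[2200]: pam_unix(cron:session): session opened for user root
EOF
audit_sshd_config "$TMP/before" || echo "=> before: NOT hardened"
audit_sshd_config "$TMP/after" && echo "=> after: hardened"
ssh_login_summary "$TMP/auth.log"
```

Run it against the real files with audit_sshd_config /etc/ssh/sshd_config and ssh_login_summary /var/log/auth.log once the functions are sourced.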

komputes/HardenSSH (last edited 2010-01-12 00:48:06 by bd7aa2a4)