Posted by ashwoods on Mon 30 Oct 2006 at 15:52
SSH is not only the secure replacement for rlogin, rsh and telnet, which has been used in the past to do remote administration work, but there are also neat tricks like port forwarding, vpn tunneling and file transfers that you can do with minimal configuration work, leaving only one port open to the internets.
If you keep your SSH server up to date and choose your passwords wisely, you can sleep well at night without worrying about all those script kiddies and bots scanning your ports and attacking your SSH server with brute force or dictionary attacks.
You will however see constant attacks in your logs like these:
Oct 20 16:03:51 server02 sshd: Illegal user ftpuser from ::ffff:220.127.116.11
Oct 20 16:03:52 server02 sshd: Illegal user ftpuser from ::ffff:18.104.22.168
Oct 20 16:03:53 server02 sshd: Illegal user ftpuser from ::ffff:22.214.171.124
Oct 20 16:03:54 server02 sshd: Illegal user ftpuser from ::ffff:126.96.36.199
Oct 20 16:03:56 server02 sshd: Illegal user ftpuser from ::ffff:188.8.131.52
This doesn't mean a hacker is trying to break in using some SSH exploit, these are normally automated attempts from zombie bots or script kiddies with dictionary attacks to break into your system, sometimes using virus infested machines to do the work. You can get hundreds of attempts every day, and this might make you feel a little bit uneasy.
Even if SSH is very secure out of the box, there are several things you can do to make it more secure and avoid all those emails logs full of bot attacks, without having to configure a full blown IDS system. The following tips apply to OpenSSH on a debian system, but should be very similar in other systems.
How you secure SSH will depend on your specific needs, so the first step is to consider your current use of SSH. Are you a roadwarrior and connecting to your servers from different computers or IP addresses, do all the users of the system really need SSH?
It is better to make the changes locally, as you might lock yourself out while reconfiguring your network.
Step 1 : Secure the default SSH configuration.
a) Don't allow root to remote login
It is safer to login as another user and use su.
b) Limit the users or groups that can login in remotely.
Unless you are a ISP you can normally limit the users that can login to a few. You can also limit your users to certain machines or hosts.
c) Allow only Protocol 2:
Protocol 1 is less secure and obsolete.
d) Use PubkeyAuthentication authentication instead of passwords:
Instead of using a password to login, a keypair is placed on the server and the client. The client can prompt for a paraphrase, but no password is sent over the network. If you connect from several computers, you have to have the key on each one or carry it around in a USB stick. Howto configure.
e) Change the default port 22 to something higher
I consider this security by obscurity. This makes it only one step "harder" for a determined hacker (all he has to do is scan your ports), but it does help with most automated bot attacks, most scripts check only for port 22 because scanning ports is time consuming. This trick alone will empty most of your logs of attack junk.
f) don't listen on all addresses if posible:
Step 2: Re-configure your firewall - block those connections in the first place
There are several ways of doing this. The easiest way is to limit connections to certain IP's or subnets. This may not be practical if you are constantly on the road and need SSH access, more complex set ups like port knocking are also possible.
a) configure your firewall to allow only certain IP's (or subnets) if posible.
b) install some nice brute force attack detectors - there are several packages that can detect a brute force attack and block those IP's automatically.
On debian I use the aptable denyhosts python script, that automatically blocks ssh brute-force attacks by adding entries to /etc/hosts.deny. You do have to check if you are not blocking legitimate IP's, attacks can be spoofed or come from an innocent virus infested machine.
Other similar programs update your iptables configuration, like apf + bfd, that scan your log files for breakin attempts and create automatic rules blocking the IP of the attacker.
Step 3: Extra security - One time passwords and port knocking
The steps mentioned above will clear up your logs and make your system more secure. But there are certain scenarios that could benefit from some extra security work. If you have many users that must have access from anywhere in the world (including unsecured computers), and having them carry their key in a USB stick is not practical, you can make them use one time passwords, libpam-opie:
Use OPIE one time passwords for PAM authentication. A one time password is useful to avoid having your password sniffed and reused if you log in via an unencrypted channel or from a compromised system. The PAM module enables OPIE for programs such as SSH which use PAM for authentication.
Sounds interesting, but I have never set this up myself, and even if OPIE passwords are really good against keyloggers, I prefer using key-host based authentication.
Another very interesting concept is Port Knocking:
port knocking is a method of externally opening ports on a firewall by generating a connection attempt on a set of prespecified closed ports. Once a correct sequence of connection attempts is received the firewall rules are dynamically modified to allow the host which sent the connection attempts to connect over specified port(s)
In other words, your SSH port is closed, until you send a specific secret combination of packets. So even a hacker would have a hard time finding your SSH port in the first place.
Some extra advice!
This advice concerns linux security in general, most people are lazy so I will repeat them.
Enforce good passwords: install libpam_cracklib: a PAM module that tests passwords to make sure they are not too weak during password change.
Read your logs! Install logcheck and/or logrotate to make your log reading life easier.
Keep your system up-to-date! For non-critical debian systems you can use something like unattended-upgrades to keep the security packages updates automatic.
There are several packages that can improve security with little effort: tiger, harden, bastille and a firewall of choice.
**** Disclaimer: Do I really need this? I am not an expert, so read all the docs anyways.***
Am I missing anything?