Sun 1 Apr 2007
Using a higher SSH listening port number:
Attackers generally use port scanner software to see whether hosts are running an SSH service. SSH listens for connections on port 22 by default, so it is wise to move the SSH port to a number higher than 1024, because most port scanners do not scan the high ports, which helps protect your SSH service.
You can implement this by editing the sshd_config file:
*) Open the /etc/ssh/sshd_config file and look for the line that says:
Port 22
Change the port number to one higher than 1024, and restart the SSH service:
/etc/init.d/ssh restart
Using SSH protocol 2:
SSH supports two protocol versions, SSH1 and SSH2. Protocol 2 is much more secure than protocol 1, so you should make the following change in your sshd_config:
Edit /etc/ssh/sshd_config and look for the line that says:
Protocol 2,1
Change the line so it says only Protocol 2.
Allowing only specific users to log in via SSH:
Securing root access is the most important step for your server's security. You should not permit root logins via SSH: if anyone gets a root login to your system, he can do far more damage than with a normal user login, so it is better to configure the SSH server so that the root user is not allowed to log in. To do this, edit the sshd_config file as follows:
Find the line that says:
PermitRootLogin yes
Change the option "yes" to "no" and restart the service.
You can then log in with any other defined user and switch to user root if you want to become a superuser.
It is wise to create a dummy local user with absolutely no rights on the system and use that user to log in via SSH. That way no harm can be done if the user account is compromised.
If you want only certain users to be able to log in via SSH, you can list them in your sshd_config file. For example, to allow the users anze, dasa and kimy to log in via SSH, edit your sshd_config file and add all of them on one line at the end of the file:
AllowUsers anze dasa kimy
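The four sshd_config edits above (Port, Protocol, PermitRootLogin, AllowUsers) are easy to get wrong by hand, for example by leaving a second active PermitRootLogin line behind. The script below is an added example, not part of the original post: it applies all four settings to a copy of the file in one pass, replacing active or commented directives and appending any that are missing, and then reads the result back. The function names and the sample config are my own constructions.

```sh
#!/bin/sh
# set_sshd_option FILE KEY VALUE
# Replace every active or commented "KEY ..." line in FILE with one
# "KEY VALUE" line (sshd keywords are case-insensitive), or append it.
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp="${file}.tmp.$$"
    awk -v key="$key" -v value="$value" '
        BEGIN { done = 0; re = "^[ \t]*#?[ \t]*" tolower(key) "([ \t]|$)" }
        tolower($0) ~ re { if (!done) { print key " " value; done = 1 }; next }
        { print }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# harden_sshd_config FILE PORT USER...
# Apply the settings from the post above to FILE: a non-default port,
# protocol 2 only, no root login and an explicit AllowUsers list.
harden_sshd_config() {
    file=$1; port=$2; shift 2
    set_sshd_option "$file" Port "$port"
    set_sshd_option "$file" Protocol 2
    set_sshd_option "$file" PermitRootLogin no
    set_sshd_option "$file" AllowUsers "$*"
}

# sshd_option FILE KEY
# Print the active (uncommented) value of KEY, as a quick check of the result.
sshd_option() {
    awk -v key="$2" 'tolower($1) == tolower(key) {
        sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; exit }' "$1"
}

# Constructed sample of a stock sshd_config; not taken from a real host.
demo=$(mktemp) || exit 1
cat > "$demo" <<'EOF'
# Package generated configuration file
Port 22
Protocol 2,1
#PermitRootLogin yes
PermitRootLogin yes
X11Forwarding yes
EOF
harden_sshd_config "$demo" 2222 anze dasa kimy
echo "Port=$(sshd_option "$demo" Port) AllowUsers=$(sshd_option "$demo" AllowUsers)"
cat "$demo"
rm -f "$demo"
```

Run it against a copy of the real file, check the copy with `sshd -t -f COPY` before moving it into place, and only then restart the daemon, so a typo cannot lock you out of the server.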
Using TCP wrappers to allow only specific hosts to connect:
If you want only specific hosts on a network to be able to connect to your SSH service, and you don't want to use or disturb your iptables configuration, you can use TCP wrappers. Here you will make a rule that allows only specific hosts on your local subnet.
By default, TCP wrappers first look in the /etc/hosts.deny file to see which hosts are denied for which service. Next, they look in the /etc/hosts.allow file to see if there are any rules that allow hosts to connect to a specific service. Create a rule like this in /etc/hosts.deny:
sshd: ALL
This means that all hosts are forbidden to access the SSH service. Next, create a rule in /etc/hosts.allow to allow only specific hosts to use the SSH service:
sshd: ip addresses of hosts
For example:
sshd: 192.168.1 193.180.177.13
Now only hosts from the 192.168.1.0/24 network and the host 193.180.177.13 can access the SSH service. All other hosts are disconnected before they even get to the login prompt, and receive an error like this:
ssh_exchange_identification: Connection closed by remote host
Time-locking SSH sessions:
You can use the iptables limit parameters to restrict connections to the SSH service to a given rate per time period. The /second, /minute, /hour or /day units are available.
*) In the first example, if a user enters the wrong password, access to the SSH service is blocked for one minute, and the user gets only one login try per minute from that moment on:
~# iptables -A INPUT -p tcp -m state --syn --state NEW --dport 22 -m limit --limit 1/minute --limit-burst 1 -j ACCEPT
~# iptables -A INPUT -p tcp -m state --syn --state NEW --dport 22 -j DROP
*) In a second example, iptables are set to allow only host 193.180.177.13 to connect to the SSH service. After three failed login tries, iptables allows the host only one login try per minute:
~# iptables -A INPUT -p tcp -s 193.180.177.13 -m state --syn --state NEW --dport 22 -m limit --limit 1/minute --limit-burst 1 -j ACCEPT
~# iptables -A INPUT -p tcp -s 193.180.177.13 -m state --syn --state NEW --dport 22 -j DROP
Note: after changing all required settings in /etc/ssh/sshd_config you need to restart your SSH server daemon with /etc/init.d/ssh restart in order to make all changes effective.
3 Responses to “Securing your secure shell (SSH) service”
July 5th, 2007 at 3:37 pm
The example in "Time-locking SSH session;" doesn't seem to work.
os: Suse 10.2 32-bit
Any suggestions?
SSH ident. with passphrase
July 11th, 2007 at 2:29 pm
I have done that. But I got the message "permission denied" when saving the file.
July 22nd, 2007 at 2:33 pm
My HTTP service is going down from time to time. The tech support advised me to change the SSH port. Looking for a good tutorial for that. I have a Linux box. Thanks