Wednesday, August 11, 2010

Hardening SSH Server In The DMZ(De Militarised Zone)

Its good to harden your box which is in DMZ.
What is DMZ?
Ans : DMZ is a De Militarised Zone where we will be keeping our servers, so that they can be access by out side people. Let me explain more about this DMZ. Who are not familiarise(And this activity is most of the time a Network admin work).
1. DMZ is a place where we will be isolate machines from companies local LAN.
2. These DMZ machines will have different IP address range and subnet.
3. The communication between two machines in DMZ is blocked for security reasons.
4. We cannot login to Local LAN machine from a DMZ machine, but we can login to DMZ machine from local LAN(only one way communication from LAN).
5. Ping to these machines will be disabled(most of the companies will do this for security reasons).
6. The way these machines communicate totally depends on network team what type of rule they set on their routers.
7. The security of DMZ machines are more when compared to local LAN machines(in other ways every thing is restricted to DMZ machines).
8. Only required ports are opened on DMZ machines and remaining ports are in closed or reject state(This should be done on system by Linux admin and on network level done by companies network engineer).

Once you keep your Linux machine in DMZ first and far-most thing to do is to secure SSH logins to the server.

In this post we will see some security measures for SSH to be taken when system is kept in DMZ. Most of the SSH settings are located in /etc/ssh/sshd_config (Red hat/Debian based systems).

1. Set Maximum failed login attempts, so after that many login attempts connection to the server is reseted and once again we have to connect to server.
MaxAuthTries 3
Here I have set failed login attempts to 3.

2. Disable root to login through SSH. This is a good option to force the user not to use root user to login to the server
PermitRootLogin no
Here we set it to no which indicates root can not login.

3. We should disable logging of users who donot have passwords. 
PermitEmptyPasswords no

4. Allow only users who have passwords.
PasswordAuthentication yes

5. Specify who should access this server. I can say this one is more secure because SSH will allow only the users who are specified here. 
AllowUsers test1 test2
Here I have allowed only two users i.e. test1 and test2.

6. Set-up a login banner to give warnings to the users how are logging in to that server 
Banner /etc/ssh-banner
Please specify the warning message in /etc/ssh-banner.

Once done the above changes in /etc/ssh/sshd_config file just reload the ssh server.

Note : Don't restart SSH service on production servers. Its not advisable to do it. so in-order to update your changes always use reload option. Most of the services will support reload option with service command.
#service sshd reload