Advanced SSH security tips and tricks

The SSH server configuration file is located in /etc/ssh/sshd_conf. You need to restart the SSH service after every change you make to that file in order for changes to take effect.

Change SSH listening port

By default, SSH listens for connections on port 22. Attackers use port scanner software to see whether hosts are running an SSH service. It's wise to change the SSH port to a number higher than 1024 because most port scanners (including nmap) by default don't scan high ports.

Open the /etc/ssh/sshd_config file and look for the line that says:




Port 22

Change the port number and restart the SSH service:




/etc/init.d/ssh restart

Allow only SSH protocol 2

There are two versions of the SSH protocol. Using SSH protocol 2 only is much more secure; SSH protocol 1 is subject to security issuesincluding man-in-the-middle and insertion attacks. Edit /etc/ssh/sshd_config and look for the line that says:




Protocol 2,1

Change the line so it says only protocol 2.

Allow only specific users to log in via SSH

You should not permit root logins via SSH, because this is a big and unnecessary security risk. If an attacker gains root login for your system, he can do more damage than if he gains normal user login. Configure SSH server so that root user is not allowed to log in. Find the line that says:




PermitRootLogin yes

Change yes to no and restart the service. You can then log in with any other defined user and switch to user root if you want to become a superuser.

It is wise to create a dummy local user with absolutely no rights on the system and use that user to login into SSH. That way no harm can be done if the user account is compromised. When creating this user, make sure it's in the wheel group, so that you can switch to superuser.

If you would like to have a list of users who are the only ones able to log in via SSH, you can specify them in the sshd_config file. For example, let's say I want to allow users anze, dasa, and kimy to log in via SSH. At the end of sshd_config file I would add a line like this:




AllowUsers anze dasa kimy

Create a custom SSH banner

If you would like any user who connects to your SSH service to see a specific message, you can create a custom SSH banner. Simply create a text file (in my example in /etc/ssh-banner.txt) and put any kind of text message in it; for example:

*****************************************************************
*This is a private SSH service. You are not supposed to be here.*
*Please leave immediately. *
*****************************************************************

When done editing, save the file. In the sshd_conf file, find a line that says:




#Banner /etc/issue.net

Uncomment the line and change the path to your custom SSH banner text file.

Using DSA public key authentication

Instead of using login names and passwords for SSH authentication, you can use DSA public keys for authentication. Note that you can have both login names and DSA public key authentication enabled at the same time. Having a DSA public keys authentication enabled makes your system bulletproof against dictionary attacks, because you don't need a login name and password to log in into SSH service. Instead, you need a pair of DSA keys -- one public and one private. You keep the private key on your machine and copy the public key to the server. When you want to log in to an SSH session, the server checks the keys, and if they match, you are dropped into the shell. If the keys don't match, you are disconnected.

In this example the private machine (from which I will connect to the server) is station1 and the server machine is server1. On both machines I have the same home folder; this won't work if the home folders are different on client and server machine. First you need to create a pair of keys on your private machine with the command ~$ ssh-keygen -t dsa. You'll be prompted for a pass-phrase for your private key, but you can leave it blank because this is not a recommended method. A key pair is generated: your private key is located in ~/.ssh/id_dsa and your public key is located in .ssh/id_dsa.pub.

Next, copy the contents of ~/.ssh/id_dsa.pub to server1 into the ~/.ssh/authorized_keys file. The content of ~/.ssh/id_dsa.pub file should look something like this:




~$ cat .ssh/id_dsa.pub
ssh-dss AAAAB3NzaC1kc3MAAACBAM7K7vkK5C90RsvOhiHDUROvYbNgr7YEqtrdfFCUVwMWcJYDusNG
AIC0oZkBWLnmDu+y6ZOjNPOTtPnpEX0kRoH79maX8NZbBD4aUV91lbG7z604ZTdrLZVSFhCI/Fm4yROH
Ge0FO7FV4lGCUIlqa55+QP9Vvco7qyBdIpDuNV0LAAAAFQC/9ILjqII7nM7aKxIBPDrQwKNyPQAAAIEA
q+OJC8+OYIOeXcW8qcB6LDIBXJV0UT0rrUtFVo1BN39cAWz5puFe7eplmr6t7Ljl7JdkfEA5De0k3WDs
9/rD1tJ6UfqSRc2qPzbn0p0j89LPIjdMMSISQqaKO4m2fO2VJcgCWvsghIoD0AMRC7ngIe6btaNIhBbq
ri10RGL5gh4AAACAJj1/rV7iktOYuVyqV3BAz3JHoaf+H/dUDtX+wuTuJpl+tfDf61rbWOqrARuHFRF0
Tu/Rx4oOZzadLQovafqrDnU/No0Zge+WVXdd4ol1YmUlRkqp8vc20ws5mLVP34fST1amc0YNeBp28EQi
0xPEFUD0IXzZtXtHVLziA1/NuzY= anze@station1.example.com

If the file ~/.ssh/authorized_keys already exists, append the contents of the file ~/.ssh/id_dsa.pub to the file ~/.ssh/authorized_keys on server1. The only thing left to do is to set the correct permissions of ~/.ssh/authorized_keys file on server1:




~$ chmod 600 ~/.ssh/authorized_keys

Now, configure the sshd_conf file to use the DSA keys authentication. Make sure you have the following three lines uncommented:




RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys

Restart the service. If you configured everything correctly, you should now be able to SSH to your server and fall directly into your home folder without any interaction.

If you would like to use DSA authentication only, make sure you uncomment and change the PasswordAuthentication line in sshd_config from yes to no:




PasswordAuthentication no

If anyone tries to connect to your SSH service and doesn't have a public key on the server, he will be rejected without even seeing the login prompt with this error:




Permission denied (publickey).

Using TCP wrappers to allow only specific hosts to connect

This approach is useful if you would like to allow only specific hosts on a network to be able to connect to your SSH service, but you don't want to use or mess up your iptables configuration. Instead, you can use TCP wrappers; in this case the sshd TCP wrapper. I will make a rule to allow only hosts on my local subnet 192.168.1.0/24 and remote host 193.180.177.13 to connect to my SSH service.

By default TCP wrappers first look in the /etc/hosts.deny file to see what hosts are denied for what service. Next, TCP wrapper looks in /etc/hosts.allow file to see if there are any rules that would allow hosts to connect to a specific service. I'll create a rule like this in /etc/hosts.deny:




sshd: ALL

This means that by default all hosts are forbidden to access the SSH service. This needs to be here, otherwise all hosts would have access to the SSH service, since TCP wrappers first looks into hosts.deny file and if there is no rule regarding blocking SSH service, any host can connect.

Next, create a rule in /etc/hosts.allow to allow only specific hosts (as defined earlier) to use the SSH service:




sshd: 192.168.1 193.180.177.13

Now only hosts from the 192.168.1.0/24 network and the 193.180.177.13 host can access the SSH service. All other hosts are disconnected before they even get to the login prompt, and receive an error like this:

ssh_exchange_identification: Connection closed by remote host

Using iptables to allow only specific hosts to connect

An alternative to TCP wrappers (although you can use both at the same time) is limiting SSH access with iptables. Here's a simple example of how you can allow only a specific host to connect to your SSH service:




~# iptables -A INPUT -p tcp -m state --state NEW --source 193.180.177.13 --dport 22 -j ACCEPT

And make sure no one else has access to SSH service:




~# iptables -A INPUT -p tcp --dport 22 -j DROP

Save your new rules and you're all done.

SSH time-lock tricks

You can also use different iptables parameters to limit connections to the SSH service for specific time periods. You can use the /second, /minute, /hour, or /day switch in any of the following examples.

In the first example, if a user enters the wrong password, access to the SSH service is blocked for one minute, and the user gets only one login try per minute from that moment on:




~# iptables -A INPUT -p tcp -m state --syn --state NEW --dport 22 -m limit --limit 1/minute --limit-burst 1 -j ACCEPT
~# iptables -A INPUT -p tcp -m state --syn --state NEW --dport 22 -j DROP

In a second example, iptables are set to allow only host 193.180.177.13 to connect to the SSH service. After three failed login tries, iptables allows the host only one login try per minute:




~# iptables -A INPUT -p tcp -s 193.180.177.13 -m state --syn --state NEW --dport 22 -m limit --limit 1/minute --limit-burst 1 -j ACCEPT
~# iptables -A INPUT -p tcp -s 193.180.177.13 -m state --syn --state NEW --dport 22 -j DROP

Conclusion

These features are not hard to configure, but they are very powerful techniques for securing your SSH service. It's a small price to pay for a good night's sleep.

7 Default OpenSSH Security Options You Should Change in /etc/ssh/sshd_config

OpenSSH options are controlled through the /etc/ssh/sshd_config file. This article explains the 7 default options in sshd_config file that you should change.

In sshd_config, the lines that start with # are comments. For those options that uses the default values, the sshd_config file contains a commented line with the option and its default value.

This makes it easier for us, as we can see the OpenSSH option name and the default value without having to lookup somewhere else.

For example, sshd_config file contains the following commented line. This indicates that the PubkeyAuthentication option contains “yes” as the default value.

$ grep -i pubkey /etc/ssh/sshd_config
#PubkeyAuthentication yes

If you like to change this, you should remove the comment and change the value (from yes to no) as shown below.

$ vi /etc/ssh/sshd_config
PubkeyAuthentication no

I showed the above only as an example. You don’t need to change the default value of PubkeyAuthentication option, as allowing public key authentication is good.

You don’t need to modify any of the default values in the sshd_config file except the 7 options mentioned in this article.

1. Disable Root Login (PermitRootLogin)

By default you can ssh to the server as root. It is best not to allow root to login directly to the server. Instead, you should login to the system as your account and then do ‘su -’ to login as root.

If you have multiple sysadmins in your organization, and if they all login to the server directly as root, you might not know which sysadmin logged in as root. Instead, if you disable login as root, sysadmins are forced to login as their account first, before they can do ‘su -’, this makes the auditing easier.

Add the following entry to sshd_config to disable root to login to the server directly.

$ vi /etc/ssh/sshd_config
PermitRootLogin no

2. Allow Only Specific Users or Groups (AllowUsers AllowGroups)

By default anybody who is authenticated successfully are allowed to login. Instead you can restrict which users (or groups) you allow to login to the system.

This is helpful when you have created several user accounts on the system, but want only few of them to login.

This is also helpful when you are using NIS, openLDAP (or some other external system) for authentication. Every user in your company might have account on NIS, OpenLDAP etc. But, on a specific server you want only few of them to login. For example, on production system you want only sysadmins to login.

Add the following entry to the sshd_config file to allow only specific users to login to the system. In the example below only ramesh, john and jason can login to this system. Usernames should be separated by space.

$ vi /etc/ssh/sshd_config
AllowUsers ramesh john jason

Add the following entry to the sshd_config file to allow only the users who belong to a specific group to login. In the exampe below only users who belong to sysadmin and dba group can login to the system.

$ vi /etc/ssh/sshd_config
AllowGroups sysadmin dba

3. Deny Specific Users or Groups (DenyUsers DenyGroups)

Instead of allowing specific users (or groups), you can also deny specific users or groups.

Add the following entry to the sshd_config file to deny specific users to login to the system. In the example below cvs, apache, jane cannot login to this system. Usernames should be separated by space.

$ vi /etc/ssh/sshd_config
DenyUsers cvs apache jane

Add the following entry to the sshd_config file to deny users who belong to a specific group to login. In the exampe below users who belong to developers and qa group cannot login to the system.

$ vi /etc/ssh/sshd_config
DenyGroups developers qa

Note: You can use combination of all the Allow and Deny directivies. It is processed in this order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups

4. Change SSHD Port Number (Port)

By default ssh runs on port 22. Most of the attackers will check if a server is open on port 22, and will randomly use brute force to login to the server using several username and password combination.

If you change the port # to something different, others need to know exactly what port to use to login to the server using ssh. The exampe below uses port 222 for ssh.

$ vi /etc/ssh/sshd_config
Port 222

From your logs (/var/log/secure), if you see lot of invalid logins using ssh for accounts that don’t exist on your system, from the
ip-address that you don’t recognize, it migth be some brute-force attack. Those kind of ssh invalid login will stop, if you change the port number.

Please note that this causes little inconvenience to your team who login to the system, as they need to know both the ip-address and the port number.

5. Change Login Grace Time (LoginGraceTime)

When you ssh to a server, you have 2 minutes to login. If you don’t successfully login within 2 minutes, ssh will disconnect.
2 minutes time to login successfully is too much. You should consider changing it to 30 seconds, or may be 1 minute.

Add the following entry to the sshd_config file to change the login grace time from 2 minutes to 1 minute.

$ vi /etc/ssh/sshd_config
LoginGraceTime 1m

6. Restrict the Interface (IP Address) to Login (ListenAddress)

If you have multiple interfaces on the server that are configured to different ip-address, you might not want everybody to login to the server using all those ip-address.

Let us assume that you have the following 4 interfaces on the server:

• eth0 – 192.168.10.200
• eth1 – 192.168.10.201
• eth2 – 192.168.10.202
• eth3 – 192.168.10.203

By default ssh will listen on all of the above ip-addresses. If you want users to login only using ip-address 200 and 202, do the following in your sshd_config

$ vi /etc/ssh/sshd_config
ListenAddress 192.168.10.200
ListenAddress 192.168.10.202

7. Disconnect SSH when no activity (ClientAliveInterval)

Once you’ve successfully logged in to the system, you might want to get disconnected when there are no activities after x number of minutes. This is basically idle timeout.

In Bash, you can achieve this using TMOUT variable.

In OpenSSH, this can be achieved by combining ClientAliveCountMax and ClientAliveInterval options in sshd_config file.

• ClientAliveCountMax – This indicates the total number of checkalive message sent by the ssh server without getting any response from the ssh client. Default is 3.
• ClientAliveInterval – This indicates the timeout in seconds. After x number of seconds, ssh server will send a message to the client asking for response. Deafult is 0 (server will not send message to client to check.).

If you want ssh client to exit (timeout) automatically after 10 minutes (600 seconds), modify the sshd_config file and set the following two parameters as shown below.

$ vi /etc/ssh/sshd_config
ClientAliveInterval 600
ClientAliveCountMax 0

5 Basic Linux SSH Client Commands

Let us review the following 5 basic command line usage of the ssh client.

1. Identify SSH client version
2. Login to remote host
3. Transfer Files to/from remote host
4. Debug SSH client connection
5. SSH escape character usage: (Toggle SSH session, SSH session statistics etc.)

---

1. SSH Client Version:

Sometimes it may be necessary to identify the SSH client that you are currently running and it’s corresponding version number, which can be identified as shown below. Please note that Linux comes with OpenSSH.

$ ssh -V
OpenSSH_3.9p1, OpenSSL 0.9.7a Feb 19 2003

$ ssh -V
ssh: SSH Secure Shell 3.2.9.1 (non-commercial version) on i686-pc-linux-gnu

---

2. Login to remote host:

• The First time when you login to the remotehost from a localhost, it will display the host key not found message and you can give “yes” to continue. The host key of the remote host will be added under .ssh2/hostkeys directory of your home directory, as shown below.

localhost$ ssh -l jsmith remotehost.example.com

Host key not found from database.
Key fingerprint:
xabie-dezbc-manud-bartd-satsy-limit-nexiu-jambl-title-jarde-tuxum
You can get a public key’s fingerprint by running
% ssh-keygen -F publickey.pub
on the keyfile.
Are you sure you want to continue connecting (yes/no)? yes
Host key saved to /home/jsmith/.ssh2/hostkeys/key_22_remotehost.example.com.pub
host key for remotehost.example.com, accepted by jsmith Mon May 26 2008 16:06:50 -0700
jsmith@remotehost.example.com password:
remotehost.example.com$

• The Second time when you login to the remote host from the localhost, it will prompt only for the password as the remote host key is already added to the known hosts list of the ssh client.

localhost$ ssh -l jsmith remotehost.example.com
         jsmith@remotehost.example.com password: 
         remotehost.example.com$

• For some reason, if the host key of the remote host is changed after you logged in for the first time, you may get a warning message as shown below. This could be because of various reasons such as 1) Sysadmin upgraded/reinstalled the SSH server on the remote host 2) someone is doing malicious activity etc., The best possible action to take before saying “yes” to the message below, is to call your sysadmin and identify why you got the host key changed message and verify whether it is the correct host key or not.

localhost$ ssh -l jsmith remotehost.example.com
         @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
         @       WARNING: HOST IDENTIFICATION HAS CHANGED!         @
         @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
         IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
         Someone could be eavesdropping on you right now (man-in-the-middle attack)!
         It is also possible that the host key has just been changed.
         Please contact your system administrator.
         Add correct host key to "/home/jsmith/.ssh2/hostkeys/key_22_remotehost.example.com.pub"
         to get rid of this message.
        Received server key's fingerprint:
        xabie-dezbc-manud-bartd-satsy-limit-nexiu-jambl-title-jarde-tuxum
        You can get a public key's fingerprint by running
         % ssh-keygen -F publickey.pub
         on the keyfile.
         Agent forwarding is disabled to avoid attacks by corrupted servers.
         Are you sure you want to continue connecting (yes/no)? yes
         Do you want to change the host key on disk (yes/no)? yes
         Agent forwarding re-enabled.
         Host key saved to /home/jsmith/.ssh2/hostkeys/key_22_remotehost.example.com.pub
         host key for remotehost.example.com, accepted by jsmith Mon May 26 2008 16:17:31 -0700
         jsmith @remotehost.example.com's password: 
        remotehost$

---

3. File transfer to/from remote host:

Another common use of ssh client is to copy files from/to remote host using scp.

• Copy file from the remotehost to the localhost:

localhost$scp jsmith@remotehost.example.com:/home/jsmith/remotehostfile.txt remotehostfile.txt

• Copy file from the localhost to the remotehost:

localhost$scp localhostfile.txt jsmith@remotehost.example.com:/home/jsmith/localhostfile.txt

---

4. Debug SSH Client:

Sometimes it is necessary to view debug messages to troubleshoot any SSH connection issues. For this purpose, pass -v (lowercase v) option to the ssh as shown below.

• Example without debug message:

localhost$ ssh -l jsmith remotehost.example.com
        warning: Connecting to remotehost.example.com failed: No address associated to the name
        localhost$

• Example with debug message:

locaclhost$ ssh -v -l jsmith remotehost.example.com
        debug: SshConfig/sshconfig.c:2838/ssh2_parse_config_ext: Metaconfig parsing stopped at line 3.
        debug: SshConfig/sshconfig.c:637/ssh_config_set_param_verbose: Setting variable 'VerboseMode' to 'FALSE'.
        debug: SshConfig/sshconfig.c:3130/ssh_config_read_file_ext: Read 17 params from config file.
        debug: Ssh2/ssh2.c:1707/main: User config file not found, using defaults. (Looked for '/home/jsmith/.ssh2/ssh2_config')
        debug: Connecting to remotehost.example.com, port 22... (SOCKS not used)
        warning: Connecting to remotehost.example.com failed: No address associated to the name

---

5. Escape Character: (Toggle SSH session, SSH session statistics etc.)

Escape character ~ get’s SSH clients attention and the character following the ~ determines the escape command. 
Toggle SSH Session: When you’ve logged on to the remotehost using ssh from the localhost, you may want to come back to the localhost to perform some activity and go back to remote host again. In this case, you don’t need to disconnect the ssh session to the remote host. Instead follow the steps below.

• 
  Login to remotehost from localhost: localhost$ssh -l jsmith remotehost
• Now you are connected to the remotehost: remotehost$
• To come back to the localhost temporarily, type the escape character ~ and Control-Z. When you type ~ you will not see that immediately on the screen until you press and press enter. So, on the remotehost in a new line enter the following key strokes for the below to work: ~
  

remotehost$ ~^Z
    [1]+  Stopped                 ssh -l jsmith remotehost
    localhost$ 

• Now you are back to the localhost and the ssh remotehost client session runs as a typical unix background job, which you can check as shown below:

localhost$ jobs
    [1]+  Stopped                 ssh -l jsmith remotehost

• You can go back to the remote host ssh without entering the password again by bringing the background ssh remotehost session job to foreground on the localhost

localhost$ fg %1
    ssh -l jsmith remotehost
    remotehost$

SSH Session statistics: To get some useful statistics about the current ssh session, do the following. This works only on SSH2 client.

• Login to remotehost from localhost: localhost$ssh -l jsmith remotehost
• On the remotehost, type ssh escape character ~ followed by s as shown below. This will display lot of useful statistics about the current SSH connection.

remotehost$  [Note: The ~s is not visible on the command line when you type.] 
        remote host: remotehost
        local host: localhost
        remote version: SSH-1.99-OpenSSH_3.9p1
        local version:  SSH-2.0-3.2.9.1 SSH Secure Shell (non-commercial)
        compressed bytes in: 1506
        uncompressed bytes in: 1622
        compressed bytes out: 4997
        uncompressed bytes out: 5118
        packets in: 15
        packets out: 24
        rekeys: 0
        Algorithms:
        Chosen key exchange algorithm: diffie-hellman-group1-sha1
        Chosen host key algorithm: ssh-dss
        Common host key algorithms: ssh-dss,ssh-rsa
        Algorithms client to server:
        Cipher: aes128-cbc
        MAC: hmac-sha1
        Compression: zlib
        Algorithms server to client:
        Cipher: aes128-cbc
        MAC: hmac-sha1
        Compression: zlib
        localhost$