..::capture of life::..

...my thoughts, learnings & captured images...

Advanced SSH security tips and tricks

Change SSH listening port

By default, SSH listens for connections on port 22. For security reason person can change the port for listening. Then other person connecting from the network have to specify the port number otherwise connection will be refused.

Open the /etc/ssh/sshd_config file and look for the line that says:

Port 22

Change the port number and restart the SSH service:

/etc/init.d/ssh restart

Suppose new port number is 222. Then only those person can connect to my PC who knows my new PORT number. Then person have to specify the port number while connecting via SSH

mishu@mishu:~$ ssh [email protected]
ssh: connect to host port 22: Connection refused // as I made change in the listening port.

mishu@mishu:~$ ssh -p 222 [email protected]
[email protected]'s password: // when particular port number is given then it gives the password prompt.

Allow only SSH protocol 2

There are two versions of the SSH protocol. Using SSH protocol 2 only is much more secure.

Edit /etc/ssh/sshd_config and look for the line that says:

Protocol 2,1

Change the line so it says only protocol 2.

SSH with graphical interface

If any one is willing to access the remote PC with graphical interface then user have to use a switch -Y.

command is like this

picklu@picklu:~$ ssh -Y mishu@mishu

Allow only specific users to log in via SSH

User should not permit root logins via SSH, because this is a big and unnecessary security risk. Configure SSH server so that root user is not allowed to log in. Find the line that says:

PermitRootLogin yes

Change yes to no and restart the service. You can then log in with any other defined user and switch to user root if you want to become a superuser.

If you would like to have a list of users who are the only ones able to log in via SSH, it can also be specified in the sshd_config file. For example, let's say I want to allow users mishu, and rumee to log in via SSH. At the end of sshd_config file I would add a line like this:

AllowUsers mishu rumee

Using DSA/RSA public key authentication

Instead of using login names and passwords for SSH authentication, user can use DSA/RSA public keys for authentication. Note that user can have both login names and DSA/RSA public key authentication enabled at the same time. User need a pair of DSA/RSA keys -- one public and one private. User keep the private key on your machine and copy the public key to the server or other machine where s/he wants to login. When user wants to log in to an SSH session, the server checks the keys, and if they match, you are dropped into the shell. If the keys don't match, you are disconnected.

In this example the private machine (from which I will connect to the server/other machine) is station1 and the server machine is server1. Procedure is following:

First I need to create a pair of keys on my private machine.

picklu@picklu:~$ ssh-keygen -t rsa

There will be prompted for a pass-phrase for your private key, but it can be blank because this is not a recommended method. A key pair is generated: private key is located in ~/.ssh/id_rsa and your public key is located in .ssh/id_rsa.pub.

Next, copy the contents of ~/.ssh/id_rsa.pub to server1 into the ~/.ssh/authorized_keys file.

If the file ~/.ssh/authorized_keys already exists, append the contents of the file ~/.ssh/id_rsa.pub to the file ~/.ssh/authorized_keys on server1 by following command.

cat id_rsa.pub >> .ssh/authorized_keys

The only thing left to do is to set the correct permissions of ~/.ssh/authorized_keys file on server1:

~$ chmod 600 ~/.ssh/authorized_keys

Now, configure the sshd_conf file to use the DSA/RSA keys authentication. Make sure you have the following three lines uncommented:

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys

Restart the service. If everything configured correctly, user should now be able to SSH to the server without any interaction.

If you would like to use DSA/RSA authentication only, make sure you uncomment and change the PasswordAuthentication line in sshd_config from yes to no:

PasswordAuthentication no

If anyone tries to connect to your SSH service and doesn't have a public key on the server, he will be rejected without even seeing the login prompt with this error:

Permission denied (publickey).

N. B. If .ssh or its parent directory is group writable then this will not work.

Create a custom SSH banner

If you would like any user who connects to your SSH service to see a specific message, you can create a custom SSH banner. Simply create a text file (in my example in /etc/ssh-banner.txt) and put any kind of text message in it; for example:

*This is a private SSH service. You are not supposed to be here.*
*Please leave immediately. *

When done editing, save the file. In the sshd_conf file, find a line that says:

#Banner /etc/issue.net

Uncomment the line and change the path to your custom SSH banner text file.