SSH Secure Configuration
OpenSSH is the most widely deployed implementation of the SSH protocol and the usual tool for remote login, backups, remote file transfer with scp or sftp, and much more. SSH protects the confidentiality and integrity of data exchanged between two systems across an untrusted network. Its real strength, however, is authentication with public key cryptography: the server proves its identity with a host key, and users prove theirs with a key pair instead of a username and password. This article shows how to harden an OpenSSH server (sshd) running on Linux or a Unix-like system.
OpenSSH defaults
TCP port – 22
Server config file – sshd_config (located in /etc/ssh/)
Client config file – ssh_config (located in /etc/ssh/)
User private/pub keys and client config – $HOME/.ssh/ directory
1. Use SSH public key based login
OpenSSH server supports several authentication methods; use public key authentication. First, create the key pair on your local desktop/laptop with the ssh-keygen command (or with PuTTYgen on Windows). Ed25519 is the preferred key type; use RSA with a 4096-bit modulus only where the remote side does not support Ed25519:
ssh-keygen -t key_type -b bits -C "comment"
ssh-keygen -t ed25519 -C "Login to production cluster at xyz corp"
ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa_aws_$(date +%Y-%m-%d) -C "Key for abc corp clients"
- Open PuTTYgen, choose the key type (EdDSA/Ed25519, or RSA with 4096 bits as in the ssh-keygen examples above) and click Generate.
- Follow the instructions on screen (moving the mouse over the blank area supplies the randomness).
- Wait for the key to be generated.
- ALWAYS set a strong passphrase on the private key (special characters, lower and upper case letters and numbers); the passphrase is what protects you if the key file is copied from your machine.
- Save the private key and store it in a safe place; it never leaves your machine.
- Save the public key (the one-line OpenSSH format shown in the text box at the top of PuTTYgen) and pass it on to be added, or add it yourself, to the hosts you need to access.
2. Disable root login
Before we disable root login, create a regular user who can become root with sudo, and confirm from a second session that both the key-based login and sudo work. For example, to let user some.name become root using the sudo command:
Create the user and its home directory
useradd -d /home/some.name/ -s /bin/bash -m some.name
Create the .ssh directory that holds the authorized keys (it should be mode 700; with StrictModes, the default, sshd refuses a directory or key file that is writable by group or others)
mkdir /home/some.name/.ssh
Change ownership of the .ssh directory so it belongs to the newly created user some.name
chown some.name:some.name /home/some.name/.ssh
Create the file authorized_keys (mode 600) in that directory with the echo command; its content is the one-line public key (the .pub file) generated in step 1
echo "ssh-rsa <public-key-blob> user.name" > /home/some.name/.ssh/authorized_keys
Change ownership of the authorized_keys file so it belongs to some.name
chown some.name:some.name /home/some.name/.ssh/authorized_keys
Add some.name to the list of users allowed to sudo in /etc/sudoers. Use visudo rather than a plain editor: it locks the file and refuses to save one with a syntax error, which would otherwise lock you out of root. NOPASSWD:ALL means whoever holds the private key is root with no further prompt; drop the NOPASSWD tag unless unattended automation needs it.
visudo
some.name ALL=(ALL:ALL) NOPASSWD:ALL
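The provisioning steps above as one script, added here as an example that is not part of the original article: it installs the public key with the file modes sshd requires, refuses malformed key lines, can be re-run without duplicating the key, and grants sudo through a drop-in file validated with visudo instead of editing /etc/sudoers by hand. The user name some.name, the paths and the demo key are hypothetical; the key blob is constructed to look like an Ed25519 key and is not a real one.

```shell
#!/bin/sh
# Added example (not from the original article): provision a login user's key and
# sudo access with the modes sshd and sudo require. Names and paths are hypothetical.

# Constructed demo key: shaped like an Ed25519 public key line, not a real key.
DEMO_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXA some.name@laptop'

# is_pubkey_line LINE -> 0 if LINE is "<type> <base64 blob> [comment]" as sshd expects.
is_pubkey_line() {
    printf '%s\n' "$1" | grep -Eq \
      '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)|sk-ssh-ed25519@openssh\.com|sk-ecdsa-sha2-nistp256@openssh\.com) [A-Za-z0-9+/]+=*( .*)?$'
}

# install_authorized_key HOME_DIR KEY_LINE [OWNER]
# Creates HOME_DIR/.ssh (0700) and authorized_keys (0600), appends KEY_LINE unless the
# same key (type + blob, comment ignored) is already there, and chowns to OWNER if given.
# With StrictModes (the default) sshd ignores the file if either is group/world writable.
install_authorized_key() {
    home="$1"; key="$2"; owner="${3:-}"
    is_pubkey_line "$key" || { echo "refusing malformed key line" >&2; return 1; }
    mkdir -p -m 700 "$home/.ssh" || return 1
    chmod 700 "$home/.ssh" || return 1          # mkdir -p leaves an existing directory's mode alone
    touch "$home/.ssh/authorized_keys" && chmod 600 "$home/.ssh/authorized_keys" || return 1
    blob=$(printf '%s\n' "$key" | awk '{ print $1, $2 }')
    if ! awk '{ print $1, $2 }' "$home/.ssh/authorized_keys" | grep -Fxq -- "$blob"; then
        printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"
    fi
    if [ -n "$owner" ]; then chown -R "$owner" "$home/.ssh" || return 1; fi
}

# count_authorized_keys HOME_DIR -> number of key lines in authorized_keys
count_authorized_keys() {
    grep -c -E '^(ssh-|ecdsa-|sk-)' "$1/.ssh/authorized_keys"
}

# write_sudoers_dropin USER [SUDOERS_DIR]
# Grants USER sudo to root *with* a password prompt (the article's NOPASSWD:ALL makes a
# stolen key alone worth root). The file name must not contain a dot, or sudo's
# includedir silently skips it (so "some.name" becomes "90-some_name"). Mode 0440, and
# syntax-checked with visudo when we are root and visudo is installed.
write_sudoers_dropin() {
    user="$1"; dir="${2:-/etc/sudoers.d}"
    f="$dir/90-$(printf '%s' "$user" | tr -c 'A-Za-z0-9_-' '_')"
    printf '%s ALL=(ALL:ALL) ALL\n' "$user" > "$f" && chmod 440 "$f" || return 1
    if [ "$(id -u)" -eq 0 ] && command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$f" >/dev/null || { rm -f "$f"; return 1; }
    fi
}

# Demo: unprivileged run in a temp directory (sh script.sh demo). For a real host run
# as root with /home/some.name, the user's real public key, owner some.name and
# the default /etc/sudoers.d.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    install_authorized_key "$tmp/home/some.name" "$DEMO_KEY"
    install_authorized_key "$tmp/home/some.name" "${DEMO_KEY% *} same-key-new-comment"
    echo "keys installed: $(count_authorized_keys "$tmp/home/some.name")"
    write_sudoers_dropin some.name "$tmp" && cat "$tmp/90-some_name"
    rm -rf "$tmp"
fi
```

The duplicate check compares only key type and blob, so reinstalling the same key with a different comment does not grow authorized_keys; the sudoers rule deliberately keeps the password prompt so that a compromised key is not automatically root.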
Once you have confirmed from a second session that key login and sudo work, disable root login over SSH by setting the following line in /etc/ssh/sshd_config (the default, prohibit-password, still lets root in with a key):
PermitRootLogin no
Check the file with sshd -t, reload sshd (systemctl reload sshd, or service sshd reload), and keep your existing session open until a fresh login succeeds. Password-based logins are turned off in the next step.
3. Disable password based login
All password-based logins must be disabled so that only public key logins are accepted. Add the following to your sshd_config file:
PubkeyAuthentication yes
AuthenticationMethods publickey
PasswordAuthentication no
KbdInteractiveAuthentication no
PasswordAuthentication no alone is not enough: keyboard-interactive authentication can still prompt for a password through PAM, so it must be off too. KbdInteractiveAuthentication is the name used since OpenSSH 8.7; older releases call it ChallengeResponseAuthentication, which newer versions still accept as an alias. Leave UsePAM yes on Linux distributions: with the two methods above disabled it no longer authenticates anyone, but it still runs the PAM account and session modules (account lockouts, resource limits, session setup) that the system relies on. Confirm the effective values with sshd -T, then verify from another host that ssh -o PreferredAuthentications=password fails.
4. Disable Empty Passwords
Explicitly disallow remote login to accounts with an empty password. The compiled-in default is already no; set it anyway so that a distribution default or an Include file cannot change it. Add the following line to sshd_config:
PermitEmptyPasswords no
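A check for steps 2 to 4, added here as an example that is not part of the original article: it audits the global section of an sshd_config file (or the output of sshd -T) for the directives above and reports each as OK, WEAK or MISSING. The two sample configurations are constructed for the demo and do not come from any real host; the directive set and the expected values are the ones this article recommends.

```shell
#!/bin/sh
# Added example (not from the original article): audit sshd settings for steps 2-4.
# Input is "Keyword value" text: an sshd_config file, or the output of `sshd -T`.

# sshd_check [FILE...] -> one line per directive; exit 0 only if every value is as wanted.
# Reads stdin when no file is given. Only the global section is audited: the scan stops
# at the first Match block, whose per-user/per-address overrides need `sshd -T -C ...`.
# Defaults are not trusted: a directive that is not set explicitly is reported MISSING.
sshd_check() {
    awk '
    BEGIN {
        want["permitrootlogin"]              = "no"
        want["pubkeyauthentication"]         = "yes"
        want["authenticationmethods"]        = "publickey"
        want["passwordauthentication"]       = "no"
        want["kbdinteractiveauthentication"] = "no"
        want["permitemptypasswords"]         = "no"
        n = split("permitrootlogin pubkeyauthentication authenticationmethods passwordauthentication kbdinteractiveauthentication permitemptypasswords", order, " ")
    }
    /^[ \t]*#/ || NF == 0 { next }          # comments and blank lines
    tolower($1) == "match" { exit }         # stop at the first Match block
    {
        line = $0; sub(/^[ \t]+/, "", line)
        key = line; sub(/[ \t=].*$/, "", key); key = tolower(key)
        if (key == "challengeresponseauthentication") key = "kbdinteractiveauthentication"  # pre-8.7 name
        sub(/^[^ \t=]+[ \t]*=?[ \t]*/, "", line); sub(/[ \t]+$/, "", line)
        if (!(key in seen)) seen[key] = tolower(line)   # sshd uses the first occurrence of a keyword
    }
    END {
        rc = 0
        for (i = 1; i <= n; i++) {
            k = order[i]
            if (!(k in seen))            { printf "MISSING %s (want %s)\n", k, want[k]; rc = 1 }
            else if (seen[k] != want[k]) { printf "WEAK    %s = %s (want %s)\n", k, seen[k], want[k]; rc = 1 }
            else                         { printf "OK      %s = %s\n", k, seen[k] }
        }
        exit rc
    }' "$@"
}

# Constructed sample: the kind of config a fresh install might ship with.
weak_config() {
    cat <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
PermitEmptyPasswords yes
UsePAM yes
EOF
}

# Constructed sample: the settings from steps 2-4, plus a Match block the audit stops at.
hardened_config() {
    cat <<'EOF'
Port 22
PermitRootLogin no
PubkeyAuthentication yes
AuthenticationMethods publickey
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
UsePAM yes
# Per-account overrides below are not evaluated here; use sshd -T -C user=backup,addr=...
Match User backup
    PasswordAuthentication yes
EOF
}

# Demo on the constructed samples: sh script.sh demo
if [ "${1:-}" = "demo" ]; then
    echo "== weak sample =="; weak_config | sshd_check || echo "exit status $?"
    echo "== hardened sample =="; hardened_config | sshd_check && echo "exit status 0"
fi
```

On a real host run it as root against the effective configuration, sshd -T | sshd_check, which already resolves Include files and defaults; sshd_check /etc/ssh/sshd_config audits the file as written. Match blocks are not evaluated, so check each override with sshd -T -C user=...,addr=... as well.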
5. Firewall SSH TCP port # 22
Restrict who can reach SSH TCP port 22 by updating your iptables, ufw, firewall-cmd or pf configuration. Normally the OpenSSH server should accept connections only from your LAN and from known remote sites, not from the whole Internet.
Netfilter (Iptables) Configuration
Update /etc/sysconfig/iptables (a Red Hat and friends specific file) to accept connections only from 192.168.1.0/24 and 202.54.1.5/29:
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -s 202.54.1.5/29 -m state --state NEW -p tcp --dport 22 -j ACCEPT
These ACCEPT rules only restrict access because the stock RH-Firewall-1-INPUT chain ends in a REJECT rule; make sure no earlier rule in the chain accepts port 22 from anywhere. Note that 202.54.1.5/29 is a host address with a /29 mask; iptables applies the mask and matches the whole block 202.54.1.0/29.
If you have dual stacked sshd with IPv6, edit /etc/sysconfig/ip6tables (again Red Hat and friends specific):
-A RH-Firewall-1-INPUT -s ipv6network::/ipv6mask -m tcp -p tcp --dport 22 -j ACCEPT
Replace ipv6network::/ipv6mask with your actual IPv6 ranges.
UFW for Debian/Ubuntu Linux
UFW stands for Uncomplicated Firewall; it manages the Linux firewall through an easy to use front end. Use the following command to accept TCP port 22 from 202.54.1.5/29 only. It restricts access only when the default incoming policy is deny (ufw default deny incoming) and no broader allow rule for port 22 exists:
sudo ufw allow from 202.54.1.5/29 to any port 22 proto tcp
*BSD PF Firewall Configuration
If you are using the PF firewall, update /etc/pf.conf as follows. PF applies the last matching rule, so this pass rule must come after a block rule for the interface (block in on $ext_if) or it restricts nothing; modern PF keeps state on pass rules by default:
pass in on $ext_if inet proto tcp from { 192.168.1.0/24, 202.54.1.5/29 } to any port 22