Friday 6 June 2014

5 Tips To Secure Your OpenSSH Server



1. Change your default SSH port

      # nano /etc/ssh/sshd_config
      Port 2222

      Now, when connecting over SSH remotely, pass the new port:

      # ssh -p 2222 root@192.168.1x.1xx

      Moving the port off 22 only cuts down the noise from automated scanners; a port scan still finds the service, so treat this as a convenience rather than a substitute for the tips below. Update any firewall rule that allowed port 22, and remember that sshd must be restarted after every change to sshd_config.

2. Disable direct root login through SSH

      Log in with a non-root account and then switch to root with "su -" (or sudo). Here's how you can do this:

      # nano /etc/ssh/sshd_config
      PermitRootLogin no

3. Disable password-based authentication

      Use a public/private key pair instead, which takes brute-force password guessing off the table entirely. You can do this:

      # nano /etc/ssh/sshd_config
      PasswordAuthentication no

      Set up and test key-based login (sections 3.1 and 3.2 below) from a second session before you restart sshd with this setting, so that a broken key does not lock you out of the server.

Passwordless SSH key-based authentication

3.1. What is key-based, passwordless SSH authentication?

- Setting up SSH keys for passwordless authentication is a preferred, quick and painless authentication mechanism on CentOS Linux and many other SSH-based systems. It also allows you to set up automated tasks, such as copying backups to another server, without having to enter a password.

3.2. Configuring key-based, passwordless SSH authentication

- In this scenario, we have two servers, rm.linux.lan and cl.linux.lan. We want to grant passwordless, key-based authentication from the root user on rm.linux.lan to the root user on cl.linux.lan. (If you applied tip 2, root can no longer log in on cl.linux.lan; use a dedicated unprivileged account for the job instead.)
- Assuming these keys do not exist yet, we generate our public and private key pair on rm.linux.lan.

  Note: we do not provide a passphrase when generating these keys, so anyone who can read /root/.ssh/id_dsa on rm.linux.lan gets the same access to cl.linux.lan. Only do this for keys used by automated jobs, and keep the private key's permissions at 0600.

  Note also that DSA keys (ssh-dss) are limited to 1024 bits and have been disabled by default in OpenSSH since version 7.0; on a current system generate an Ed25519 key instead with "ssh-keygen -t ed25519". The transcript below is from the older DSA setup.
      # ssh-keygen -t dsa
      Generating public/private dsa key pair.
      Enter file in which to save the key (/root/.ssh/id_dsa):
      Enter passphrase (empty for no passphrase):
      Enter same passphrase again:
      Your identification has been saved in /root/.ssh/id_dsa.
      Your public key has been saved in /root/.ssh/id_dsa.pub.
      The key fingerprint is:
      <snipped>
      The key's randomart image is:
      +--[ DSA 1024]----+
      <snipped>
      +-----------------+
- As you can see, the above command has generated two files, /root/.ssh/id_dsa and /root/.ssh/id_dsa.pub. Always keep the id_dsa file safe: this is your private key, it must stay mode 0600, and it is never copied to the remote host.
- Now that our SSH key pair has been generated, we can copy our public key file to cl.linux.lan with the following command (it appends the key to root's ~/.ssh/authorized_keys on cl.linux.lan and asks for root's password one last time):

      # ssh-copy-id -i /root/.ssh/id_dsa.pub root@cl.linux.lan

- ssh-copy-id then prints: Now try logging into the machine, with "ssh 'root@cl.linux.lan'", and check in:

      ~/.ssh/authorized_keys

  to make sure we haven't added extra keys that you weren't expecting. Do check: ssh-copy-id appends blindly, so running it twice leaves a duplicate entry, and any key you do not recognise in that file is a standing backdoor.
- And with that, you should now be able to ssh from the root user on rm.linux.lan to the root user on cl.linux.lan without having to enter any password. If it still prompts for a password, check that /root/.ssh is 0700 and authorized_keys is 0600 on cl.linux.lan: with StrictModes (the default), sshd ignores keys in group- or world-writable locations.
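The weak spot in the setup above is the passphrase-less private key: whoever copies it from rm.linux.lan gets a root shell on cl.linux.lan. The usual fix is to lock the key down on the receiving side in authorized_keys, so it can only run one command from one source address. The script below is an added example, not code from the original post: it builds such a restricted entry, installs it without creating duplicates (which ssh-copy-id would), and lists what is in the file so the "check authorized_keys" step is quick. The source address 192.0.2.10, the command /usr/local/bin/backup-receive and the sample public key are hypothetical; the key material is constructed and is not a valid key.

```shell
#!/bin/sh
# Added example (not from the original post): restricted authorized_keys entries
# for a passphrase-less automation key. Sample values below are constructed.

# Constructed public key line, in the "type base64 comment" form ssh-keygen writes
# to id_*.pub. The base64 part is NOT real key material.
SAMPLE_PUB='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialNotARealKey0000000000000 backup@rm.linux.lan'

# Build an authorized_keys line that ties the key to one forced command and one
# source host, and removes pty/forwarding so it cannot be turned into a shell.
# $1 = public key line, $2 = allowed source (from= pattern), $3 = forced command
restrict_authorized_key() {
    pub="$1"; src="$2"; cmd="$3"
    printf 'from="%s",command="%s",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' \
        "$src" "$cmd" "$pub"
}

# Append a line to authorized_keys only if its key material is not already there
# (ssh-copy-id appends blindly). Creates the file 0600 under a 0700 directory,
# which StrictModes requires. $1 = authorized_keys path, $2 = full line to add.
install_authorized_key() {
    ak="$1"; line="$2"
    # The key blob is the field right after the key type; options may precede it.
    blob=$(printf '%s\n' "$line" | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^(ssh-|ecdsa-)/) { print $(i+1); exit } }')
    if [ -f "$ak" ] && grep -qF -- "$blob" "$ak"; then
        echo "key already present in $ak, not adding it again"
        return 0
    fi
    ( umask 077; mkdir -p "$(dirname "$ak")"; printf '%s\n' "$line" >> "$ak" )
    chmod 600 "$ak"
}

# Print one line per key: type, comment, and whether a forced command restricts it.
# A key without command= gives its holder a full login shell. $1 = authorized_keys path
list_authorized_keys() {
    awk '/^[ \t]*(#|$)/ { next }
         {
             restricted = ($0 ~ /(^|,)command="/) ? "forced-command" : "UNRESTRICTED"
             for (i = 1; i <= NF; i++)
                 if ($i ~ /^(ssh-|ecdsa-)/) { print $i, "comment=" $(i+2), restricted; break }
         }' "$1"
}

# Demo in a throwaway directory (stands in for /root/.ssh on cl.linux.lan).
tmp=$(mktemp -d)
AK="$tmp/authorized_keys"
LINE=$(restrict_authorized_key "$SAMPLE_PUB" "192.0.2.10" "/usr/local/bin/backup-receive")
install_authorized_key "$AK" "$LINE"
install_authorized_key "$AK" "$LINE"   # second run is a no-op
list_authorized_keys "$AK"
rm -rf "$tmp"
```

On the source host the key itself would come from "ssh-keygen -t ed25519 -N '' -f /root/.ssh/id_backup". With the entry above, the forced command receives whatever the client asked to run in the SSH_ORIGINAL_COMMAND environment variable and can refuse anything unexpected. OpenSSH 7.2 and later also accept the single option "restrict", which switches off pty and all forwarding in one word.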
4. Allow/Deny Specific Users/Groups

      The SSH server will allow every account on the system to log in by default. You can of course change that:

-Allow specific users:

      # nano /etc/ssh/sshd_config
      AllowUsers sks xyz

-Deny specific users:

      # nano /etc/ssh/sshd_config
      DenyUsers sks xyz

-Allow specific groups:

      # nano /etc/ssh/sshd_config
      AllowGroups sks xyz

-Deny specific groups:

      # nano /etc/ssh/sshd_config
      DenyGroups sks xyz

      Two things to keep in mind: as soon as any AllowUsers or AllowGroups line is present, every user or group not listed is denied, so put your own account on the list before restarting sshd; and sshd evaluates these directives in the fixed order DenyUsers, AllowUsers, DenyGroups, AllowGroups, regardless of where they appear in the file. A name may also carry a source restriction in user@host form, for example "AllowUsers sks@192.168.10.*".


5. Restrict SSH to specific network interfaces

      By default sshd binds every address on the host. Listing only the management address (and loopback) keeps the service off the public-facing interface:

      # nano /etc/ssh/sshd_config
      ListenAddress 192.168.10.100
      ListenAddress 127.0.0.1

      ListenAddress takes an IP address, not an interface name, and if that address is not configured on the host when sshd starts, sshd cannot bind it and logs an error.
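All five tips are single lines in sshd_config, and the way they usually fail is quiet: the line is commented out, it sits below a Match block where it only applies conditionally, or it appears a second time lower down. sshd uses the first value it reads for each keyword, so a later "PasswordAuthentication no" does not override an earlier "yes". The audit script below is an added example, not code from the original post; it reads a config file with those rules and reports which of the five settings are still at their weak default. The two sample configs are constructed for the demo and do not come from any real host.

```shell
#!/bin/sh
# Added example (not from the original post): audit sshd_config for the five
# settings in this post. Sample configs below are constructed, not real.

# Print the effective value of a keyword, or nothing if it is unset.
# sshd_config rules applied here: the FIRST uncommented occurrence wins, and
# anything after a "Match" line is conditional, so reading stops there.
# (The less common "Keyword=value" spelling is not handled.)
# $1 = config file, $2 = keyword (case-insensitive)
sshd_get() {
    awk -v key="$2" '
        /^[ \t]*(#|$)/              { next }   # comment or blank line
        tolower($1) == "match"      { exit }   # end of the global section
        tolower($1) == tolower(key) { $1 = ""; sub(/^ +/, ""); print; exit }
    ' "$1"
}

# One finding per line; prints nothing when all five checks pass. $1 = config file
sshd_audit() {
    f="$1"
    port=$(sshd_get "$f" Port)
    if [ -z "$port" ] || [ "$port" = 22 ]; then
        echo "Port: sshd listens on the default port 22"
    fi
    v=$(sshd_get "$f" PermitRootLogin)
    [ "$v" = no ] || echo "PermitRootLogin: '${v:-unset}' (root may log in over SSH; set it to no)"
    v=$(sshd_get "$f" PasswordAuthentication)
    [ "$v" = no ] || echo "PasswordAuthentication: '${v:-unset}' (passwords accepted, the default is yes; set it to no)"
    if [ -z "$(sshd_get "$f" AllowUsers)" ] && [ -z "$(sshd_get "$f" AllowGroups)" ]; then
        echo "AllowUsers/AllowGroups: neither set, so every account on the system may log in"
    fi
    [ -n "$(sshd_get "$f" ListenAddress)" ] || echo "ListenAddress: not set, sshd binds every interface"
}

# Constructed sample: looks hardened at a glance, but isn't. $1 = output path
make_weak_config() {
    cat > "$1" <<'EOF'
# Port 2222 is commented out, so the default of 22 applies
#Port 2222
PermitRootLogin yes
PasswordAuthentication yes
# This second occurrence is ignored: sshd keeps the first value for a keyword
PasswordAuthentication no
EOF
}

# Constructed sample with all five tips applied; the Match block only relaxes
# password auth for one account and does not change the global setting.
make_hardened_config() {
    cat > "$1" <<'EOF'
Port 2222
ListenAddress 192.168.10.100
ListenAddress 127.0.0.1
PermitRootLogin no
PasswordAuthentication no
AllowGroups sshusers
Match User backup
    PasswordAuthentication yes
EOF
}

# Demo on the two constructed configs
tmp=$(mktemp -d)
make_weak_config "$tmp/sshd_config.weak"
make_hardened_config "$tmp/sshd_config.hardened"
for c in weak hardened; do
    echo "== $c =="
    sshd_audit "$tmp/sshd_config.$c"
done
rm -rf "$tmp"
```

On a live host, run it against /etc/ssh/sshd_config, or better against the output of "sshd -T", which prints the effective configuration after defaults have been applied (lowercase keywords, which the parser accepts). Run "sshd -t" before restarting the daemon: it checks the file for syntax errors, and a restart with a broken config on a remote box is the classic way to lose access.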
