
1/26/2006

Five Tips for Securing SSH

These snippets are all options in the sshd_config file, located at /etc/ssh/sshd_config on most Linux distros.

In order of increasing security

  1. Disallow SSHv1 and force SSHv2 connections
    Protocol 2

    SSHv1 is now considered insecure.

  2. Limit the number of SSH connection attempts at one time
    MaxStartups 2

    or

    MaxStartups start:rate:full

    From the sshd_config manpage

    Alternatively, random early drop can be enabled by specifying the three colon separated values "start:rate:full" (e.g., "10:30:60"). sshd will refuse connection attempts with a probability of "rate/100" (30%) if there are currently "start" (10) unauthenticated connections. The probability increases linearly and all connection attempts are refused if the number of unauthenticated connections reaches "full" (60).

    This one is good for slowing down automated brute-force password bots.

  3. Disallow direct root login
    Permit no root login attempts

    PermitRootLogin no

    or
    Permit root login attempts only via keys in authorized_keys file

    PermitRootLogin without-password

    This is the method I usually go for. It prevents brute-force root attempts but still allows easy enough access. If someone has your private key, you have bigger problems anyway.

  4. Change the port SSH listens on. If a hacker cannot find what port SSH is listening on, he cannot very easily try to brute-force the password. Change the default port 22 to a random unused port number
    Port 22

    All valid users will need to adjust their SSH connections to use the new SSH port.

  5. Disable all password authentication and rely solely on public key authentication
    PasswordAuthentication no

    All valid users must have a public/private key pair installed on the remote host and their local workstation or any other client that they will access the remote host with.

Make sure you load these changes by restarting the SSH server. On most Linux systems this can be accomplished with:

/etc/init.d/sshd restart

or

/sbin/service sshd restart

More information on each of these settings can be found in the sshd_config manpage
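To check a server's configuration against the five tips, here is an added example (not from the post): it parses an sshd_config, flags each setting that is still at a weak value, and computes the refusal probability of the MaxStartups start:rate:full rule quoted in tip 2. The sample config is constructed and deliberately weak.

```python
# Constructed sample sshd_config (not from the post): weak settings on purpose.
SAMPLE_CONFIG = """\
Protocol 2,1
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxStartups 10:30:60
"""

def parse_sshd_config(text):
    """Map lowercase keyword -> value. sshd keeps the first value it reads for a
    keyword, so later duplicates are ignored; a Match block ends the global section."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # comments and blank lines are ignored
        if not line:
            continue
        # both 'Keyword value' and 'Keyword=value' forms are accepted by sshd
        key, value = (line.replace("=", " ", 1).split(None, 1) + [""])[:2]
        key, value = key.lower(), value.strip()
        if key == "match":
            break
        opts.setdefault(key, value)
    return opts

def refusal_probability(maxstartups, pending):
    """Chance (0.0-1.0) that sshd refuses a new connection when `pending`
    unauthenticated connections exist, per the start:rate:full rule (plain N = hard cap)."""
    parts = [int(p) for p in maxstartups.split(":")]
    if len(parts) == 1:
        return 1.0 if pending >= parts[0] else 0.0
    start, rate, full = parts
    if pending < start:
        return 0.0
    if pending >= full:
        return 1.0
    # linear ramp from rate% at `start` up to 100% at `full`
    return (rate + (100 - rate) * (pending - start) / (full - start)) / 100

def audit(opts):
    """Check the five tips; an unset keyword fails because sshd's default then applies."""
    get = lambda k: opts.get(k, "").replace(" ", "")
    return [
        ("Protocol 2 only", get("protocol") == "2"),
        ("MaxStartups limited", get("maxstartups") != ""),
        ("no password root login", get("permitrootlogin") in ("no", "without-password")),
        ("non-default port", get("port") not in ("", "22")),
        ("passwords disabled", get("passwordauthentication") == "no"),
    ]
```

Run `audit(parse_sshd_config(open("/etc/ssh/sshd_config").read()))` on a server to see which tips are still outstanding.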


One Response to “Five Tips for Securing SSH”

  1. Dave Fulwiler said:

    You are what I aspire to be. I was a railroad conductor for many years, then went back to college and got interested in Linux and the web. Now, on a very limited basis, I do what you do and love it. I am looking for a 6-5 and am thinking that freelancing may be the way I really want to go. Thanks for putting your site up here so I can see the success you enjoy. These SSH tips are good, and yep, I know it's just from the man page I hadn't read entirely. Good stuff nonetheless.

    THANKS

    Dave Fulwiler
    Milwaukee WI
