SSH is a tool for secure remote login (and file transfer and port forwarding) over insecure networks. It provides an encrypted session in which the server authenticates itself to the client with its host key, and the client authenticates with a password or, preferably, a public key.
1. Use Strong Passwords/Usernames
Choose passwords that contain:
At least 8 characters (longer is better; length does more against brute force than extra symbols)
A mix of upper and lower case letters
A mix of letters and numbers
Non-alphanumeric characters (e.g. special characters such as ! " $ % ^ etc.)
Avoid predictable account names such as admin, test or oracle for accounts that can log in remotely; automated scanners try those first, as the failed-login entries in /var/log/secure will show.
2. Disable Root Logins
The sshd configuration file is /etc/ssh/sshd_config. To disable root logins, add the entry below to this file and restart the sshd service. Make sure first that an unprivileged account that can su or sudo to root works over SSH, and keep your current session open until you have confirmed a fresh login still works; "sshd -t" checks the file for syntax errors before you restart.
# Prevent root logins:
PermitRootLogin no
# service sshd restart
3. Allow only specific users or groups to connect
Limit SSH logins to the accounts that actually need remote access. On a host with many accounts, edit /etc/ssh/sshd_config and list the permitted users, separated by spaces. For example:
AllowUsers testuser eric
and then restart the sshd service. Once AllowUsers (or AllowGroups) is set, every account not listed, including root, is refused even if its password or key is correct.
Alternatively, you can allow only users who belong to a certain group. For example, to allow only the members of the "myssh" group to connect, first make sure that the group exists (groupadd myssh) and add your users to it (usermod -a -G myssh username), then add the following line to /etc/ssh/sshd_config:
AllowGroups myssh
4. Disable Protocol 1
SSH has two protocol versions, 1 and 2, and older servers may speak either. Protocol 1 has known cryptographic weaknesses and should be disabled unless you know that you specifically require it. In /etc/ssh/sshd_config, uncomment the Protocol line and restrict it to version 2:
# Protocol 2,1
Protocol 2
and restart the sshd service. OpenSSH 7.0 disabled protocol 1 support by default and 7.6 removed it entirely, so on current versions this directive is obsolete and can be left out; on older servers it matters.
5. Use a Non-Standard Port
By default sshd listens on port 22, which is where every automated scanner and brute-force bot looks first. Moving the port does not hide the server from a targeted attacker (a port scan finds it in seconds), but it removes most of the background noise from your logs. To make the change, add a line to /etc/ssh/sshd_config:
# Run ssh on a non-standard port:
Port 2673
and restart the sshd service. Check first that port 2673 is not already used by another service (netstat -tlnp or ss -tlnp), open it in the firewall, and on a system with SELinux enforcing allow sshd to bind it (semanage port -a -t ssh_port_t -p tcp 2673), otherwise sshd will fail to start.
6. Filter SSH at the Firewall
If you only need remote access from a specific IP address, filter connections at the firewall with an iptables rule that limits access to port 22 to that address. For example:
iptables -A INPUT -p tcp -s 192.168.**.** --dport 22 -j ACCEPT
If you cannot restrict SSH to fixed source addresses and have to open the port to the world, iptables has one more option that helps against brute-force attacks: the recent module records and blocks repeated connection attempts from the same IP address. For example:
iptables -A INPUT -p tcp --syn --dport 22 -m recent --set --name ssh --rsource
iptables -A INPUT -p tcp --syn --dport 22 -m recent ! --rcheck --seconds 50 --hitcount 3 --name ssh --rsource -j ACCEPT
The first rule records the source address of each new connection to port 22 using the recent module (the --syn match restricts both rules to connection-setup packets; without it every packet of an established session would be counted and the session would be cut off after three packets). The second rule checks whether that address has connected 3 or more times within the last 50 seconds and accepts the connection only if it has not. These rules only block anything if the INPUT chain has a default policy of DROP, and an earlier rule accepting ESTABLISHED,RELATED traffic is needed so that your existing sessions survive.
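The script below, added here as an illustration and not part of the original article, puts the two options above together into a complete INPUT policy: either SSH from one admin network only, or SSH open to the world with a per-source rate limit. It includes the loopback and ESTABLISHED rules that the fragments above assume, and it restricts the recent-module counting to NEW connections. The variable names, the network and the port are assumptions chosen for the example. Run it from a console rather than over SSH until you have tested it, and set IPT=echo (or use the preview argument) to print the rules instead of loading them.

```shell
#!/bin/sh
# Added example (not from the original article): complete INPUT chain for a
# host whose only inbound service is SSH. Set IPT=echo to preview the rules.
# All values below are placeholders chosen for this example.
IPT="${IPT:-iptables}"
SSH_PORT="${SSH_PORT:-22}"
ADMIN_NET="${ADMIN_NET:-}"    # e.g. 192.168.1.0/24; leave empty to allow any source with a rate limit
WINDOW="${WINDOW:-60}"        # seconds the recent module looks back
HITCOUNT="${HITCOUNT:-4}"     # the HITCOUNTth new connection from one source within WINDOW is dropped

apply_ssh_firewall() {
    "$IPT" -P INPUT DROP                                      # default deny, required for the rate limit to bite
    "$IPT" -F INPUT
    "$IPT" -A INPUT -i lo -j ACCEPT                           # loopback
    "$IPT" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT   # existing sessions survive the policy
    "$IPT" -A INPUT -m conntrack --ctstate INVALID -j DROP

    if [ -n "$ADMIN_NET" ]; then
        # Option 1: SSH reachable only from the admin network
        "$IPT" -A INPUT -p tcp -s "$ADMIN_NET" --dport "$SSH_PORT" -m conntrack --ctstate NEW -j ACCEPT
        return 0
    fi

    # Option 2: SSH open to the world, rate limited per source address.
    # Only NEW connections are counted, so packets of established sessions never hit the limit.
    "$IPT" -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW \
        -m recent --set --name ssh --rsource                                        # record the source
    "$IPT" -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW \
        -m recent --rcheck --seconds "$WINDOW" --hitcount "$HITCOUNT" --name ssh --rsource \
        -m limit --limit 3/min -j LOG --log-prefix "ssh-ratelimit: "               # log offenders, throttled
    "$IPT" -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW \
        -m recent --update --seconds "$WINDOW" --hitcount "$HITCOUNT" --name ssh --rsource -j DROP
    "$IPT" -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j ACCEPT   # under the limit: let sshd see it
}

case "${1:-}" in
    apply)   apply_ssh_firewall ;;
    preview) IPT=echo; apply_ssh_firewall ;;
    *)       echo "usage: $0 preview|apply" >&2 ;;
esac
```

The --update in the DROP rule refreshes the source's timestamp on every blocked attempt, so an attacker who keeps hammering stays blocked until it has been quiet for WINDOW seconds; the --rcheck in the LOG rule does not refresh it, and the limit match keeps a flood from filling the log.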
7. Use Public/Private Keys for Authentication
Public-key authentication gives two main benefits. First, it is convenient: you no longer need to enter a password for every connection. Second, once key authentication is set up on the server you can disable password authentication completely, so that without an authorized private key nobody can log in and password guessing becomes pointless.
First, create a key pair on the client you will connect from (repeat this on each client machine; on current OpenSSH prefer -t ed25519, or -t rsa -b 4096 if RSA is required):
$ ssh-keygen -t rsa
This creates two files in your ~/.ssh directory, id_rsa and id_rsa.pub. id_rsa is your private key and must never leave the client; id_rsa.pub is your public key.
ssh-keygen asks for a passphrase that encrypts the private key on disk. Pressing Enter leaves the key unencrypted so you are never prompted, but then anyone who copies the file owns your access; a passphrase plus an agent (see keychain below) gives the same convenience without that risk.
Next, set permissions on your private key:
$ chmod 700 ~/.ssh
$ chmod 600 ~/.ssh/id_rsa
Then install the public key on the server, either with ssh-copy-id user@server or by appending the contents of id_rsa.pub to ~/.ssh/authorized_keys on the server (with the default StrictModes, sshd ignores that file if it, ~/.ssh or your home directory is writable by other users). Once you have confirmed you can log in with the key pair, disable password authentication by adding the line below to /etc/ssh/sshd_config and restarting sshd. On systems with UsePAM yes also set ChallengeResponseAuthentication no (KbdInteractiveAuthentication no on newer releases), otherwise PAM can still accept a password through keyboard-interactive authentication.
# Disable password authentication forcing use of keys
PasswordAuthentication no
8. Install "DenyHosts" to auto-block bad clients
DenyHosts watches /var/log/secure for failed SSH login attempts, and once a source exceeds the configured number of failures it is blocked by being added to /etc/hosts.deny. Install it, and optionally edit the default configuration in /etc/denyhosts.conf:
yum install denyhosts
chkconfig denyhosts on
/etc/init.d/denyhosts start
Note that this relies on TCP wrappers: OpenSSH removed libwrap support in version 6.7, so on a server built from that or a later release /etc/hosts.deny has no effect on sshd and a firewall-based blocker such as fail2ban should be used instead.
9. Reduce MaxStartups
Limit the number of concurrent unauthenticated connections (connections that have not yet completed login) the server will hold. Edit sshd_config and change MaxStartups from the old default of "10" to "4:60:10". The three colon-separated values are start:rate:full: once 4 unauthenticated connections are pending, sshd refuses each further one with a probability of 60%, rising linearly until every new connection is refused at 10. Note: on servers where many valid users log in at the same time, raise these numbers or legitimate logins will be refused.
#MaxStartups 10
MaxStartups 4:60:10
10. Reduce LoginGraceTime
Reduce the time a client is given to complete authentication before sshd drops the connection, so that idle or slow brute-force connections do not occupy the MaxStartups slots. 30 seconds is more than enough time to log in (a bare number is read as seconds):
#LoginGraceTime 2m
LoginGraceTime 30
11. Allow only specific IP addresses to connect
TCP wrappers can also restrict sshd to specific IP addresses. Before allowing specific addresses, the default policy must first be set to deny, or the allow entries change nothing. Add the following line to /etc/hosts.deny:
sshd: ALL
Next add the networks you want to allow to /etc/hosts.allow, using the same "sshd:" form with a network address; hosts.allow is consulted first, so a match there wins. As with DenyHosts above, this only works if your sshd is built with libwrap support, which OpenSSH dropped in 6.7; otherwise use the firewall rules from section 6.
12. Bind the ssh server to a specific network interface
By default sshd listens for connections on all interfaces (0.0.0.0). If the server should only be reachable internally, bind it to a LAN address. For example, edit sshd_config:
ListenAddress 192.168.XX.X
and restart sshd. The address must be configured on an interface when sshd starts, or it will fail to bind at boot.
13. Ensure OpenSSH is up-to-date
# yum update 'openssh*'
If no updates are available yum says so (for example "Could not find update match..." or "No Packages marked for Update"); otherwise follow the prompts to install them.
14. Keep OpenSSH up-to-date
At the very least subscribe to the fedora-announce-list, where update announcements are made.
A vulnerability in OpenSSH is big news given its importance in the Unix world, and for the same reason you must move quickly to patch any vulnerability that is discovered.
15. Monitor the SSH logs
On Fedora Core (and other Red Hat derived systems) sshd logs through syslog to /var/log/secure by default.
Of particular interest are the "sshd[xxxx]: Accepted password for USER from IP" and "Accepted publickey for ..." entries, which should only ever name users on your AllowUsers list and sources you expect, and the "sshd[xxxx]: Failed password for USER from IP" entries, which reveal brute-force sources and the account names they target.
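As an added example (not part of the original article), the script below runs the checks just described over a few constructed /var/log/secure lines with awk: failed-password counts per source address, successful logins by accounts outside the AllowUsers list from section 3 (testuser and eric), and the number of successful password logins, which must be zero once section 7 is applied. The log lines and the threshold are constructed for the demonstration; the message formats are the ones sshd writes through syslog.

```shell
#!/bin/sh
# Added example (not from the original article): pull the three signals that
# matter out of /var/log/secure. The sample log below is constructed; the line
# formats are the ones sshd writes via syslog.

SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 10:12:01 host1 sshd[2341]: Accepted publickey for eric from 192.168.1.20 port 51234 ssh2
Mar  3 10:12:05 host1 sshd[2350]: Failed password for root from 203.0.113.7 port 40001 ssh2
Mar  3 10:12:07 host1 sshd[2350]: Failed password for root from 203.0.113.7 port 40001 ssh2
Mar  3 10:12:09 host1 sshd[2352]: Failed password for invalid user admin from 203.0.113.7 port 40010 ssh2
Mar  3 10:12:11 host1 sshd[2355]: Failed password for invalid user oracle from 203.0.113.7 port 40012 ssh2
Mar  3 10:13:40 host1 sshd[2360]: Accepted password for bob from 10.0.0.5 port 50011 ssh2
Mar  3 10:14:02 host1 sshd[2365]: Failed password for testuser from 10.0.0.9 port 50020 ssh2
Mar  3 10:14:20 host1 sshd[2370]: Accepted publickey for testuser from 10.0.0.9 port 50021 ssh2
EOF

# failed_by_source LOG MIN: sources with at least MIN failed passwords, busiest first.
# The address is the word after "from", which works for both the
# "Failed password for USER" and "Failed password for invalid user USER" forms.
failed_by_source() {
    awk -v min="$2" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { hits[$(i + 1)]++; break }
        }
        END { for (ip in hits) if (hits[ip] >= min) print ip, hits[ip] }
    ' "$1" | sort -k2,2nr
}

# accepted_outside_allowlist LOG USER...: successful logins by accounts that are
# not in the AllowUsers list; prints "user method source". Any output means the
# AllowUsers restriction is not in effect on this server.
accepted_outside_allowlist() {
    log=$1; shift
    awk -v allowed="$*" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /sshd\[[0-9]+\]: Accepted / {
            user = ""; ip = ""; method = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "Accepted") method = $(i + 1)
                if ($i == "for") user = $(i + 1)
                if ($i == "from") ip = $(i + 1)
            }
            if (!(user in ok)) print user, method, ip
        }
    ' "$log"
}

# count_accepted_passwords LOG: successful password logins. After section 7
# (PasswordAuthentication no) this must stay at zero; anything else is config drift.
count_accepted_passwords() {
    grep -c 'sshd\[[0-9]*\]: Accepted password for' "$1" || true
}

echo "== sources with 3 or more failed passwords"
failed_by_source "$SAMPLE_LOG" 3
echo "== successful logins by users outside AllowUsers (testuser eric)"
accepted_outside_allowlist "$SAMPLE_LOG" testuser eric
echo "== successful password logins: $(count_accepted_passwords "$SAMPLE_LOG")"
```

On a real server replace SAMPLE_LOG with /var/log/secure and run the three functions from cron; the "invalid user" lines are the usual sign of a dictionary scan, and a single source with many of them within a minute is exactly what the firewall rate limit in section 6 is meant to stop.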
16. Create a login banner for novice users.
The banner is shown to the client before authentication, so it is the place for a legal notice or usage warning; keep server details out of it. Log in as root and create the banner file:
# vi /etc/ssh/sshd-banner
Open the sshd configuration file /etc/ssh/sshd_config:
# vi /etc/ssh/sshd_config
Add or edit the following line:
Banner /etc/ssh/sshd-banner
Save the file and restart the sshd server:
# /etc/init.d/sshd restart
17. Disable .rhosts Files
SSH can emulate the trust model of the obsolete rsh command, in which a user's ~/.rhosts or ~/.shosts file lists remote hosts that may log in without a password. Do not allow sshd to read these files. Update sshd_config with the following setting:
IgnoreRhosts yes
This is the OpenSSH default, but set it explicitly so that nobody can re-enable the insecure rsh-style access by accident.
18. Disable Host-Based Authentication
Host-based authentication trusts the client machine's host key instead of the user's own credentials, so one compromised client can reach every server that trusts it. To disable it, edit sshd_config with the following (it is off by default; set it explicitly):
HostbasedAuthentication no
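As an added example (not part of the original article), the script below audits an sshd_config for the settings recommended in sections 2, 4, 7, 9, 10, 17 and 18. It relies on three properties of sshd's parser: keywords are case-insensitive, the first occurrence of a keyword wins (so a hardening line appended at the end of the file does nothing if the keyword was already set above it), and directives below a Match line apply only conditionally. The two sample configuration files are constructed for the demonstration; which keywords are treated as safe when absent is an assumption based on OpenSSH's defaults and is marked in the code.

```shell
#!/bin/sh
# Added example (not from the original article): audit an sshd_config against
# the article's recommendations. Parser facts relied on: keywords are
# case-insensitive, the FIRST occurrence wins, and anything after "Match" is
# conditional. The sample configs at the bottom are constructed.

# effective_value FILE KEYWORD: the value sshd will use, or nothing if unset
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }                        # comment
        NF == 0          { next }                        # blank line
        tolower($1) == "match" { exit }                  # conditional section starts: stop
        tolower($1) == key { print $2; exit }            # first occurrence wins
    ' "$1"
}

# to_seconds VALUE: sshd time syntax (30, 30s, 2m, 1h) to seconds
to_seconds() {
    case "$1" in
        *h) echo $(( ${1%h} * 3600 )) ;;
        *m) echo $(( ${1%m} * 60 )) ;;
        *s) echo "${1%s}" ;;
        *)  echo "$1" ;;
    esac
}

# expect FILE KEYWORD WANT ABSENT_OK: print a finding and return 1 unless the
# effective value equals WANT. ABSENT_OK=yes means the compiled-in default
# already matches WANT (assumption: OpenSSH defaults), so an unset keyword passes.
expect() {
    got=$(effective_value "$1" "$2" | tr 'A-Z' 'a-z')
    if [ -z "$got" ]; then
        if [ "$4" = yes ]; then return 0; fi
        echo "WEAK  $2 is not set (want $3)"; return 1
    fi
    if [ "$got" = "$3" ]; then return 0; fi
    echo "WEAK  $2 = $got (want $3)"; return 1
}

# audit_sshd_config FILE: list findings, then a final "findings: N" line
audit_sshd_config() {
    f=$1; n=0
    expect "$f" PermitRootLogin no no          || n=$((n + 1))   # section 2
    expect "$f" Protocol 2 yes                 || n=$((n + 1))   # section 4; absent is fine on OpenSSH >= 7.6
    expect "$f" PasswordAuthentication no no   || n=$((n + 1))   # section 7
    expect "$f" IgnoreRhosts yes yes           || n=$((n + 1))   # section 17
    expect "$f" HostbasedAuthentication no yes || n=$((n + 1))   # section 18

    ms=$(effective_value "$f" MaxStartups)                       # section 9: needs start:rate:full
    case "$ms" in
        *:*:*) ;;
        *) echo "WEAK  MaxStartups = ${ms:-not set} (want start:rate:full, e.g. 4:60:10)"; n=$((n + 1)) ;;
    esac

    lgt=$(effective_value "$f" LoginGraceTime)                   # section 10: 2m is the default
    if [ "$(to_seconds "${lgt:-2m}")" -gt 60 ]; then
        echo "WEAK  LoginGraceTime = ${lgt:-2m (default)} (want 60 seconds or less)"; n=$((n + 1))
    fi
    echo "findings: $n"
}

WORK=$(mktemp -d)
WEAK_CONF="$WORK/sshd_config.weak"
HARD_CONF="$WORK/sshd_config.hardened"
cat > "$WEAK_CONF" <<'EOF'
# constructed sample: stock-style config with the weak settings discussed above
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
#IgnoreRhosts yes
HostbasedAuthentication no
MaxStartups 10
LoginGraceTime 2m
EOF
cat > "$HARD_CONF" <<'EOF'
# constructed sample: the article's settings applied
Port 2673
Protocol 2
PermitRootLogin no
AllowGroups myssh
PasswordAuthentication no
IgnoreRhosts yes
HostbasedAuthentication no
MaxStartups 4:60:10
LoginGraceTime 30
LogLevel INFO
EOF

for conf in "$WEAK_CONF" "$HARD_CONF"; do
    echo "== $conf"
    audit_sshd_config "$conf"
done
```

Point it at /etc/ssh/sshd_config on a real server; the first-occurrence rule is the one that bites in practice, because a distribution's default file often already sets PasswordAuthentication or PermitRootLogin near the top and a line added at the bottom is silently ignored.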
19. Use Keychain Based Authentication
keychain is a shell script that manages a long-running ssh-agent: you enter the key's passphrase once per boot and later shells reuse the agent. It makes key-based authentication convenient and flexible while keeping the private key encrypted on disk, which is its security benefit over passphrase-free keys.
20. Chroot SSHD (Lock Down Users To Their Home Directories)
By default a logged-in user can browse server directories such as /etc/ and /bin. You can confine users with an OS-level chroot or with a tool such as rssh. Since OpenSSH 4.8p1 the ChrootDirectory directive in sshd_config does this natively, so you no longer have to rely on third-party tools such as rssh or complicated chroot setups to lock users into their home directories.
21. Thwart SSH Crackers (Brute Force Attack)
Brute force is the method of defeating an authentication or cryptographic scheme by trying a large number of possibilities, here usernames and passwords, from a single host or a distributed network of compromised machines. Key-only authentication (section 7) makes it futile; the following tools also block repeat offenders at the source:
DenyHosts, Fail2ban, BlockHosts, Blacklist, Brute Force Detection ...
22. Use Port Knocking
Port knocking opens a port on the firewall from outside: the client makes connection attempts to a prearranged sequence of closed ports, and once the correct sequence is seen the firewall rules are modified dynamically to let that source host connect to the real service port. It hides sshd from scanners but is only an extra layer; anyone who observes the knock sequence can replay it, so it does not replace key authentication.
23. Use Log Analyzer
Read your logs with logwatch or logcheck. They go through the logs for a given period and produce a report on the areas you select. Make sure LogLevel is set to INFO or VERBOSE in sshd_config (INFO is the default; VERBOSE also records the fingerprint of the key used for each public-key login, which is what you need to tell users' keys apart; DEBUG is for troubleshooting only and floods the log):
LogLevel INFO
If you require help, contact SupportPRO Server Admin