Secure Shell or with its most know name SSH is a protocol developed to connect IT systems remotely and securely. SSH works as expected client server architecture. In this post we will look various security related configuration options of the SSH daemon service or sshd. The tutorial about the client side ssh configuration can be found in the following link
Server Configuration File
Ssh generally works as a service or daemon. This service starts by reading some configure file about the service. This configuration file is located at
/etc/ssh/sshd_config . In most Linux distributions the file is used as startup config. In order to modify configuration file we need root privileges.
$ head /etc/ssh/sshd_config
Some rules requires comments about them. Comment are created with
# lines. Comments have no effect about sshd configuration.
#This is just a comment.
Restart Ssh Service
After ssh configuration file changes ssh service or daemon should be restart to take effect new configuration. There are different ways to restart ssh service but the most global way to restart ssh daemon is using
systemctl command like below.
$ sudo systemctl restart sshd
Stop Ssh Service
If the ssh is not used and we have direct access to the system stopping ssh service is more secure choose. We will stop ssh service with
$ sudo systemctl stop sshd
Check Ssh Service Status
After configuration changes we restart the ssh service but how can be sure it is working. There are different ways but most appropriate way is using
systemctl to get status of the service. This command also provide last logs about the service those can provide hints about configurations errors or similar things.
$ sudo systemctl status sshd
Specify Protocol Version
Ssh have two versions. As we expect version 1 is the old and non secure version. It is abandoned in long time ago but some ssh configurations may contain this version enabled. We will only enable the version 2 with following line.
By default all users in created on the system can login remotely. Enabling all users remote login opportunity is not a good security practice. We can limit login for specified users like below. In this example we only allow user i
smail to login remotely by using ssh.
Another way to limit users login is specifying user account those do not have right to login remotely by using ssh. All other users than specified ones will have remote access. In this example we deny remote access for user
root . Denying access for root is a good security practice.
Specify IP Address and Interface To Run
By default when ssh service is started it runs on all interfaces and IP addresses. This may create some security problem if the system have more than one network interface where some of them are in secure side. We can restrict the ssh service interface to run. Ssh service will not accept connections from other interfaces.
Configure Session Timeout
After connection is established the connection is stayed in open state forever if not closed explicitly. This is not a wanted situation for resource usage and security. We should define a timeout value which will close session after this time of inactivity. In this example we set this values as
Disable Root Login
One of the best practices is disabling
root account remote login. If there are other high privileged well known accounts these accounts must be disabled too.
While connecting systems remotely with ssh providing information warning information about the system is good way to prevent some attacks.
Banner "This system is monitored and logged in real time. In the case of attacks the legal actions will be taken against attacker."
Change Port Number
By default ssh uses TCP port 22 as port number. Most of the users and attackers assumes this default and takes action to the TCP port 22. If there is no operations cost changing the ssh server port is the best way. In the example we use port
1234 as ssh daemon port.
Disable Password Authentication
Password authentication is a simple method for user to authenticate themselves. But it is more simpler than other method for attackers to crack too. Users generally prefer simple and easy to remember passwords which make attackers work easy. We can disable password based authentication.
But the users should be all ready setup Public key based authentication in order to resume using ssh server. More information about how to setup public key based authentication can be found in the following link.
Only Public Key Based Authentication
By default public key authentication is enabled but enabling it explicitly will make it more reliable.
Disable Empty Passwords
Another great risk for ssh daemon is empty passwords. Modern Linux distributions generally prohibits empty passwords but disabling empty passwords will make us sure.
Enable Strict Mode
StrictMode checks some cases before the ssh server starts. Ssh key, configuration files ownership, permission checks are performed before ssh daemon starts. If one of them fails the ssh server daemon do not starts. Strict mode is enabled by default but generally closed by system administrators. For security reasons it should be enabled.
Disable X11 Forwarding
One of the best feature for ssh is forwarding X11 over remote connections. This is very useful feature for some system administrators and users. But this can create some security holes in the system. If X11 forwarding is not needed disable it.
Update Ssh Software
Now the last but one of the most important rule to make ssh servers and daemons secure. Updating is the magical way to make ssh more secure.
Ubuntu, Debian, Mint:
$ sudo apt upgrade ssh
Fedora, Kali, CentOS:
$ sudo yum update ssh