Making ssh even more secure

ssh is just about the most secure way you can provide access to a system. But even ssh is subject to attacks. You can reduce the likelihood of a breach even further with a few fairly simple steps. The specifics below are for Ubuntu 16.04, but the principles are the same for any modern Unix.

The most obvious step is not to have ssh open to the world unless you really need it!

If you have an ssh server running on your system, but don’t need ssh access to that system, either uninstall the ssh server or disable it. To disable the server, just run systemctl disable ssh, then killall sshd to stop any running sessions.

To remove the server altogether, use your package manager; on Ubuntu it would be apt-get purge openssh-server. Don’t uninstall ssh; you’ll lose the client as well and you probably don’t want to do that.

But assuming that you do need ssh access to your system, here are some things you should do to lock it down. In rough order of goodness:

  1. Turn off password access; require a publickey login. To do this, edit /etc/ssh/sshd_config and set “PasswordAuthentication” to “no”.
  2. Move ssh to a different port. Choose a random number between 1024 and 65000 and put ssh on that port. To do this, edit /etc/ssh/sshd_config and set “Port” to your chosen port number. Numbers like 2222 are not random…
  3. Don’t permit root logins. People should log in as an ordinary user, then use su or sudo to get root access. To force this, edit /etc/ssh/sshd_config and set “PermitRootLogin” to “no”.
  4. Allow access only for accounts on your system that need it. To do this, edit /etc/ssh/sshd_config and set “AllowUsers” to a space-delimited set of acceptable usernames. Any username not in the list will be unable to log in.
  5. Turn off ssh Protocol 1. To do this, edit /etc/ssh/sshd_config and set “Protocol” to “2”.
  6. Permit only needed commands. If you only need external access for certain commands, lock ssh down to permitting only those commands. Use the “ForceCommand” and “Match” options in /etc/ssh/sshd_config to tie particular users, hosts, groups etc down to particular commands only.
  7. Limit access by IP address. If you will only be logging in from a limited set of other systems, allow ssh logins only from those IP addresses (or subnets). Again, the “Match” command in /etc/ssh/sshd_config is your friend here. Remember to limit both IPv4 and IPv6.
  8. Limit access by time of day. If you know you will only be logging in at certain times of the day or on certain days, turn off ssh access outside those times. This is most easily done via cron – just run systemctl stop ssh to turn off ssh access, and systemctl start ssh to turn it back on. Remember that stopping the service will not stop existing sessions! If you want to do that, run killall sshd after stopping the service.
  9. Limit access by address family. If you are IPv6 capable, turn off IPv4 access. To do this, edit /etc/ssh/sshd_config and set “AddressFamily” to “inet6”.
  10. Block repeat offenders. Consider setting up something like fail2ban or sshguard. These can blacklist the IP address of anyone who tries to log in (and fails) too frequently. These programs can protect many other services too. Setting these up is way beyond the scope of this article, but the time spent learning how to do so will stand you in good stead. If you are using IPv6, make sure you are checking for attempts using either protocol.

By the way, if you think your password is safe because it is complicated or unusual – you are probably wrong. Use publickey only, and protect your keys with long, strong passphrases.
