Security Hardening Steps for OpenSSH Server

Umut Unal
Feb 13, 2022


Linux systems are usually administered over SSH. Before hardening that connection it helps to be clear about what SSH actually is.

What is SSH?

SSH stands for Secure Shell (you will also see the expansion Secure Socket Shell, but the protocol's name is simply Secure Shell). It is a remote administration protocol that lets users manage their servers over an untrusted network such as the Internet. SSH was created as an encrypted replacement for Telnet: a Telnet session between client and server is not encrypted, so anyone who can position themselves between the two, a man-in-the-middle, can read the whole conversation, credentials included, in clear text. And yes, that is not the most rigorous explanation of MITM attacks :)

SSH is far more secure than Telnet for reaching a remote server, transferring files or running commands, but using SSH is not by itself enough for a secure connection. The defaults in sshd_config are tuned for compatibility rather than hardening, so some additional configuration of that file is needed instead of running on the defaults.

Let’s get started:

1. Change the default port:

Let's open the SSH daemon configuration file first:

sudo nano /etc/ssh/sshd_config
sshd_config File

Change Port 22 to something else, for example 7777, so that connections aimed at the default port no longer reach sshd. Keep in mind that from then on you will have to pass the new port explicitly to every client (ssh and ssh-copy-id take -p, scp takes -P), and that any host firewall, and on SELinux systems the SSH port context (ssh_port_t), must allow the new port as well.

Changing Default Port

This keeps the noise from automated scanners and script kiddies out of your logs, but it is obscurity rather than security: a proper port scan will still show an SSH service listening on port 7777, so treat it as a complement to the steps below, not a substitute for them.

Every change in this and the following steps only takes effect after the daemon reloads its configuration. Before restarting, check the file for syntax errors with sshd -t (a typo in sshd_config can otherwise leave you locked out), and keep your current session open until you have confirmed that a fresh login works. I will not repeat this after each step, but it should be done every time. On Debian and Ubuntu the unit is called ssh, with sshd as an alias, so either name works:

systemctl restart sshd

2. Get more information about accessing your server:

By default the server logs every SSH login at LogLevel INFO. Setting LogLevel to VERBOSE records more detail about failed attempts and, for successful public-key logins, the fingerprint of the key that was used and the authorized_keys line it matched, which is what you need to tell individual keys apart when several people share an account. Avoid the DEBUG levels on production systems: they are very noisy and the manual page notes that they violate user privacy.

Logging Verbose

3. Limiting users and turning off root user:

Before we restrict who can log in over SSH, we need to stop the root account itself from connecting, so first we create an ordinary user who can obtain root through sudo.

useradd -m umtunl 

This creates the new user; the -m option also creates a home directory for it under /home.

Then we assign a password to the umtunl user. And yes, it should be a strong one :)

passwd umtunl

Next, we add the user we created to the administrative group. On Debian and Ubuntu that group is called sudo; on RHEL-family systems it is called wheel.

usermod -aG sudo umtunl

Now we edit /etc/ssh/sshd_config again.

In this file we set PermitRootLogin to no, so the root account can no longer authenticate over SSH at all (if you need root logins for automation, prohibit-password at least restricts them to key-based authentication). We then grant access to the newly created user by adding the line AllowUsers umtunl at the bottom; once AllowUsers is present, any account not listed is refused even with a valid password or key. Double-check the spelling of the username, and test a new login from a second terminal while your existing session stays open, because a typo here locks everyone out. Then we save the file and exit.

Changing Allowed Users

4. Disable SSH passwordless user connection requests:

As silly as it sounds, accounts without a password do exist, whether because someone forgot to set one or because a service account was created that way. Refusing SSH logins for such accounts means an attacker who learns or guesses a username cannot simply walk in without any credential.

We make this explicit by setting PermitEmptyPasswords to no. It is already the compiled-in default, but stating it guards against a stray override elsewhere in the configuration.

5. Connecting with SSH key:

The safest way to connect to your server is with an SSH key pair. With a key you log in without typing the account password, and once keys are in place you can disable password authentication entirely through the password-related settings in sshd_config, which takes online password guessing off the table.

When you generate an SSH key you get two parts, a public key and a private key. The public key is placed on the server you want to reach, in that user's ~/.ssh/authorized_keys. The private key stays on the computer you connect from and never leaves it.

We generate the key pair with the ssh-keygen command on the computer we will be connecting from (ssh-keygen -t ed25519 gives a short, modern key; the default type is also fine). I recommend that you do not leave the passphrase empty, and that you remember what you enter. Without a passphrase, anyone who copies the key file can use it; with one, the file alone is useless to them. I am creating the SSH key on an Ubuntu server for testing purposes.

ssh-keygen

With the command below we copy the public key to the server we want to reach. Options such as -p are given before the user@host argument, as in the manual page:

ssh-copy-id -p 7777 umtunl@192.168.0.26

Then we try an SSH connection from the Ubuntu machine. We are asked for the key's passphrase rather than the account password, and we get in.

Now we disable password logins by setting PasswordAuthentication to no in sshd_config. On its own that is not enough on most distributions: with UsePAM yes, the keyboard-interactive method can still prompt for a password, so set KbdInteractiveAuthentication no as well (on OpenSSH releases before 8.7 the keyword is ChallengeResponseAuthentication). We restart the sshd service with the systemctl restart sshd command, after confirming from a second terminal that the key login still works.

Then we try to log in from a Windows machine, a different client. The login fails, because that machine's public key was never added to the target server and passwords are no longer accepted.

6. Host based access blocking:

Suppose that for some reason you are not running a firewall on the server itself. You can still restrict which source addresses may reach sshd with TCP wrappers (host-based access control). We open the /etc/hosts.allow file and add the line sshd: allowed_ip_address

Then we add the line sshd : * to the /etc/hosts.deny file (ALL is the more usual keyword for the same thing).

In this way the sshd service accepts connections from the address we listed and refuses everyone else, hosts.allow being consulted before hosts.deny. Two caveats apply. Upstream OpenSSH dropped TCP wrappers support in version 6.7 (2014), so whether your sshd honours these files at all depends on the distribution build: Debian and Ubuntu packages carry a patch that keeps it, while RHEL 8 and later do not ship TCP wrappers. A portable alternative that needs no wrapper library is to bind the AllowUsers entry to a source address, for example AllowUsers umtunl@192.168.0.34, which sshd evaluates itself.

7. Allowing SSH access from specific addresses:

If you only want SSH reachable from addresses you specify, a host firewall is the right tool. The example is on Ubuntu, but the same logic applies to other operating systems. Ubuntu ships ufw as its firewall front end; if you prefer, you can work with iptables or nftables directly. One ordering detail matters: ufw's default policy for incoming traffic is deny, so add the allow rule for your own address before enabling it, otherwise enabling it first can cut off the very session you are working from.

First enter the rule that admits connections from the address you administer from. You can also give a subnet in CIDR notation here if you wish.

sudo ufw allow from 192.168.0.34 to any port 7777

Then activate ufw. From this point everything not explicitly allowed, including SSH from any other address, is dropped by the default policy.

sudo ufw enable

If you prefer the SSH block to be visible as an explicit rule rather than relying on the default policy, add one. ufw evaluates rules in order, so it must come after the allow rule.

sudo ufw deny from any to any port 7777

Next, let's view the rules we added.

sudo ufw status numbered

The whole sequence is shown in the following figure.

In this way, only the address 192.168.0.34 can reach SSH on this server.

8. Use SSH Protocol 2:

SSH protocol 2 is the secure version of the protocol; version 1 has known cryptographic weaknesses and has been deprecated for many years. If you want to examine the differences between SSH1 and SSH2 in detail, this article is very useful.

SSH2

OpenSSH has defaulted to protocol 2 for a long time, and since OpenSSH 7.4 the server cannot speak protocol 1 at all, so on a current system the Protocol keyword is accepted for compatibility but has no effect. It still matters on old servers, appliances and IoT devices running legacy builds, where adding Protocol 2 to sshd_config and restarting the daemon, as with every change, prevents a downgrade to version 1. If you are unsure what a given host runs, check its version with ssh -V.

When we connect again to test, the client negotiates whichever protocol the server supports. Forcing protocol 1 with ssh -1 fails immediately with the error "SSH protocol v.1 is no longer supported". That message comes from the client itself: OpenSSH removed protocol 1 from the ssh client in 7.6, so a modern client cannot even attempt it.

SSH Protocol 2

9. Limit access attempt:

The server does not actually allow unlimited guesses: the default MaxAuthTries is 6 attempts per connection, and once half of that (3) is reached the further failures are logged. Attackers simply reconnect, though, and every new TCP connection gets a fresh budget, which is what brute-force tools rely on. Lowering MaxAuthTries to 3 shortens each connection's budget, and in practice someone who fails three times in a row has no business on that server. Keep in mind that every public key the client offers also counts as an attempt, so a user with many keys loaded in ssh-agent can exhaust a low limit before the right key is tried (pinning the key with IdentitiesOnly on the client side avoids this). For real brute-force protection, pair this setting with rate limiting at the firewall (ufw limit) or a log-driven tool such as fail2ban, and keep an eye on the logs from step 2.

Max Tries
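Steps 2 and 9 are only useful if someone actually reads what sshd logs. As an added example, not part of the original article, here is a small set of shell functions that pull the two interesting things out of auth.log-style lines: which source addresses are hammering the server with failed passwords (the brute-force pattern that MaxAuthTries slows down but does not stop, since it is counted per connection), and which key fingerprint each accepted public-key login used, the detail LogLevel VERBOSE makes available. The log file path and every log line are constructed for the demonstration (documentation IP ranges, an invented fingerprint, the username and port from this article); on a real Ubuntu host point the functions at /var/log/auth.log.

```shell
#!/usr/bin/env bash
# Added example, not from the original article. All log lines below are
# constructed (documentation IP ranges, invented fingerprint) in the format
# sshd writes through syslog; on a real Ubuntu host use /var/log/auth.log.

# write_sample_authlog FILE: write the constructed sample log to FILE.
write_sample_authlog() {
    cat > "$1" <<'EOF'
Feb 13 10:01:02 srv sshd[1201]: Failed password for invalid user admin from 203.0.113.45 port 51234 ssh2
Feb 13 10:01:05 srv sshd[1201]: Failed password for invalid user admin from 203.0.113.45 port 51234 ssh2
Feb 13 10:01:08 srv sshd[1201]: Failed password for invalid user admin from 203.0.113.45 port 51234 ssh2
Feb 13 10:01:08 srv sshd[1201]: Disconnecting invalid user admin 203.0.113.45 port 51234: Too many authentication failures [preauth]
Feb 13 10:01:12 srv sshd[1208]: Invalid user oracle from 203.0.113.45 port 51240
Feb 13 10:01:14 srv sshd[1208]: Failed password for invalid user oracle from 203.0.113.45 port 51240 ssh2
Feb 13 10:02:30 srv sshd[1220]: Failed password for umtunl from 192.168.0.34 port 40122 ssh2
Feb 13 10:02:41 srv sshd[1220]: Accepted publickey for umtunl from 192.168.0.34 port 40122 ssh2: ED25519 SHA256:Ua3bQd0oR0sXK8E2n8YqJt1j0vQ7rN4m5hL2kP9cZwE
Feb 13 10:02:41 srv sshd[1220]: pam_unix(sshd:session): session opened for user umtunl(uid=1000) by (uid=0)
EOF
}

# ssh_failures_by_ip FILE: "count ip" per source of failed passwords, most first.
ssh_failures_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
             for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
         }
         END { for (ip in n) printf "%d %s\n", n[ip], ip }' "$1" | sort -rn
}

# ssh_bruteforce_sources FILE [THRESHOLD]: sources with at least THRESHOLD
# (default 3) failed passwords, counted across all of their connections.
ssh_bruteforce_sources() {
    ssh_failures_by_ip "$1" | awk -v t="${2:-3}" '$1 >= t { print $2 }'
}

# ssh_accepted_keys FILE: "user ip fingerprint" for each public-key login.
ssh_accepted_keys() {
    awk '/sshd\[[0-9]+\]: Accepted publickey for/ {
             user = ""; ip = ""; fp = ""
             for (i = 1; i <= NF; i++) {
                 if ($i == "for")  user = $(i + 1)
                 if ($i == "from") ip = $(i + 1)
                 if ($i ~ /^SHA256:/) fp = $i
             }
             printf "%s %s %s\n", user, ip, fp
         }' "$1"
}

sample="$(mktemp)"
write_sample_authlog "$sample"
echo "== failed passwords per source =="; ssh_failures_by_ip "$sample"
echo "== sources at or above 3 failures =="; ssh_bruteforce_sources "$sample" 3
echo "== accepted keys =="; ssh_accepted_keys "$sample"
rm -f "$sample"
```

The threshold in ssh_bruteforce_sources applies across connections, which is exactly the gap a reconnecting attacker exploits when only MaxAuthTries is set; fail2ban's sshd filter does the same counting with its own regular expressions and then bans the address at the firewall.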

10. Show warning with banner:

You can show a text of your own to anyone connecting to the server with the Banner parameter in the sshd_config file. The banner is sent before authentication, so unauthenticated users see it too; a common choice is Banner /etc/issue.net.

Banner

After making the change, we restart the SSH daemon and test it.

A banner is a good idea for a legal notice, but keep it free of details about the system (OS, version, hostname, purpose) that would help an attacker, and be careful not to phrase it as a challenge :D

11. Set SSH Connection Timeout Idle Value

Bear in mind that if you walk away from your PC, someone else can take over your open SSH session and do whatever they like with it. Leaving a computer unlocked is wrong in itself, but that is outside our topic of SSH security. What sshd itself can do is drop sessions whose client has gone away.

A common misunderstanding first: ClientAliveInterval does not log out idle users. It makes the server send a keepalive request through the encrypted channel after the given number of seconds without traffic, and the ssh client answers automatically whether or not a human is at the keyboard. The session is closed only when the client fails to answer ClientAliveCountMax times in a row (default 3), that is, when the connection or the client machine is dead. With ClientAliveInterval set to 180 seconds and ClientAliveCountMax left at 3, an unresponsive client is dropped after about nine minutes, which cleans up stale sessions but does not protect an unattended terminal. To actually log out an idle interactive shell, set the shell's TMOUT variable (for example in /etc/profile.d) or, better, lock the screen.

Time Interval

12. Turning off TCP port forwarding and X11 forwarding

An attacker who obtains an SSH login, or a legitimate user working from a compromised machine, can use SSH port forwarding to pivot from the server to other systems on its network, or X11 forwarding to reach the client's display. If you do not need these features, turn them off with AllowTcpForwarding no and X11Forwarding no; AllowAgentForwarding no and PermitTunnel no close the related channels. Note the caveat from the sshd_config manual: disabling TCP forwarding does not improve security unless users are also denied shell access, since a user with a shell can always run their own forwarder. The setting is therefore most valuable for restricted accounts (ForceCommand, a restricted shell) or scoped to them with a Match block.

You can find a more detailed explanation of X11 forwarding in this article: https://www.ldeo.columbia.edu/ldeo/it/security/ssh/ssh-faq-1.html
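Steps 1 to 5 and 8 to 12 all come down to directives in sshd_config, and auditing them by eye is how mistakes slip through. As an added example (not the article's own code), the script below checks a configuration file against those settings, following the two parsing rules from sshd_config(5) that trip people up: the first occurrence of a keyword wins (so a directive in an Include'd file at the top of Ubuntu's sshd_config silently overrides the one you edit further down), and anything after a Match line applies only to that match. The sample configuration, the username umtunl and the port 7777 are taken from the article; the file path is a temporary file the script creates itself. Include lines are not followed by this simplified parser, which is an assumption to be aware of; on a real system the most reliable input is the output of sshd -T, which already resolves includes and defaults.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: audit an sshd_config file
# against the hardening directives covered above. The sample configuration is
# constructed; on a real host run sshd_audit on /etc/ssh/sshd_config or,
# better, on the output of `sshd -T`, which resolves Include files and defaults.

# sshd_get FILE KEYWORD: print the value sshd would use for KEYWORD, or nothing
# if it is unset. As in sshd_config(5), keywords are case-insensitive, the first
# occurrence wins, and lines after a Match block are conditional, so they are
# skipped. Include lines are not followed (a limitation of this parser).
sshd_get() {
    awk -v k="$2" '
        BEGIN { k = tolower(k) }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        { kw = tolower($1) }
        kw == "match" { in_match = 1 }
        in_match { next }
        kw == k {
            sub(/^[ \t]*[^ \t]+[ \t]+/, ""); sub(/[ \t]+$/, "")
            print; exit
        }' "$1"
}

# sshd_check FILE KEYWORD EXPECTED: print one PASS/FAIL line; return 1 on FAIL.
sshd_check() {
    local actual
    actual="$(sshd_get "$1" "$2")"
    if [ "$actual" = "$3" ]; then
        printf 'PASS %-28s %s\n' "$2" "$actual"
        return 0
    fi
    printf 'FAIL %-28s got "%s", want "%s"\n' "$2" "${actual:-<unset>}" "$3"
    return 1
}

# sshd_audit FILE: run every check; the return value is the number of
# findings, so 0 means compliant and the function can gate a deployment.
sshd_audit() {
    local file="$1" fails=0 key expected port users
    while read -r key expected; do
        sshd_check "$file" "$key" "$expected" || fails=$((fails + 1))
    done <<'EOF'
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
MaxAuthTries 3
LogLevel VERBOSE
AllowTcpForwarding no
X11Forwarding no
ClientAliveInterval 180
ClientAliveCountMax 3
EOF
    # Port and AllowUsers have no single correct value, only a required shape.
    port="$(sshd_get "$file" Port)"
    if [ -n "$port" ] && [ "$port" != 22 ]; then
        printf 'PASS %-28s %s\n' Port "$port"
    else
        printf 'FAIL %-28s still the default port 22\n' Port; fails=$((fails + 1))
    fi
    users="$(sshd_get "$file" AllowUsers)"
    if [ -n "$users" ]; then
        printf 'PASS %-28s %s\n' AllowUsers "$users"
    else
        printf 'FAIL %-28s no AllowUsers restriction\n' AllowUsers; fails=$((fails + 1))
    fi
    printf '%d finding(s)\n' "$fails"
    return "$fails"
}

# Constructed sample: mostly hardened, but PasswordAuthentication is only set
# inside a Match block (and commented out globally) and
# KbdInteractiveAuthentication was never set, so the audit reports 2 findings.
write_sample_sshd_config() {
    cat > "$1" <<'EOF'
# constructed sample, not a real host's file
Include /etc/ssh/sshd_config.d/*.conf
Port 7777
PermitRootLogin no
#PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
MaxAuthTries 3
LogLevel VERBOSE
X11Forwarding no
AllowTcpForwarding no
ClientAliveInterval 180
ClientAliveCountMax 3
AllowUsers umtunl
Match User backup
    PasswordAuthentication no
EOF
}

sample="$(mktemp)"
write_sample_sshd_config "$sample"
sshd_audit "$sample"
rm -f "$sample"
```

Because sshd -T prints one lowercase keyword per line with comments, includes and Match blocks already resolved, feeding its output to sshd_audit (sudo sshd -T > /tmp/effective.conf) removes the parser's limitations and checks what the running daemon will really do rather than what one file says.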

Conclusion

By applying these steps we raise the security of SSH, and with it the security of systems that are increasingly administered remotely, a trend the pandemic has accelerated. There are of course many other ways to make SSH more secure beyond the sshd_config file itself, such as putting the service behind a VPN or a bastion host and keeping an eye on its logs.

Although I have written this post drawing on many Internet sources and my own experience, if there is anything you think I have expressed incorrectly, please do not hesitate to tell me.

Stay safe.


