Securing an SSH server on a Linux system can be a simple task or a pain in the ass. Today I will share some configurations to help secure an SSH server; the focus here isn’t to explain what the SSH protocol is but how it can be configured more securely.
SSH is the most used protocol for accessing remote hosts on the internet. It provides a secure channel between client and server and can use different types of authentication and tunneling mechanisms. By default the SSH server uses TCP port 22 and has a generic configuration file that allows a lot of configuration and integration with other services.
Today I will try to show how to secure an SSH server.
An SSH server can be installed by downloading the package or by using your system's package manager; installing SSH is outside the scope of this tutorial. But I can recommend a few things to help you choose the best solution for you.
Using the package manager can be a fast way to install the service, but do you trust the company that maintains the package? If you are using a Red Hat system with the official repos you may feel more comfortable, but even then you can’t guarantee the package wasn’t changed beforehand.
The other option is compiling directly from source and verifying the release hash to make sure it hasn't been tampered with by anyone.
After our service is installed
In order to verify the server version run the command as root:
The SSHD service is configured in a specific file. This file has all the server settings used to configure and secure our box. There are other files used by the service, but I will describe them later.
The SSH daemon can be managed by systemd, as on most Linux servers. Here I list some basic actions to manage the service.
Verify SSH Server status.
systemctl status sshd
Start SSH server service.
systemctl start sshd
Enable SSH server to start on boot:
systemctl enable sshd
Go to the sshd config file and ensure that only the number 2 is set as the ‘Protocol’ value. Many systems have already removed support for SSH v1, but many still support it. Red Hat removed support for SSH v1 in RHEL 7.4.
Always update your SSH server and disable the service features you don’t use.
yum update openssh-server
SSH X forwarding can be very useful for administering GUI applications remotely, but it is recommended to disable it because most SSH exploits target the X Window System. Only use the X Window System over SSH in a closed environment.
Changing the SSH server port is a good security practice to avoid automated scans that target the most common service ports. In order to change the server port run the following command:
The command will edit the sshd config file and change the port setting.
Not only for SSH but for all protocols, it is strongly advised to disable all users without passwords, although the SSH server is smart enough to detect users without passwords and doesn't let them log in.
To achieve this
The SSH server logs can be found at /var/log/sshd unless logging was configured to go to another folder.
You can do it by hand or use My Optimize Script
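As an added example (not part of the original post and not the author's script), this shell function checks a config file for the four settings discussed above: Protocol, X11Forwarding, Port and PermitEmptyPasswords. The function name, messages and sample config are constructed for illustration; it relies on documented sshd_config behaviour: the first value of a keyword wins, Port may repeat, and the global section ends at the first Match line.

```shell
#!/bin/sh
# Added example, not from the original post. Audits the global section of an
# sshd_config (file argument, or stdin) for the settings this guide covers.
# Prints one FAIL line per finding, or OK; returns non-zero on any finding.
audit_sshd_config() {
    awk '
    NF == 0 || $1 ~ /^#/ { next }            # skip blank lines and comments
    { sub(/=/, " "); key = tolower($1); val = tolower($2) }  # "Key=value" form, any case
    key == "match" { exit }                  # conditional overrides start here: stop
    key == "port"  { ports[val] = 1; nports++; next }  # Port may repeat, all listen
    (key in seen)  { next }                  # sshd keeps the FIRST value of a keyword
    { seen[key] = val }
    END {
        if (nports == 0) ports["22"] = 1     # default when no Port line is present
        if ("22" in ports) {
            print "FAIL Port: still listening on 22"; bad = 1 }
        if (seen["protocol"] ~ /1/) {
            print "FAIL Protocol: SSH v1 allowed (" seen["protocol"] ")"; bad = 1 }
        if (seen["x11forwarding"] == "yes") {
            print "FAIL X11Forwarding: yes"; bad = 1 }
        if (seen["permitemptypasswords"] == "yes") {
            print "FAIL PermitEmptyPasswords: yes"; bad = 1 }
        if (!bad) print "OK"
        exit bad + 0
    }' "$@"
}

# Constructed sample config: the late "X11Forwarding no" is ignored by sshd
# because an earlier line already set the keyword.
weak_sample() {
    cat <<'EOF'
# constructed sample, not a real server config
Protocol 2,1
x11forwarding yes
PermitEmptyPasswords=yes
X11Forwarding no
Match User backup
    X11Forwarding no
EOF
}

weak_sample | audit_sshd_config || echo "sample config needs hardening"
```

On a live server, running `sshd -T` as root prints the effective configuration, including values pulled in through Include files, which this file-level check does not follow.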
SSH exploits can be very dangerous. The SSH protocol, as we know, is used to access remote servers, encrypting all the data between client and server. An SSH exploit can compromise an entire company infrastructure when used by malicious hackers.
Securing an SSH server, or hardening it, can be done by following some security standards.
Do you have any other configuration to add to this guide?
Leave it in the comments!