{"id":2438,"date":"2018-09-12T14:31:06","date_gmt":"2018-09-12T18:31:06","guid":{"rendered":"https:\/\/easy-admin.ca\/?p=2438"},"modified":"2018-09-19T12:49:15","modified_gmt":"2018-09-19T16:49:15","slug":"securing-ssh-follow-up","status":"publish","type":"post","link":"https:\/\/easy-admin.ca\/index.php\/2018\/09\/12\/securing-ssh-follow-up\/","title":{"rendered":"Guide to secure SSH on Centos 7"},"content":{"rendered":"

1. Overview<\/h1>\n

 <\/p>\n

SSH is the default secured remote management protocol for almost all of Linux distributions. SSH provides a confidentiality and integrity by data encryption and passwords are no longer sent in plain text over the network. Nevertheless, a default configuration of SSH can put the server in a security risk.<\/p>\n

That is why it is important to follow a few simple steps to harden an SSH server that can dramatically reduce the risk.<\/p>\n

2. Prerequisites<\/h1>\n

 <\/p>\n

In this document, it is assumed that:<\/p>\n

You have already install RHEL\/CentOS 7 Linux server up and running.<\/p>\n

3. Disable Root Logins<\/h1>\n

 <\/p>\n

For security concern, it is not recommended to use root user to login via SSH over a network. The best approach is to use normal user to login to the server and use command sudo to perform the task that required root privilege. For more detail about Sudo, please check Linux Privilege Delegation With Sudoers<\/a>. To disable root login via SSH, update file \/etc\/ssh\/sshd_config and restart SSH service as the following.<\/p>\n

#vim \/etc\/ssh\/sshd_config
\nPermitRootLogin no
\n#systemctl restart sshd<\/p><\/blockquote>\n

4. Limit User Logins<\/h1>\n

 <\/p>\n

By default, all valid users on the system are able access the server. For security reason, we should limit to only certain users who really need to have SSH access to the server. Add the parameter AllowUsers followed by a space separated list of usernames to file \/etc\/ssh\/sshd_config. In the following example, there are only two users, \u201cjohn\u201d and \u201csysadmin\u201d who can remote SSH to the server.<\/p>\n

<\/div>\n

$sudo vim \/etc\/ssh\/sshd_config
\nAllowUsers\u00a0 john sysadmin
\n$sudo systemctl restart sshd<\/p><\/blockquote>\n

5. Disable Protocol 1<\/h1>\n

 <\/p>\n

Using protocol 1 of SSH is less secure. We should be disabled it and always use protocol 2 only instead. Edit file \/etc\/ssh\/sshd_config and restart SSH service as the following.<\/p>\n

$sudo vim \/etc\/ssh\/sshd_config
\nProtocol 2
\n$sudo systemctl restart sshd<\/p><\/blockquote>\n

6. Change Default Port<\/h1>\n

 <\/p>\n

Port 22 is the default SSH listens port for incoming connections. The hacker can constantly scanning the server for port 22, and an effective method is to changing the default SSH port, for example to port 22224 as the following,\u00a0 to eliminate this attacks.<\/p>\n

$sudo vim \/etc\/ssh\/sshd_config
\nPort 22224<\/p><\/blockquote>\n

Now we need to check SELinux what ports sshd is allowed to listen on by executing the following command.<\/p>\n

$sudo semanage port -l | grep ssh
\nssh_port_t\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 tcp\u00a0\u00a0\u00a0\u00a0\u00a0 22224<\/p><\/blockquote>\n

To allow sshd to listen on the new port 2223 we have to add a rule to SELinux and restart SSH service as the following<\/p>\n

$sudo semanage port -a -t ssh_port_t -p tcp 22224
\n$sudo systemctl restart sshd<\/p><\/blockquote>\n

7. Limit Access With Firewall<\/h1>\n

 <\/p>\n

For security enhancement, we should filter the connections with firewall by adding a firewall rule in IPTables to limit access on the changed port 2223 to only an authorized IP addresses. Edit file \/etc\/sysconfig\/iptables and restart IPTable service as the following.<\/p>\n

$sudo vim \/etc\/sysconfig\/iptables
\n-A INPUT -p tcp -m state \u2013state NEW -m tcp -s 192.168.10.0\/24 \u2013dport 22224 -j ACCEPT
\n$sudo systemctl restart iptables<\/p><\/blockquote>\n

8. Limit Idle Timeout Interval<\/h1>\n

 <\/p>\n

If a timeout period for SSH connections on a server is not setting up, it is a security risk. In many cases, people stay away from their computers without locking the screens and SSH is still connected to the server. Thus, it could be compromise. Edit file \/etc\/ssh\/sshd_config as the following. The timeout interval is in seconds.\u00a0 So let set it to 300 seconds to have 5 minutes idle timeout.<\/p>\n

$sudo vim \/etc\/ssh\/sshd_config
\nClientAliveInterval 300
\nClientAliveCountMax 0
\n$sudo systemctl restart sshd<\/p><\/blockquote>\n

9. Limit Maximum Fail Authentication<\/h1>\n

 <\/p>\n

Limiting a maximum fail authentication with SSH is a good method to stop the password brute-forcing attacks. If a user input the password incorrectly for N-1 times of the limited N time, the SSH remote session will be disconnected and will have to reconnect again. In below configuration, when user incorrectly input the password for times, the remote session\u00a0 will be disconnected.<\/p>\n

<\/div>\n

$sudo vim \/etc\/ssh\/sshd_config
\nMaxAuthTries 5
\n$sudo systemctl restart sshd<\/p><\/blockquote>\n

10. Limit Listen Address<\/h1>\n

 <\/p>\n

The default configuration of SSH will listens on all available interfaces which it should be limited. If there are multiple interfaces on the server configured with different IP addresses, it is always best to limit the user to login to the server using management IP address only.<\/p>\n

$sudo vim \/etc\/ssh\/sshd_config
\nListenAddress 192.168.10.10
\n$sudo systemctl restart sshd<\/p><\/blockquote>\n

11. Disable Rhosts Files Support<\/h1>\n

 <\/p>\n

File .rhosts is used to control which computers trust other computers for SSH remote access to with a certain user account. If a computer trust another computer, then it will allow a specified user to remote SSH access to the trusted computers without having to enter a password.<\/p>\n

$sudo vim \/etc\/ssh\/sshd_config
\nIgnoreRhosts yes
\n$sudo systemctl restart sshd<\/p><\/blockquote>\n

12. Disable Empty Passwords Access<\/h1>\n

 <\/p>\n

In some case, a certain user account on the server might not have set a password or has empty password. It is a best to always disable these users connecting with remote SSH server.<\/p>\n

$sudo vim \/etc\/ssh\/sshd_config
\nPermitEmptyPasswords no
\n$sudo systemctl restart sshd<\/p><\/blockquote>\n

13. Disable Host-Based Authentication<\/h1>\n

 <\/p>\n

Host-based authentication allows hosts to authenticate on behalf of all or some of the users using the public key.<\/p>\n

$sudo vim \/etc\/ssh\/sshd_config
\nHostbasedAuthentication no
\n$sudo systemctl restart sshd<\/p><\/blockquote>\n

14. Enable Informational Log Level<\/h1>\n

 <\/p>\n

It is good to configure SSH server to log INFO level information. Since SSH is an entry point to our server, it is recommended to log as much as possible, so we will a comprehensive log information when we run into a problem.<\/p>\n

$sudo vim \/etc\/ssh\/sshd_config
\nLogLevel INFO
\n$sudo systemctl restart sshd<\/p><\/blockquote>\n

15. Reduce Maximum Start Up Connection<\/h1>\n

 <\/p>\n

Reducing the maximum number of concurrent connections to the SSH daemon can be helpful against a brute-force attack. The setting of MaxStartups 4 tells the ssh server to allow only 4 users to attempt logging in at the same time.<\/p>\n

$sudo vim \/etc\/ssh\/sshd_config
\nMaxStartups 4
\n$sudo systemctl restart sshd<\/p><\/blockquote>\n

16. Reduce Login Grace Time<\/h1>\n

 <\/p>\n

When we try to remote SSH a server, the default configuration will us 2 minutes to login. If we do not do any thing or cannot successfully login within 2 minutes, SSH session will be disconnected. The default 2 minutes time to login successfully is too much. we should consider reduce it to 1 minute instead.<\/p>\n

$sudo vim \/etc\/ssh\/sshd_config
\nLoginGraceTime 1m
\n$sudo systemctl restart sshd<\/p><\/blockquote>\n","protected":false},"excerpt":{"rendered":"

1. Overview   SSH is the default secured remote management protocol for almost all of Linux distributions. SSH provides a confidentiality and integrity by data encryption and passwords are no longer sent in plain text over the network. Nevertheless, a default configuration of SSH can put the server in a security risk. That is why … Continue reading Guide to secure SSH on Centos 7<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":2443,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-2438","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-general"],"_links":{"self":[{"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/posts\/2438","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/comments?post=2438"}],"version-history":[{"count":0,"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/posts\/2438\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/media\/2443"}],"wp:attachment":[{"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/media?parent=2438"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/categories?post=2438"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/tags?post=2438"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}