OpenSSH

From ITS Wiki - Information Technology Services - University of Rhode Island

Jump to: navigation, search
Tux.png Linux

This page is part of a category. To see more pages like this, go to the Linux index.
Important.png ATTENTION
This article is for experienced users ONLY. Do not attempt the following if you are unfamiliar with the material. If in doubt, please contact the Help Desk at 874-HELP.


OpenSSH encrypts all traffic (including passwords) to effectively eliminate eavesdropping, connection hijacking, and other attacks. Additionally, OpenSSH provides secure tunneling capabilities and several authentication methods, and supports all SSH protocol versions.

Security

Disable Remote Root Logins

The most common user account that people attempt to brute force is the root account. Fortunately, root logins can easily be disallowed in the opensshd config file by adding setting PermitRootLogin to no. Doing this greatly reduces the probability of a successful brute force attempt.

Allow Remote Logins on a Per-user Basis

A linux system normally comes with many user accounts, most of which are system accounts that will never need to login via SSH. A good security policy should grant remote access only to accounts that require it. My favorite method of doing this is via the pam_access module, but the easiest way is via the Allow And Deny directives in the sshd config file. see the sshd_config manual page for more information.

Require Key-based Authentication

Instead of using *nix account passwords to authenticate via SSH, server administrators can require users to authenticate using public keys. Public keys are usually at least 1024 bits (128 bytes) -- much longer (and hence harder to brute force) than a password. In order to access the server, users must have their key files, which are stored encrypted in case they are stolen. Using public key authentication greatly reduces the possibility of brute force attacks.

Restrict Access By IP Address

A good firewall policy should identify which hosts need to access which services. This includes SSH. If you only need SSH access from a single static IP Address, then your firewall policy should reflect that.

In Addition, access can be further restricted via the pam_access module. This configuration is usually in /etc/security/access.conf. In order for these settings to work, you must have UsePam set to yes in your sshd_config and make sure your pam ssh configuration requires pam_access.so.

Limit Failed Logins

Using Fail2ban is the easiest way of doing this. fail2ban will block an IP Address after x failed logins in y seconds. The block period is configurable.

An iptables firewall can also be configured to limit the numbef of connection attempts per remote IP Address.

See Also