
How to Lock Your SSH Server – CloudSavvy IT


SSH, which stands for Secure Shell, is not very secure in its default configuration: it accepts standard password authentication with no further restrictions. If you really want to lock down your server, you need to do more configuration.

Disallow Password Logins – Using SSH Keys

The first thing to do is remove password authentication completely and switch to SSH keys. SSH keys are a form of public key cryptography: you have a public key that acts as your username and a private key that acts as your password (except this password is 2048 characters long). Your private key is stored on your disk, encrypted with a passphrase, and loaded into ssh-agent. When you SSH to a server, instead of being asked for a password, ssh-agent authenticates to the server with your keys.

Even if you already use SSH keys, you still want to make sure your password logins are turned off, because the two are not mutually exclusive.


Generate SSH keys

You can generate a new SSH key with the ssh-keygen utility, which is installed by default on most Unix systems.

  ssh-keygen 

This will ask you for a passphrase to encrypt the local key file. It is not used for server authentication, but it should still be kept secret.

ssh-keygen stores your private key in ~/.ssh/id_rsa and your public key in ~/.ssh/id_rsa.pub. The private key stays on your hard drive; the public key must be uploaded to the server so that the server can verify your identity and confirm that you are allowed to access it.

The server keeps a list of authorized keys, usually stored in ~/.ssh/authorized_keys. You can append your public key to this file by hand, or you can use the ssh-copy-id utility:

  ssh-copy-id -i ~/.ssh/id_rsa.pub user@host 

Replace user@host with your own username and the hostname of the server. You will be asked to log in once more with your password; after that you should not be prompted for it again, and you can disable password login.
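The manual alternative to ssh-copy-id is appending the key line to authorized_keys yourself, and the usual reason that fails is file permissions: with the default StrictModes, sshd ignores an authorized_keys file that is group- or world-writable, or that lives in a ~/.ssh directory that is. The following function is an added example, not code from the article or from OpenSSH; it installs a public key the way ssh-copy-id does, creating ~/.ssh as 700 and authorized_keys as 600 and skipping keys already present. The target home directory argument and the sample key line in the usage are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original article): install an OpenSSH public
# key into a user's authorized_keys with the permissions sshd requires.
#
# install_pubkey PUBKEY_FILE HOME_DIR
#   The body runs in a subshell "( ... )" so the umask change and the
#   variables do not leak into the caller's shell.
install_pubkey() (
    pubkey_file=$1
    home_dir=$2
    ssh_dir="$home_dir/.ssh"
    auth_file="$ssh_dir/authorized_keys"

    # Accept only lines that look like an OpenSSH public key: type, blob, comment.
    key_line=$(head -n 1 "$pubkey_file")
    case "$key_line" in
        "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-nistp"*) ;;
        *) echo "not an OpenSSH public key: $pubkey_file" >&2; return 1 ;;
    esac

    # umask 077 makes every file/dir we create private; chmod pins the
    # exact modes StrictModes expects (700 for ~/.ssh, 600 for the file).
    umask 077
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth_file"
    chmod 600 "$auth_file"

    # Compare on "type blob" only, so a different comment does not cause a duplicate.
    key_id=$(printf '%s\n' "$key_line" | awk '{print $1 " " $2}')
    if grep -qF "$key_id" "$auth_file"; then
        echo "key already present in $auth_file"
        return 0
    fi
    printf '%s\n' "$key_line" >> "$auth_file"
    echo "installed key into $auth_file"
)

# count_keys HOME_DIR: number of key lines in that user's authorized_keys
# (0 if the file does not exist). Handy for a quick audit of who can log in.
count_keys() {
    [ -f "$1/.ssh/authorized_keys" ] || { echo 0; return; }
    grep -c -E '^(ssh-|ecdsa-)' "$1/.ssh/authorized_keys" || true
}

# Usage with a constructed key (not a real key) in a scratch directory:
#   printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyBlobConstructed0123456789abcd user@laptop\n' > /tmp/id.pub
#   install_pubkey /tmp/id.pub /tmp/scratch-home
#   count_keys /tmp/scratch-home
```

Run it as the target user (or as root followed by a chown of the directory to that user), because sshd also checks that ~/.ssh and authorized_keys are owned by the account logging in.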

Disable SSH Password Login

Now that you can access the server with your keys, you can disable password authentication altogether. Make sure that key-based authentication works or you will be locked out of your server.

Open /etc/ssh/sshd_config on the server in your favorite text editor and look for the line beginning with:

  #PasswordAuthentication 

Uncomment this line (remove the hash) and change 'yes' to 'no':

  PasswordAuthentication no 

Then restart sshd with:

  systemctl restart sshd 

Reconnect to confirm it took effect: if your key does not work, you will no longer be offered a password prompt.

If you want, you can also require public key authentication explicitly, which blocks every other authentication method. Add the following lines to /etc/ssh/sshd_config:

  AuthenticationMethods publickey
  PubkeyAuthentication yes 

and restart sshd .

Lockout Attackers with denyhosts

denyhosts is a utility to prevent repeated failed login attempts via SSH, similar to how your phone will lock you out after too many attempts. It is not installed by default, so you need to install it from your distro's package manager. For Debian based systems like Ubuntu it would be:

  sudo apt-get install denyhosts -y 

Once installed, enable it with:

  sudo systemctl enable denyhosts 

denyhosts should now run automatically, but you want to whitelist your own IP address in case you get locked out. You could always try again from a different IP address, but this will save you some hassle.

Open /etc/hosts.allow and add at the bottom of the file:

  sshd: your-ip-address 

replacing your-ip-address with your own IP address.

By default, denyhosts refuses after a failed attempt for root users and five failed attempts for other users. You can change this behavior by editing /etc/denyhosts.conf .

If you accidentally locked yourself out, you must stop denyhosts and delete your IP address from a few places:

  • /etc/hosts.deny
  • /var/lib/denyhosts/hosts
  • /var/lib/denyhosts/hosts-restricted
  • /var/lib/denyhosts/hosts-root
  • /var/lib/denyhosts/hosts-valid
  • /var/lib/denyhosts/users-hosts

Restart denyhosts and you should be able to reconnect.
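To see what denyhosts is actually doing with the thresholds above, here is the counting rule applied to sshd log lines. This is an added example and not denyhosts' own code: it reads "Failed password" lines, counts failures per source address, applies the article's stated defaults (one failure for root, five for any other user), honours a single whitelisted address the way the hosts.allow entry does, and prints the lines that would end up in /etc/hosts.deny. The log lines are constructed samples using documentation address ranges, not real traffic.

```shell
#!/bin/sh
# Added example (not from the article or from denyhosts): the per-address
# failure count behind a denyhosts-style lockout, run over sample log lines.

ROOT_THRESHOLD=1   # article's default: root is blocked after one failure
USER_THRESHOLD=5   # article's default: other users after five

# Constructed sshd auth log lines (documentation IP ranges, not real events).
SAMPLE_LOG='Mar  3 10:01:02 srv sshd[1201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar  3 10:01:05 srv sshd[1202]: Failed password for invalid user admin from 198.51.100.9 port 40001 ssh2
Mar  3 10:01:06 srv sshd[1203]: Failed password for invalid user admin from 198.51.100.9 port 40002 ssh2
Mar  3 10:01:07 srv sshd[1204]: Failed password for invalid user test from 198.51.100.9 port 40003 ssh2
Mar  3 10:01:08 srv sshd[1205]: Failed password for invalid user oracle from 198.51.100.9 port 40004 ssh2
Mar  3 10:01:09 srv sshd[1206]: Failed password for invalid user pi from 198.51.100.9 port 40005 ssh2
Mar  3 10:02:00 srv sshd[1207]: Failed password for alice from 192.0.2.44 port 50000 ssh2
Mar  3 10:02:30 srv sshd[1208]: Accepted publickey for alice from 192.0.2.44 port 50001 ssh2: ED25519 SHA256:constructed'

# hosts_to_deny [WHITELISTED_IP]
#   Reads log lines on stdin and prints one "sshd: IP" line per address
#   that reached its threshold, i.e. what would be appended to
#   /etc/hosts.deny. The optional argument mirrors the "sshd: your-ip"
#   line in /etc/hosts.allow: that address is never denied.
hosts_to_deny() {
    awk -v root_max="$ROOT_THRESHOLD" -v user_max="$USER_THRESHOLD" -v allow="${1:-}" '
        /sshd\[[0-9]+\]: Failed password for / {
            # Layout: "... Failed password for [invalid user] NAME from IP port N ssh2"
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i+1); user = $(i-1) }
            if (user == "root") root_fail[ip]++; else user_fail[ip]++
        }
        END {
            for (ip in root_fail) if (root_fail[ip] >= root_max) deny[ip] = 1
            for (ip in user_fail) if (user_fail[ip] >= user_max) deny[ip] = 1
            for (ip in deny) if (ip != allow) print "sshd: " ip
        }' | sort
}

# Usage:
#   printf '%s\n' "$SAMPLE_LOG" | hosts_to_deny
#   printf '%s\n' "$SAMPLE_LOG" | hosts_to_deny 203.0.113.7   # whitelist one address
```

On a live system you would feed it the real log (journalctl -u ssh or /var/log/auth.log) instead of SAMPLE_LOG. Note the single failure from 192.0.2.44 followed by a successful key login: a threshold of one for ordinary users would have blocked a legitimate typo, which is why the default for non-root accounts is higher.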

Whitelist SSH Access

Although forcing SSH keys with denyhosts is likely to provide adequate security, you can whitelist specific IP addresses. Most server providers offer tools to do this through a web interface. If that's an option, you'll want to whitelist from there instead of the SSH server because you can always change the whitelisted IP in case you get locked out.


If this is not an option, you must manually configure /etc/hosts.deny to block all traffic from unauthorized hosts.

An important note: if you whitelist your home address, bear in mind that your ISP may not give you a static IP address, so it may change at any time. Make sure that cannot happen before you block all other IP addresses, or add several addresses as a backup, or simply skip this step.

Open /etc/hosts.allow and make sure your IP address is in the file:

  sshd: your-ip-address 

If so, you can proceed and deny all other connections:

  echo 'sshd: ALL' >> /etc/hosts.deny 

Restart sshd and you should see your changes.
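Because the hosts.deny line above is what locks everyone else out, it is worth checking the decision for your own address before you append it. The following is an added example, not code from the article or from the TCP wrappers library: it models the order libwrap evaluates, a match in hosts.allow grants access, otherwise a match in hosts.deny refuses it, otherwise the connection is allowed. It handles only the exact-address and ALL forms the article uses (the real library also matches networks, domain suffixes and EXCEPT clauses), and takes the file paths as parameters so it can be run against scratch copies.

```shell
#!/bin/sh
# Added example (not from the article): simulate the sshd access decision
# TCP wrappers make from hosts.allow / hosts.deny for one client address.

# _wrapper_match DAEMON CLIENT FILE
#   Succeeds if any "daemon: client [client...]" line in FILE matches.
#   '#' starts a comment; ALL matches any daemon or any client. Daemon
#   lists with several names ("sshd, vsftpd") are not handled (assumption).
_wrapper_match() {
    [ -f "$3" ] || return 1
    awk -v d="$1" -v c="$2" '
        { sub(/#.*/, "") }                       # strip comments
        /^[[:space:]]*$/ { next }                # skip blank lines
        {
            split($0, parts, ":")
            dlist = parts[1]; clist = parts[2]
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", dlist)
            n = split(clist, clients, "[ \t,]+")
            for (i = 1; i <= n; i++) {
                if (clients[i] == "") continue
                if ((dlist == d || dlist == "ALL") && (clients[i] == c || clients[i] == "ALL")) {
                    found = 1; exit
                }
            }
        }
        END { exit found ? 0 : 1 }' "$3"
}

# wrapper_decision DAEMON CLIENT_IP ALLOW_FILE DENY_FILE
#   Prints "allow" or "deny" using libwrap's order: allow file first,
#   then deny file, and allow when neither matches.
wrapper_decision() {
    if _wrapper_match "$1" "$2" "$3"; then echo allow; return; fi
    if _wrapper_match "$1" "$2" "$4"; then echo deny; return; fi
    echo allow
}

# Usage against scratch copies (constructed addresses):
#   printf 'sshd: 203.0.113.5\n' > /tmp/hosts.allow
#   printf 'sshd: ALL\n'        > /tmp/hosts.deny
#   wrapper_decision sshd 203.0.113.5  /tmp/hosts.allow /tmp/hosts.deny   # allow
#   wrapper_decision sshd 198.51.100.7 /tmp/hosts.allow /tmp/hosts.deny   # deny
```

One caveat before relying on this at all: upstream OpenSSH dropped libwrap support in 6.7, and many current distribution builds of sshd no longer consult hosts.allow or hosts.deny. Check with `ldd "$(command -v sshd)" | grep -i wrap`; if nothing is printed, do the whitelisting in the host firewall (or the provider's firewall, as the section above recommends) instead.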

You can also set a proxy for your SSH server

If your SSH server is exposed to the internet but you need to reach it from several IP addresses, you can put a proxy in front of it to handle the connection. This could be another cloud server or even a box in your house.

The SSH server must be configured to accept connections only from the proxy, and the proxy must accept connections from anywhere. You can set up the proxy however you like; even a simple netcat relay will work. Keep in mind that this proxy is then the only way into your SSH server, so if the proxy fails you will be locked out unless you have a backup address.

Do not allow root login

Create a new user instead and give that user sudo privileges. This is basically the same, but with one major difference: potential attackers must know the name of your user account to even start attacking your server, because it will not be as simple as root@yourserver.

Aside from security, it is generally good Unix practice not to be logged in as root all the time, because actions taken as root are not attributed to an individual user in the logs, and root is never prompted before accessing protected resources.

Create a new user on your SSH server:

  adduser myfancyusername 

and set a password for that user:

  passwd myfancyusername 

You will not log in with this password, since you are still using SSH keys, but one is required. Ideally, make it different from your root password.

Add this user to /etc/sudoers to give it administrator rights:

  echo 'myfancyusername ALL=(ALL) ALL' >> /etc/sudoers 

Switch to that user with su myfancyusername and check whether you can switch back to root with sudo su (which does not require the root password). If you can, you have sudo access.

Now you want to block root login. In /etc/ssh/sshd_config, change:

  #PermitRootLogin yes 

Remove the hashtag and change "yes" to "no":

  PermitRootLogin no 

Restart sshd and your server should reject all attempts to log in as root.
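After editing sshd_config in the "Disable SSH Password Login" section and again here, it pays to check what sshd will actually use rather than what you think you wrote. The following is an added example, not code from the article or from OpenSSH: it reads a config file with sshd's own rules, keywords are case-insensitive, a commented line contributes nothing, the first occurrence of a keyword wins (so a PasswordAuthentication no appended below an existing PasswordAuthentication yes changes nothing), and directives inside a Match block are conditional and therefore not counted, and then compares the effective values against the settings the article asks for. It treats the optional AuthenticationMethods publickey line as required; drop it from EXPECTED if you skipped that step. The file path argument and the sample configs in the usage are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the article): audit an sshd_config for the
# hardening directives set in the password-login and root-login sections.

# Expected effective values, keyword=value, all lowercase (article's settings).
EXPECTED='passwordauthentication=no permitrootlogin=no pubkeyauthentication=yes authenticationmethods=publickey'

# effective_value FILE KEYWORD
#   Prints the value sshd would use for KEYWORD (lowercase keyword), or
#   "unset" if it never appears outside a Match block. Mirrors sshd_config(5):
#   first occurrence wins; '#' lines are comments; a Match line starts a
#   conditional section whose directives are ignored here.
effective_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blanks
        tolower($1) == "match" { exit }                 # conditional section begins
        tolower($1) == key { print $2; found = 1; exit } # first occurrence wins
        END { if (!found) print "unset" }' "$1"
}

# audit_sshd_config FILE
#   Prints one OK/FAIL line per expected setting; returns 1 if any fail.
audit_sshd_config() {
    rc=0
    for pair in $EXPECTED; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(effective_value "$1" "$key" | tr 'A-Z' 'a-z')
        if [ "$got" = "$want" ]; then
            echo "OK   $key=$got"
        else
            echo "FAIL $key: expected $want, effective value is $got"
            rc=1
        fi
    done
    return $rc
}

# Usage: audit_sshd_config /etc/ssh/sshd_config
# With a constructed "weak" file containing
#     PasswordAuthentication yes
#     PasswordAuthentication no
# the audit reports FAIL for passwordauthentication, because the first
# line is the one sshd honours; the appended "no" is silently ignored.
```

On systems that ship /etc/ssh/sshd_config.d/*.conf fragments, remember that the main file usually includes them at the very top, so a fragment's PasswordAuthentication yes wins over anything you set lower down; run the audit over each fragment as well, or use `sshd -T` to print the merged effective configuration.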

Setting up two-factor authentication

This is arguably overkill, but if you are worried about someone getting hold of your private SSH keys, you can configure your SSH server to use 2FA.

The easiest way to do this is to use Google Authenticator with an Android or iOS device, although SSH supports many two-factor methods. With Google Authenticator, you get a QR code that you scan with the Google Authenticator mobile app to link your phone to the server, and you also get a few backup codes to recover access in case your phone is lost. Do not keep these codes on your main computer, otherwise they are not really a second factor.
