Monday 10 March 2014

OpenSSH security/hardening tips #Linux/Unix

Objective: Strengthen security on SSH

Environment: CentOS-6.3 (32-bit)

OpenSSH version : OpenSSH_5.3p1

SSH Protocol version : 2

I noticed that many lines in sshd_config are commented out by default, so I enabled a few of the options that can strengthen SSH.

Any change made to /etc/ssh/sshd_config requires the corresponding daemon (sshd) to be restarted. I assume the reader is aware of this and will continue by explaining the options below.

1. Change the port on which sshd listens, or specify the local address together with the port on which sshd listens.
Port XXXX
or
ListenAddress 0.0.0.0:XXXX

2. The server disconnects if the user has not successfully logged in within 120 seconds.
LoginGraceTime 2m

If you stay at the login prompt without authenticating, you will see the server close the connection once the grace time expires.

3. Once logged in to the server, if there is no activity on the session for around 5 minutes, we can force an automatic logout by setting a shell timeout in /etc/bashrc:

# grep -i tmout /etc/bashrc
export TMOUT=300
#

You will see the message below if the session stays idle for 5 minutes.

# timed out waiting for input: auto-logout
Connection to XXX.XXX.XXX.XXX closed.

4. Use key-based authentication (RSA, DSA) to grant access to users, i.e. passwordless logins. How to create RSA/DSA keys to authenticate

PermitRootLogin without-password
# RSAAuthentication applies to protocol 1 only; it is harmless with protocol 2
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys
# AuthorizedKeysCommand takes the absolute path of a program that prints a user's
# keys, not yes/no; a value of "yes" is invalid, so leave it unset unless you use one.
#AuthorizedKeysCommand /path/to/program

# To disable tunneled clear text passwords, change to no here!
PermitEmptyPasswords no
PasswordAuthentication no

5. sshd should check the file modes and ownership of the user's files and home directory before accepting a login.
StrictModes yes

6. Ideally the number of password prompts per connection would be two; once the allowed attempts are exhausted, the connection is dropped.
MaxAuthTries 3

7. Restrict the maximum number of concurrent unauthenticated connections to the SSH daemon.
MaxStartups 2

8. You can use the allow/deny directives for users and groups; for groups, login is allowed or refused when the user's primary or supplementary group list matches one of the listed patterns.
AllowGroups sshgroup

9. Finally, you can configure ChrootDirectory, which specifies the pathname of a directory to jail the user in after authentication. All components of the pathname must be root-owned.
If you are interested in how to jail users, click here
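As an added example (not part of the original post), here is a small Python audit that parses an sshd_config the way sshd reads it (case-insensitive keywords, first occurrence of a keyword wins, directives after a Match line are conditional) and reports which of the settings from items 1 to 8 above are not met. The sample configuration is constructed, and the DEFAULTS table holds OpenSSH's defaults for keys left unset.

```python
import re
# Constructed sample sshd_config: it still permits password logins, and the
# directive under "Match" must not be mistaken for the global setting.
SAMPLE_CONFIG = """\
LoginGraceTime 2m
permitrootlogin = without-password
#PasswordAuthentication no
PasswordAuthentication yes
MaxStartups 10:30:100
Match User backup
    PasswordAuthentication no
"""
DEFAULTS = {"permitrootlogin": "yes", "pubkeyauthentication": "yes",  # OpenSSH defaults
            "passwordauthentication": "yes", "permitemptypasswords": "no",
            "strictmodes": "yes", "maxauthtries": "6", "logingracetime": "120",
            "maxstartups": "10"}

def parse_sshd_config(text):
    """Global directives as {lowercased keyword: value}; as in sshd, first occurrence wins."""
    settings, in_match = {}, False
    for raw in text.splitlines():
        m = re.match(r"([A-Za-z0-9]+)\s*=?\s*(.*)", raw.split("#", 1)[0].strip())
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        in_match = in_match or key == "match"  # everything after Match is conditional
        if not in_match:
            settings.setdefault(key, value)
    return settings

def seconds(value):  # LoginGraceTime accepts bare seconds or a unit suffix (s, m, h)
    num, unit = re.fullmatch(r"(\d+)([smh]?)", value.lower()).groups()
    return int(num) * {"": 1, "s": 1, "m": 60, "h": 3600}[unit]

def audit(settings):
    """Names of the recommendations above that the configuration does not meet."""
    cfg = {**DEFAULTS, **{k: v.lower() for k, v in settings.items()}}
    checks = [
        ("PermitRootLogin", cfg["permitrootlogin"] != "yes"),
        ("PubkeyAuthentication", cfg["pubkeyauthentication"] == "yes"),
        ("PasswordAuthentication", cfg["passwordauthentication"] == "no"),
        ("PermitEmptyPasswords", cfg["permitemptypasswords"] == "no"),
        ("StrictModes", cfg["strictmodes"] == "yes"),
        ("MaxAuthTries", int(cfg["maxauthtries"]) <= 3),
        ("LoginGraceTime", seconds(cfg["logingracetime"]) <= 120),
        ("MaxStartups", int(cfg["maxstartups"].split(":")[0]) <= 2),
        ("AllowGroups/AllowUsers", "allowgroups" in cfg or "allowusers" in cfg),
    ]
    return [name for name, ok in checks if not ok]
```

Run it against a copy of the real file with `audit(parse_sshd_config(open("/etc/ssh/sshd_config").read()))`; an empty list means every recommendation above is in place.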

To conclude, most of the OpenSSH options relevant to securing communication between server and client have been discussed.