Difference between revisions of "SSH"
(One intermediate revision by the same user not shown)
Line 30: | Line 30: | ||
X11Forwarding no | X11Forwarding no | ||
− | Running on a port other than 22 will more or less eliminate the zombie hoardes of hammer bots, but disabling password auth altogether will achieve the same thing. Also consider a U2F auth gadget, e.g. Yubikey, or | + | Running on a port other than 22 will more or less eliminate the zombie hoardes of hammer bots, but disabling password auth altogether will achieve the same thing. Also consider a U2F auth gadget, e.g. Yubikey, or [https://github.com/Yubico/ykneo-openpgp/issues/2#issuecomment-218446368 better yet] Nitrokey which is fully open source. |
You can tar-pit hammer bots with fail2ban, or these two rules will just drop anyone failing to connect more than three times in 30 seconds: | You can tar-pit hammer bots with fail2ban, or these two rules will just drop anyone failing to connect more than three times in 30 seconds: | ||
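Review bot: the link added for "better yet" points at an issue in Yubico's ykneo-openpgp repository, i.e. the OpenPGP smart-card applet, while the same sentence describes the devices as a "U2F auth gadget"; say which mode is meant for holding the SSH key (OpenPGP/PIV applet versus U2F), or reword so the link supports the claim it is attached to. Also "hoardes" should be "hordes".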
Line 36: | Line 36: | ||
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set | iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set | ||
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 30 --hitcount 3 -j DROP | iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 30 --hitcount 3 -j DROP | ||
+ | |||
+ | == References == | ||
+ | |||
+ | * Boelen, M. [https://linux-audit.com/audit-and-harden-your-ssh-configuration/ "OpenSSH security and hardening"] Linux Audit, July 2018. |
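Review bot: the two rules in the context lines match `--dport 22`, but the options block earlier on the page suggests `Port 1234`; whichever port sshd ends up on, the `--dport` in both rules has to follow it, or the rate limit quietly protects the wrong port. `-m state --state NEW` is also the deprecated alias of `-m conntrack --ctstate NEW`. The new References entry itself is fine.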
Latest revision as of 03:01, 28 December 2018
To harden your SSH, step 1 is to disable protocol v1 connections and remove any v1-only options. Most of these options are deprecated but are probably cluttering your auth log with deprecation warnings, since on most distros they are still in the default /etc/ssh/sshd_config file. Ensure something like this:
Protocol 2
# Remove these options, they only apply to protocol 1:
KeyRegenerationInterval 3600
ServerKeyBits 1024
RSAAuthentication yes
RhostsRSAAuthentication no
# Remove this, cannot disable as of CVE-2016-10010, emits log message
UsePrivilegeSeparation yes
Step 2, it's the 21st Century now, so use keys.
# Use keys only, ban passwords:
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin no
PermitEmptyPasswords no
Consider these options:
# Run on some other port:
Port 1234
# Restrict user names, disable common attacks:
AllowUsers alice bob carol
AllowAgentForwarding no
X11Forwarding no
Running on a port other than 22 will more or less eliminate the zombie hordes of hammer bots, but disabling password auth altogether will achieve the same thing. Also consider a U2F auth gadget, e.g. Yubikey, or, better yet, a Nitrokey, which is fully open source.
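Steps 1 and 2 above are easy to get subtly wrong in a real sshd_config: sshd takes the first occurrence of a keyword, ignores case in keywords and yes/no values, and treats everything after a Match line as conditional rather than global, so a "PasswordAuthentication no" that only lives inside a Match block does not turn passwords off. The script below is an added example written for this page (not the wiki's own material, and not an OpenSSH tool): it audits a config file offline for the protocol-1 leftovers and the key-only settings listed above. The function names and the sample config are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the wiki page: offline audit of an sshd_config file
# against step 1 (no protocol-1 leftovers) and step 2 (keys only).
# Function names and the sample config are constructed for this example.
# Parsing rules mirrored here: keywords are case-insensitive, "Keyword value"
# and "Keyword=value" are both accepted, the FIRST occurrence of a keyword
# wins, and anything after a Match line is conditional rather than global.
# Include directives (OpenSSH 8.2+) are not followed.

# Print the effective global value of KEYWORD in FILE (empty if unset).
sshd_get() {   # usage: sshd_get FILE KEYWORD
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }                 # comment line
        NF == 0          { next }                 # blank line
        {
            k = $1; v = $2
            p = index(k, "=")                     # "Keyword=value" form
            if (p) { v = substr(k, p + 1); k = substr(k, 1, p - 1) }
            if (v == "=") v = $3                  # "Keyword = value" form
            k = tolower(k)
            if (k == "match") exit                # Match block begins: global scope ends
            if (k == key) { print v; exit }       # first occurrence wins
        }' "$1"
}

# Report findings for FILE, one per line. Returns 0 when clean, 1 otherwise.
# Unset keywords are reported too: compiled-in defaults differ between OpenSSH
# versions, so the hardened values should be explicit in the file.
audit_sshd_config() {   # usage: audit_sshd_config FILE
    file=$1; rc=0
    # Step 1: protocol-1-only options that should simply be deleted
    for opt in KeyRegenerationInterval ServerKeyBits RSAAuthentication RhostsRSAAuthentication; do
        if [ -n "$(sshd_get "$file" "$opt")" ]; then
            echo "REMOVE $opt (protocol 1 only, deprecated)"; rc=1
        fi
    done
    # Step 2: key-only settings, as "Keyword expected-value" pairs
    for pair in "Protocol 2" "PubkeyAuthentication yes" "PasswordAuthentication no" \
                "PermitRootLogin no" "PermitEmptyPasswords no"; do
        opt=${pair% *}; want=${pair#* }
        got=$(sshd_get "$file" "$opt" | tr 'A-Z' 'a-z')   # values are case-insensitive
        if [ "$got" != "$want" ]; then
            echo "SET    $opt $want (currently: ${got:-unset})"; rc=1
        fi
    done
    return $rc
}

# Constructed sample: PasswordAuthentication and PermitRootLogin are set only
# inside a Match block, so they do not count as global settings.
SAMPLE_SSHD_CONFIG='# constructed sample, not a real host config
Protocol 2
ServerKeyBits 1024
PubkeyAuthentication yes
Match Address 10.0.0.0/8
    PasswordAuthentication no
    PermitRootLogin no'

# Demo: write the sample to a temp file and audit it
# (on a real host: audit_sshd_config /etc/ssh/sshd_config).
tmp=$(mktemp); printf '%s\n' "$SAMPLE_SSHD_CONFIG" > "$tmp"
audit_sshd_config "$tmp" || echo "result: sshd_config needs attention"
rm -f "$tmp"
```

This is a file-level check meant for review before deployment or in CI; on the running host itself, `sshd -T` prints the fully resolved effective configuration (Include files and defaults applied) and is the authoritative place to confirm that PasswordAuthentication really is off.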
You can tar-pit hammer bots with fail2ban, or these two rules will just drop anyone failing to connect more than three times in 30 seconds:
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 30 --hitcount 3 -j DROP
References
- Boelen, M. "OpenSSH security and hardening" Linux Audit, July 2018.