Difference between revisions of "SSH"

From Jon's Wiki
(Created page with "Harden your SSH, consider these in your <tt>/etc/ssh/sshd_config</tt> file. PubkeyAuthentication yes PasswordAuthentication no PermitRootLogin no PermitEmptyPasswords no ...")
Revision as of 23:04, 27 December 2018

To harden your SSH, step 1 is to disable protocol v1 connections and remove any v1-only options. Most of these options are deprecated, but they are probably cluttering your auth log with deprecation warnings, since on most distros they still appear in the default /etc/ssh/sshd_config file. Ensure something like this:

Protocol 2

# Remove these options, they only apply to protocol 1:
KeyRegenerationInterval 3600
ServerKeyBits 1024
RSAAuthentication yes
RhostsRSAAuthentication no

# Remove this: since the fix for CVE-2016-10010 it cannot be disabled, and setting it only emits a log message
UsePrivilegeSeparation yes

Step 2, it's the 21st Century now, so use keys.

# Use keys only, ban passwords:
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin no
PermitEmptyPasswords no

Consider these options:

# Run on some other port:
Port 1234

# Restrict which accounts may log in, and disable forwarding features that are commonly abused:
AllowUsers alice bob carol
AllowAgentForwarding no
X11Forwarding no
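The two config blocks above describe what a hardened global section should contain. The following script is an added example (my own, not from this wiki page) that audits a given sshd_config against exactly that advice: it flags protocol 1 leftovers, compares the key/password/root/forwarding settings with the recommended values (falling back to sshd's compiled-in defaults when a keyword is absent, which is an assumption about current OpenSSH releases), and suggests an AllowUsers list. Parsing assumptions, also mine: "Keyword value" syntax only (no "Keyword=value"), the first occurrence of a keyword wins as sshd_config(5) documents, and anything after a Match line is ignored because only the global section is audited. The two sample configs are constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the wiki page: audit an sshd_config file against the
# settings recommended above. Constructed sample configs are created below so
# the script runs stand-alone; point audit_sshd_config at /etc/ssh/sshd_config
# for the real thing.

# Effective global value (first value token) of KEYWORD in FILE, empty if unset.
# First occurrence wins, as sshd_config(5) documents; Match blocks are skipped.
sshd_opt() {  # usage: sshd_opt FILE KEYWORD
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        NF == 0 || $1 ~ /^#/   { next }             # blank lines and comments
        tolower($1) == "match" { exit }             # global section ends here
        tolower($1) == key     { print $2; exit }   # first occurrence wins
    ' "$1"
}

# Options that only applied to protocol 1 (or, for UsePrivilegeSeparation, can
# no longer be turned off) and now just produce warnings in the auth log.
V1_ONLY="KeyRegenerationInterval ServerKeyBits RSAAuthentication RhostsRSAAuthentication UsePrivilegeSeparation"

# Keyword, sshd's compiled-in default (assumption: current OpenSSH), and the
# value recommended on this page.
SPEC='PubkeyAuthentication yes yes
PasswordAuthentication yes no
PermitRootLogin prohibit-password no
PermitEmptyPasswords no no
AllowAgentForwarding yes no
X11Forwarding no no'

# Print one line per finding; prints nothing when the file follows the advice.
audit_sshd_config() {  # usage: audit_sshd_config FILE
    file=$1
    case "$(sshd_opt "$file" Protocol)" in
        *1*) echo "fix: Protocol must be 2 only (protocol 1 is still enabled)" ;;
    esac
    for k in $V1_ONLY; do
        [ -n "$(sshd_opt "$file" "$k")" ] && echo "remove: $k (protocol 1 / obsolete option)"
    done
    while read -r k def want; do
        have=$(sshd_opt "$file" "$k")
        eff=$(printf '%s' "${have:-$def}" | tr 'A-Z' 'a-z')   # absent => default applies
        [ "$eff" = "$want" ] || echo "set: $k $want (effective value is $eff)"
    done <<EOF
$SPEC
EOF
    [ -n "$(sshd_opt "$file" AllowUsers)" ] || echo "consider: AllowUsers <explicit list of accounts>"
    return 0
}

# Exit status 0 when nothing needs changing, 1 otherwise (handy from cron).
sshd_config_is_hardened() {  # usage: sshd_config_is_hardened FILE
    [ -z "$(audit_sshd_config "$1")" ]
}

# Constructed samples: a stock-looking file with v1 leftovers and passwords
# still allowed, and the same host after applying the advice above.
BAD_CFG=$(mktemp) ; GOOD_CFG=$(mktemp)
trap 'rm -f "$BAD_CFG" "$GOOD_CFG"' EXIT
cat > "$BAD_CFG" <<'EOF'
# default-ish config shipped by an old distro package (constructed sample)
Protocol 2,1
KeyRegenerationInterval 3600
ServerKeyBits 1024
RSAAuthentication yes
UsePrivilegeSeparation yes
PubkeyAuthentication yes
PermitRootLogin yes
X11Forwarding yes
EOF
cat > "$GOOD_CFG" <<'EOF'
# hardened per the page (constructed sample)
Protocol 2
Port 1234
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin no
PermitEmptyPasswords no
AllowUsers alice bob carol
AllowAgentForwarding no
X11Forwarding no
EOF

echo "== findings for the unhardened sample =="
audit_sshd_config "$BAD_CFG"
echo "== findings for the hardened sample (expect none) =="
audit_sshd_config "$GOOD_CFG"
```

Running it prints ten findings for the first sample (the protocol line, four obsolete options, three settings that differ from the recommendation, one that is still at its permissive default, and the missing AllowUsers list) and none for the second. Because a keyword that is absent is judged by its default, the script does not nag about PermitEmptyPasswords or X11Forwarding merely for being unstated, but it does flag PasswordAuthentication and AllowAgentForwarding, whose defaults are the permissive value.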

Running on a port other than 22 will more or less eliminate the zombie hordes of hammer bots, but disabling password auth altogether will achieve the same thing. Also consider a U2F auth gadget, e.g. a YubiKey, or probably something else (https://github.com/Yubico/ykneo-openpgp/issues/2#issuecomment-218446368).

You can tar-pit hammer bots with fail2ban, or these two rules alone will drop anyone who fails to connect more than three times in 30 seconds:

iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 30 --hitcount 3 -j DROP
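Two practical points about the pair of rules above are easy to miss: both use "-I INPUT", which inserts at the top of the chain, so the rule you run second ends up first, which is the order you want (check, then record); and re-running them appends duplicate copies. The wrapper below is an added example (my own, not from the wiki page) that keeps the rules exactly as written but parameterises the port and interface so "--dport" stays in step with whatever Port you chose in sshd_config, and guards each insertion with "iptables -C" so it is safe to run repeatedly. Nothing touches the live firewall unless "--apply" is given; by default it only prints the commands it would run. Note that "-m recent" counts new TCP connections, not failed logins, so an address that opens several sessions in quick succession is rate-limited whether or not it authenticates.

```shell
#!/bin/sh
# Added example, not from the wiki page: an idempotent, parameterised wrapper
# around the two tar-pit rules shown above. Dry run by default; pass --apply
# as the third argument to execute the commands (needs root).

# Print the commands in the order the page runs them. Because each uses
# "-I INPUT", the DROP check (run second) lands at position 1 and the --set
# rule at position 2, so every new connection is checked before it is recorded.
ssh_tarpit_rules() {  # usage: ssh_tarpit_rules PORT IFACE
    port=$1 ; iface=$2
    match="INPUT -p tcp --dport $port -i $iface -m state --state NEW -m recent"
    # record the source address of every new connection (page's first rule)
    printf 'iptables -C %s --set 2>/dev/null || iptables -I %s --set\n' "$match" "$match"
    # drop and refresh the timer once an address has been seen 3 times in 30 s (page's second rule)
    printf 'iptables -C %s --update --seconds 30 --hitcount 3 -j DROP 2>/dev/null || iptables -I %s --update --seconds 30 --hitcount 3 -j DROP\n' "$match" "$match"
}

# Show the commands, or run them when the third argument is --apply.
ssh_tarpit() {  # usage: ssh_tarpit PORT IFACE [--apply]
    if [ "$3" = "--apply" ]; then
        ssh_tarpit_rules "$1" "$2" | sh -e
    else
        ssh_tarpit_rules "$1" "$2"
    fi
}

# Dry run for the port used in the sshd_config example above.
ssh_tarpit 1234 eth0
```

Run "ssh_tarpit 1234 eth0 --apply" as root once you are satisfied with the printed commands; a second run is a no-op because each "iptables -C" check succeeds. Remember to change the port argument if you later move sshd again, and that blocking before authentication means a mistyped key or a script opening connections in a loop will lock the legitimate source out for 30 seconds as well.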