Difference between revisions of "SSH"
From Jon's Wiki
(Created page with "Harden your SSH, consider these in your <tt>/etc/ssh/sshd_config</tt> file. PubkeyAuthentication yes PasswordAuthentication no PermitRootLogin no PermitEmptyPasswords no ...") |
|||
| Line 1: | Line 1: | ||
| − | + | To harden your SSH, step 1 is disable protocol v1 connections and remove any v1 only options. Most of these options are deprecated but are probably cluttering your auth log with deprecation warnings since on most distros they are still in the default <tt>/etc/ssh/sshd_config</tt> file. Ensure something like this: | |
| + | Protocol 2 | ||
| + | |||
| + | # Remove these options, they only apply to protocol 1: | ||
| + | KeyRegenerationInterval 3600 | ||
| + | ServerKeyBits 1024 | ||
| + | RSAAuthentication yes | ||
| + | RhostsRSAAuthentication no | ||
| + | |||
| + | # Remove this, cannot disable as of CVE-2016-10010, emits log message | ||
| + | UsePrivilegeSeparation yes | ||
| + | |||
| + | Step 2, it's the 21st Century now, so use keys. | ||
| + | |||
| + | # Use keys only, ban passwords: | ||
PubkeyAuthentication yes | PubkeyAuthentication yes | ||
PasswordAuthentication no | PasswordAuthentication no | ||
PermitRootLogin no | PermitRootLogin no | ||
PermitEmptyPasswords no | PermitEmptyPasswords no | ||
| + | |||
| + | Consider these options: | ||
| + | |||
| + | # Run on some other port: | ||
| + | Port 1234 | ||
| + | |||
| + | # Restrict user names, disable common attacks: | ||
AllowUsers alice bob carol | AllowUsers alice bob carol | ||
| + | AllowAgentForwarding no | ||
X11Forwarding no | X11Forwarding no | ||
| − | + | Running on a port other than 22 will more or less eliminate the zombie hoardes of hammer bots, but disabling password auth altogether will achieve the same thing. Also consider a U2F auth gadget, e.g. Yubikey, or probably [https://github.com/Yubico/ykneo-openpgp/issues/2#issuecomment-218446368 something else]. | |
| + | |||
| + | You can tar-pit hammer bots with fail2ban, or these two rules will just drop anyone failing to connect more than three times in 30 seconds: | ||
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set | iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set | ||
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 30 --hitcount 3 -j DROP | iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 30 --hitcount 3 -j DROP | ||
Revision as of 23:04, 27 December 2018
To harden your SSH, step 1 is disable protocol v1 connections and remove any v1 only options. Most of these options are deprecated but are probably cluttering your auth log with deprecation warnings since on most distros they are still in the default /etc/ssh/sshd_config file. Ensure something like this:
Protocol 2 # Remove these options, they only apply to protocol 1: KeyRegenerationInterval 3600 ServerKeyBits 1024 RSAAuthentication yes RhostsRSAAuthentication no # Remove this, cannot disable as of CVE-2016-10010, emits log message UsePrivilegeSeparation yes
Step 2, it's the 21st Century now, so use keys.
# Use keys only, ban passwords: PubkeyAuthentication yes PasswordAuthentication no PermitRootLogin no PermitEmptyPasswords no
Consider these options:
# Run on some other port: Port 1234 # Restrict user names, disable common attacks: AllowUsers alice bob carol AllowAgentForwarding no X11Forwarding no
Running on a port other than 22 will more or less eliminate the zombie hoardes of hammer bots, but disabling password auth altogether will achieve the same thing. Also consider a U2F auth gadget, e.g. Yubikey, or probably something else.
You can tar-pit hammer bots with fail2ban, or these two rules will just drop anyone failing to connect more than three times in 30 seconds:
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 30 --hitcount 3 -j DROP