Difference between revisions of "SSH"

From Jon's Wiki
m (Nitrokey)
Line 30 changed. Previous revision:

Running on a port other than 22 will more or less eliminate the zombie hordes of hammer bots, but disabling password auth altogether will achieve the same thing. Also consider a U2F auth gadget, e.g. Yubikey, or probably [https://github.com/Yubico/ykneo-openpgp/issues/2#issuecomment-218446368 something else].

This revision:

Running on a port other than 22 will more or less eliminate the zombie hordes of hammer bots, but disabling password auth altogether will achieve the same thing. Also consider a U2F auth gadget, e.g. Yubikey, or [https://github.com/Yubico/ykneo-openpgp/issues/2#issuecomment-218446368 better yet] Nitrokey, which is fully open source.
Revision as of 23:28, 27 December 2018

To harden your SSH, step 1 is to disable protocol v1 connections and remove any v1-only options. Most of these options are deprecated, but they are probably cluttering your auth log with deprecation warnings, since on most distros they are still in the default /etc/ssh/sshd_config file. Ensure something like this:

Protocol 2

# Remove these options, they only apply to protocol 1:
KeyRegenerationInterval 3600
ServerKeyBits 1024
RSAAuthentication yes
RhostsRSAAuthentication no

# Remove this: it cannot be disabled as of CVE-2016-10010 and only emits a log message
UsePrivilegeSeparation yes

Step 2: it's the 21st century now, so use keys.

# Use keys only, ban passwords:
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin no
PermitEmptyPasswords no

Consider these options:

# Run on some other port:
Port 1234

# Restrict user names, disable common attacks:
AllowUsers alice bob carol
AllowAgentForwarding no
X11Forwarding no
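The following is an added example, not part of Jon's Wiki: a small POSIX shell audit that checks an sshd_config against steps 1 and 2 above (v1-only directives absent, keys only, passwords and root login off, the restrictive options set). The function names, the two constructed sample configs and the rule that an unset directive counts as a finding are all my own assumptions; it handles plain "Directive value" lines only and ignores Match blocks.

```shell
#!/bin/sh
# Added example (not from Jon's Wiki): audit an sshd_config against the
# hardening checklist above. Findings go to stderr, the finding count to stdout.
# Assumption: plain "Directive value" lines; Match blocks are not handled.

# Effective value of a directive: last match wins, comment lines are skipped,
# directive names are case-insensitive. Prints nothing if the directive is unset.
sshd_get() {  # $1 = config file, $2 = directive name
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        NF >= 2 && tolower($1) == key { val = $2 }
        END { if (val != "") print val }
    ' "$1"
}

audit_sshd_config() {  # $1 = path to an sshd_config
    f=$1
    n=0
    # Step 1: protocol-1-only and deprecated directives should be gone entirely.
    for d in KeyRegenerationInterval ServerKeyBits RSAAuthentication \
             RhostsRSAAuthentication UsePrivilegeSeparation; do
        if [ -n "$(sshd_get "$f" "$d")" ]; then
            echo "REMOVE $d: protocol 1 only / deprecated" >&2
            n=$((n + 1))
        fi
    done
    # If Protocol is set at all it must be exactly 2 (not "2,1").
    p=$(sshd_get "$f" Protocol)
    if [ -n "$p" ] && [ "$p" != "2" ]; then
        echo "SET Protocol 2 (currently '$p')" >&2
        n=$((n + 1))
    fi
    # Step 2: keys only, no passwords, plus the restrictive options. Each must
    # be set explicitly: an unset directive counts as a finding because some
    # defaults (PasswordAuthentication in particular) are "yes".
    for pair in PubkeyAuthentication=yes PasswordAuthentication=no \
                PermitRootLogin=no PermitEmptyPasswords=no \
                AllowAgentForwarding=no X11Forwarding=no; do
        d=${pair%%=*}
        want=${pair#*=}
        have=$(sshd_get "$f" "$d")
        if [ "$have" != "$want" ]; then
            echo "SET $d $want (currently '${have:-unset}')" >&2
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Two constructed sample configs (not real hosts): a stock-looking legacy
# file and one that follows the checklist. Written into directory $1.
write_sample_configs() {
    cat > "$1/legacy.conf" <<'EOF'
# constructed example: un-hardened, still carrying protocol 1 leftovers
Protocol 2,1
KeyRegenerationInterval 3600
ServerKeyBits 1024
RSAAuthentication yes
RhostsRSAAuthentication no
UsePrivilegeSeparation yes
PubkeyAuthentication yes
PasswordAuthentication yes
PermitRootLogin yes
X11Forwarding yes
EOF
    cat > "$1/hardened.conf" <<'EOF'
# constructed example: follows the checklist above
Protocol 2
Port 1234
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin no
PermitEmptyPasswords no
AllowUsers alice bob carol
AllowAgentForwarding no
X11Forwarding no
EOF
}

# Stand-alone demo on the constructed configs.
tmp=$(mktemp -d)
write_sample_configs "$tmp"
echo "legacy.conf findings: $(audit_sshd_config "$tmp/legacy.conf")"
echo "hardened.conf findings: $(audit_sshd_config "$tmp/hardened.conf")"
rm -rf "$tmp"
```

Run it against the live file with `audit_sshd_config /etc/ssh/sshd_config` before restarting sshd; a non-zero count means something on the checklist is still missing. On a real host `sshd -T` gives the fully resolved configuration (including Match blocks and defaults) and can be fed to the same checks.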

Running on a port other than 22 will more or less eliminate the zombie hordes of hammer bots, but disabling password auth altogether will achieve the same thing. Also consider a U2F auth gadget, e.g. Yubikey, or better yet Nitrokey, which is fully open source.

You can tar-pit hammer bots with fail2ban, or these two rules will simply drop any source address that opens more than three new connections to port 22 within 30 seconds (they count connection attempts, not authentication failures; adjust --dport and -i if you moved the Port or use a different interface):

iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 30 --hitcount 3 -j DROP
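As an added example (not from Jon's Wiki), here is the log-side counterpart of the rate limit above: a POSIX shell/awk filter that reads sshd lines from auth.log and reports source addresses with at least N failed logins inside any W-second window, which is the kind of check fail2ban performs before it tar-pits a source. The function name and the sample log excerpt are my own constructions (RFC 5737 test addresses); it assumes chronological syslog-style lines and only counts "Failed password" entries.

```shell
#!/bin/sh
# Added example (not from Jon's Wiki): find sources with repeated failed
# sshd logins inside a sliding time window, fail2ban style.

# Constructed sample auth.log excerpt (not a real log). 203.0.113.5 fails
# three times in 11 seconds; 192.0.2.9 fails three times spread over 6 minutes.
SAMPLE_AUTH_LOG='Dec 27 23:28:01 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Dec 27 23:28:05 host sshd[1235]: Failed password for root from 203.0.113.5 port 51240 ssh2
Dec 27 23:28:12 host sshd[1236]: Failed password for invalid user test from 203.0.113.5 port 51250 ssh2
Dec 27 23:28:20 host sshd[1237]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2
Dec 27 23:29:00 host sshd[1238]: Failed password for invalid user oracle from 192.0.2.9 port 33000 ssh2
Dec 27 23:31:30 host sshd[1239]: Failed password for invalid user oracle from 192.0.2.9 port 33010 ssh2
Dec 27 23:35:00 host sshd[1240]: Failed password for invalid user pi from 192.0.2.9 port 33020 ssh2'

# Print each source address (once, in order of first detection) that has at
# least $2 failed logins within any $1-second window. Reads sshd log lines
# on stdin; year is ignored since windows are short and lines are chronological.
sshd_bruteforce_sources() {  # $1 = window in seconds, $2 = hit count
    awk -v window="$1" -v hits="$2" '
        BEGIN {
            split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            for (i = 1; i <= 12; i++) mon[m[i]] = i
        }
        # Only authentication failures count; accepted logins are ignored.
        / sshd\[[0-9]+\]: Failed password for / {
            split($3, t, ":")
            ts = ((mon[$1] * 31 + $2) * 24 + t[1]) * 3600 + t[2] * 60 + t[3]
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            n[ip]++
            stamp[ip, n[ip]] = ts
            if (!(ip in h)) h[ip] = 1
            # Slide the window: drop timestamps older than window seconds.
            while (stamp[ip, h[ip]] < ts - window) h[ip]++
            if (n[ip] - h[ip] + 1 >= hits && !(ip in flagged)) {
                flagged[ip] = ts
                print ip
            }
        }
    '
}

# Stand-alone demo: same thresholds as the iptables rules above.
printf '%s\n' "$SAMPLE_AUTH_LOG" | sshd_bruteforce_sources 30 3
```

On a real host run `sshd_bruteforce_sources 30 3 < /var/log/auth.log`. Note the asymmetry with the iptables rules: the kernel-side rate limit fires on new connections before any authentication happens, while this filter only sees failures that sshd actually logged, so once PasswordAuthentication is off the interesting lines become key-exchange and preauth disconnects rather than "Failed password".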