[CentOS] Securing SSH

Wed Mar 26 19:44:32 UTC 2008
mouss <mouss at netoyen.net>

Tim Alberts wrote:
> So I setup ssh on a server so I could do some work from home and I 
> think the second I opened it every sorry monkey from around the world 
> has been trying every account name imaginable to get into the system.
>
> What's a good way to deal with this?

- keep your ssh up to date.
- only enable protocol version 2
- disable root login
- create a group and only allow login to members of this group.
- the authorized users should have a strong password, if password 
authentication is enabled
- better not use logins that are the same as email addresses as these 
can be easily harvested and tried.
- use public key authentication
- depending on your situation, you can disable password authentication. 
however, make sure you don't lock yourself out. also, if your users need to 
connect from anywhere, they can't use a key (except if they have a usb 
key or the like)
- if possible, only allow access from a specific set of IPs/networks.
- "rate limit". you can use iptables recent module to catch multiple 
attempts.
- "punish". you can parse your logs and add offenders to a blacklist (to 
be used in iptables). denyhosts, fail2ban, ... can be used here. make 
sure not to lock yourself out. so always have a rule to allow access from 
some trusted IP before the rule that blocks access.
- you can restrict access to IPv6, IPSec or any VPN if you can always 
use these. but if you have a VPN, you may or may not need ssh.
- if you have multiple machines, consider allowing free access to only 
a few of these, and then use them as gateways. not very practical though.
- change the port. while this doesn't make your system more secure, your 
logs will become silent. This may not be practical (need to specify the 
port in scripts... etc). you can use two ports (using two Port 
statements in sshd_config) and have different configurations (only allow 
port 22 from specific networks for example).
- a log parser could run geoiplookup and add IPs to an iptables 
blacklist if they are in a "far away" country.
- you can add a "pre-authorization" mechanism: user must do something 
before trying to ssh. In these web days, a web form is both easy to 
setup and use (compare this to "port knocking", SPA, ...). One problem 
here is that you don't want to give the web user the ability to change 
your iptables configuration without extreme care.
- configure a banner so that your users get used to seeing it. if they 
connect and don't see your banner, they should alert you.

Note. if your users connect with passwords from "unsafe" places, 
keyloggers and the like can steal their login/password or their key file 
and passphrase.
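A minimal version of the "punish" step from the list above, as an added example that is not part of the original post or of denyhosts/fail2ban: it counts failed sshd logins per source IP in constructed /var/log/secure-style lines, skips a trusted network so the admin cannot be locked out, and emits iptables rules with the trusted ACCEPT rule ahead of the DROP rules. The threshold, the trusted network and the log lines are assumptions chosen for the example.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample lines in the style of sshd entries in /var/log/secure (not real data).
SAMPLE_LOG = """\
Mar 26 19:40:01 host sshd[2001]: Failed password for invalid user oracle from 203.0.113.5 port 40122 ssh2
Mar 26 19:40:03 host sshd[2002]: Failed password for invalid user test from 203.0.113.5 port 40130 ssh2
Mar 26 19:40:05 host sshd[2003]: Failed password for root from 203.0.113.5 port 40140 ssh2
Mar 26 19:40:07 host sshd[2004]: Invalid user admin from 203.0.113.5
Mar 26 19:40:09 host sshd[2005]: Failed password for invalid user guest from 203.0.113.5 port 40150 ssh2
Mar 26 19:41:00 host sshd[2006]: Failed password for alice from 192.0.2.10 port 51000 ssh2
Mar 26 19:41:02 host sshd[2007]: Accepted publickey for alice from 192.0.2.10 port 51001 ssh2
Mar 26 19:42:00 host sshd[2008]: Failed password for invalid user bob from 198.51.100.7 port 33000 ssh2
"""

# Matches the two common failure messages and captures the source IPv4 address.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: (?:Failed password for|Invalid user) .*?from (\d+\.\d+\.\d+\.\d+)"
)

def count_failures(log_text):
    """Return a Counter of failed-login events keyed by source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def offenders(counts, threshold, trusted):
    """IPs at or above the threshold, excluding anything inside a trusted network."""
    trusted_nets = [ip_network(t) for t in trusted]
    result = []
    for ip, n in counts.items():
        if n < threshold:
            continue
        if any(ip_address(ip) in net for net in trusted_nets):
            continue  # never blacklist a trusted source, even if it tripped the threshold
        result.append(ip)
    return sorted(result)

def iptables_rules(offender_ips, trusted, port=22):
    """Trusted ACCEPT rules are emitted first so the DROP rules cannot lock the admin out."""
    rules = [f"iptables -A INPUT -p tcp --dport {port} -s {t} -j ACCEPT" for t in trusted]
    rules += [f"iptables -A INPUT -p tcp --dport {port} -s {ip} -j DROP" for ip in offender_ips]
    return rules

if __name__ == "__main__":
    bad = offenders(count_failures(SAMPLE_LOG), threshold=3, trusted=["192.0.2.0/24"])
    print("\n".join(iptables_rules(bad, ["192.0.2.0/24"])))
```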