 
An ssh server is the most common way to access a server that is connected to the internet. With the standard ssh configuration, everybody who knows or guesses a user id and password can access the server. If the attacker succeeds in getting root access, the server is compromised and will be used as an ftp server, DoS client, mail spam sender and so on, and the owner of the server is liable for any activities of the attacker. That's awkward and can become quite expensive. The following page describes how to modify the sshd config file to make the ssh server secure and protect it against these attacks.

 That's why you have to think carefully about how you protect your server when you set it up on the internet.


The following configuration is mandatory:
  1. Disable root access with ssh.
  2. Allow access with ssh keys only. Otherwise make sure that only secure passwords are used.
  3. Reduce access to a minimum.
  4. Deny ssh attacks.
The following sshd_config parameters should be used:
  1. PermitRootLogin no
  2. Protocol 2
  3. AllowGroups users
  4. AllowUsers xxx yyy zzz, where xxx, yyy and zzz are the users who are allowed to access the system with ssh
  5. ClientAliveInterval 15
  6. LoginGraceTime 10
  7. PubkeyAuthentication yes
  8. PasswordAuthentication no
  9. MaxAuthTries 3
  10. MaxStartups 1
  11. PrintLastLog yes
  12. KeepAlive no
See my sshd_config as an example.
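As an added example (not the author's sshd_config and not part of the original page), the following POSIX shell script audits an existing sshd_config against the parameters listed above. It assumes the plain "Keyword value" syntax, ignores Match blocks, and applies sshd's rule that the first occurrence of a keyword wins; the AllowUsers and AllowGroups values are site-specific, so the script only checks that they are present. Without an argument it audits a constructed sample file (the sample port 2222 is an assumption, standing in for the "xx" above). Two caveats for current OpenSSH releases: only protocol 2 still exists, so the Protocol line has no effect, and KeepAlive is the older spelling of TCPKeepAlive.

```shell
#!/bin/sh
# Added example: audit an sshd_config file against the hardening values
# listed on this page. Prints one line per parameter and returns non-zero
# if any parameter is missing or set to a different value.
# Assumption: plain "Keyword value" syntax; Match blocks are not handled.

# Expected settings. AllowUsers/AllowGroups are checked for presence only.
SSHD_EXPECTED="PermitRootLogin=no
Protocol=2
PubkeyAuthentication=yes
PasswordAuthentication=no
MaxAuthTries=3
MaxStartups=1
LoginGraceTime=10
ClientAliveInterval=15
PrintLastLog=yes
KeepAlive=no"

# sshd_get FILE KEYWORD -> prints the effective value: first match wins
# (as in sshd), keyword compared case-insensitively, comments skipped.
sshd_get() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }
        /^[ \t]*$/ { next }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# audit_sshd_config FILE -> 0 if all expected settings hold, 1 otherwise.
audit_sshd_config() {
    file="$1"
    failed=0
    for kv in $SSHD_EXPECTED; do
        key="${kv%%=*}"
        want="${kv#*=}"
        have="$(sshd_get "$file" "$key")"
        if [ -z "$have" ]; then
            echo "MISSING  $key (want $want)"
            failed=1
        elif [ "$have" != "$want" ]; then
            echo "WRONG    $key=$have (want $want)"
            failed=1
        else
            echo "OK       $key=$have"
        fi
    done
    for key in AllowUsers AllowGroups; do
        if [ -z "$(sshd_get "$file" "$key")" ]; then
            echo "MISSING  $key (restrict who may log in)"
            failed=1
        fi
    done
    return $failed
}

# write_sample_config PATH: constructed sample sshd_config (not a real
# server's file) that follows the list on this page.
write_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample sshd_config
Port 2222
Protocol 2
PermitRootLogin no
AllowGroups users
AllowUsers alice bob
ClientAliveInterval 15
LoginGraceTime 10
PubkeyAuthentication yes
PasswordAuthentication no
MaxAuthTries 3
MaxStartups 1
PrintLastLog yes
KeepAlive no
EOF
}

# Usage: ./audit_sshd.sh /etc/ssh/sshd_config
# Without an argument, audit the constructed sample instead.
if [ $# -ge 1 ]; then
    audit_sshd_config "$1"
else
    sample="${TMPDIR:-/tmp}/sshd_config.sample.$$"
    write_sample_config "$sample"
    audit_sshd_config "$sample"
    rm -f "$sample"
fi
```

Run it against the live file after every change; a non-zero exit means at least one of the listed parameters is missing or weakened. The static check complements, but does not replace, restarting sshd and confirming the effective settings on the running daemon.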
 
Use the following procedures to reject ssh attacks:
  1. Install http://denyhosts.sourceforge.net/. This blocks all IPs that launch ssh attacks.
  2. Use port xx, where xx is an unused port. That way all the script kiddies are unsuccessful.
  3. Add the following lines to SuSEfirewall2-custom. They delay all ssh attacks and make them useless. Note that iptables -I inserts each rule at the top of the chain, so the DROP rule must be inserted before the LOG rule: the LOG rule then ends up above the DROP rule and is evaluated first (with a DROP rule above it, the LOG rule would never be reached):
    iptables -I INPUT -p tcp --dport 4 -m state --state NEW -m recent --set --name SSH
    iptables -I INPUT -p tcp --dport 4 -m state --state NEW -m recent --update --seconds 1200 --hitcount 2 --rttl --name SSH -j DROP
    iptables -I INPUT -p tcp --dport 4 -m state --state NEW -m recent --update --seconds 1200 --hitcount 2 --rttl --name SSH -j LOG --log-prefix SSH_brute_force

  4. Create a VPN. That way the ssh port is not visible and accessible.
  5. Use hosts.allow/hosts.deny
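Items 1 and 5 above both come down to the same defender-side loop: count failed logins per source address in the sshd log and block the worst offenders. As an added example (not DenyHosts' code and not part of the original page), the following POSIX shell script does a simplified version of that by hand: it counts "Failed password for ... from IP" lines in OpenSSH's syslog output per source address and prints hosts.deny entries for sources at or above a threshold. It assumes the standard OpenSSH log line format; the sample log lines are constructed and use RFC 5737 documentation addresses.

```shell
#!/bin/sh
# Added example: count failed sshd password logins per source IP and emit
# hosts.deny entries for sources at or above a threshold.
# Assumption: OpenSSH's syslog line format
#   "... sshd[PID]: Failed password for [invalid user] NAME from IP port N ssh2"

# ssh_failed_by_ip LOGFILE [THRESHOLD] -> lines "COUNT IP", highest count
# first, for every source with at least THRESHOLD (default 3) failures.
ssh_failed_by_ip() {
    awk -v th="${2:-3}" '
        /sshd\[[0-9]+\]: Failed password for / {
            rest = $0
            sub(/.* from /, "", rest)   # keep the text after the last " from "
            split(rest, f, " ")         # f[1] is the source address
            n[f[1]]++
        }
        END { for (ip in n) if (n[ip] >= th) print n[ip], ip }
    ' "$1" | sort -rn
}

# ssh_hosts_deny_lines LOGFILE [THRESHOLD] -> "sshd: IP" lines suitable for
# appending to /etc/hosts.deny. Review the list before applying it so that
# your own management addresses are never denied.
ssh_hosts_deny_lines() {
    ssh_failed_by_ip "$1" "${2:-3}" | awk '{ print "sshd: " $2 }'
}

# write_sample_authlog PATH: constructed sample log lines for a demo run
# (not a real log; addresses are from the RFC 5737 documentation ranges).
write_sample_authlog() {
    cat > "$1" <<'EOF'
Mar  3 10:01:02 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 40212 ssh2
Mar  3 10:01:05 host sshd[1235]: Failed password for root from 203.0.113.5 port 40213 ssh2
Mar  3 10:01:09 host sshd[1236]: Failed password for invalid user test from 203.0.113.5 port 40214 ssh2
Mar  3 10:02:00 host sshd[1240]: Accepted publickey for alice from 198.51.100.7 port 51022 ssh2
Mar  3 10:02:30 host sshd[1241]: Failed password for bob from 198.51.100.7 port 51023 ssh2
Mar  3 10:03:00 host sshd[1242]: Connection closed by 192.0.2.9 port 33001 [preauth]
EOF
}

# Usage: ./ssh_failures.sh /var/log/auth.log [threshold]
# Without arguments, run against the constructed sample log.
if [ $# -ge 1 ]; then
    ssh_hosts_deny_lines "$1" "${2:-3}"
else
    sample="${TMPDIR:-/tmp}/auth.log.sample.$$"
    write_sample_authlog "$sample"
    ssh_failed_by_ip "$sample" 3
    ssh_hosts_deny_lines "$sample" 3
    rm -f "$sample"
fi
```

On the sample log only 203.0.113.5 reaches three failures, so it is the only address printed; the single failure from 198.51.100.7 (a legitimate user mistyping a password) stays below the threshold. With the PasswordAuthentication no setting from the list above, every such "Failed password" line is already a rejected attempt, so this count is a measure of who is probing the server rather than of who got in.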
 