SSH Default Settings
While the SSH daemon is secure enough for most people, some may wish to further enhance their security by changing certain sshd settings. Some settings which can be changed to enhance security are given here. All changes, unless otherwise stated, are made in the /etc/ssh/sshd_config file. Lines beginning with a pound sign (#) are comments and are ignored by sshd. To edit this file from a terminal:
sudo vi /etc/ssh/sshd_config
For a Gnome editor, press Alt+F2 and use:
gksudo gedit /etc/ssh/sshd_config
For a KDE editor, press Alt+F2 and use:
kdesu kate /etc/ssh/sshd_config
Please remember, after making any changes, sshd must be restarted, which can be done from the terminal with this command:
sudo /etc/init.d/ssh restart
SSH Root Login
By default, the SSH daemon ships with remote root logins enabled. This is a potential security risk, and so should be disabled. To disable root login, edit the /etc/ssh/sshd_config file and replace the following line:
PermitRootLogin yes
with this line:
PermitRootLogin no
SSH Login Grace Time
The login grace time is the period during which a client may remain connected without having authenticated. By default, sshd will allow a connected client to wait for 120 seconds (2 minutes) before it must authenticate. A long grace time can be used to conduct a Denial of Service (DoS) or a brute force attack against a running SSH daemon. A more reasonable setting is 20 seconds. To change this, replace this line:
LoginGraceTime 120
with this line:
LoginGraceTime 20
SSH Welcome Banner
The SSH daemon will allow a message to be displayed to users attempting to log in to the SSH server. To enable login messages, remove the pound sign from this line:
#Banner /etc/issue.net
so it looks like this:
Banner /etc/issue.net
Now, edit /etc/issue.net and place a warning to unauthorized users. The following is taken from the Advanced OpenSSH page and is modified from a U.S. Department of Defense warning banner.
************************************************************************
NOTICE TO USERS
This computer system is the private property of its owner, whether
individual, corporate or government. It is for authorized use only.
Users (authorized or unauthorized) have no explicit or implicit
expectation of privacy.
Any or all uses of this system and all files on this system may be
intercepted, monitored, recorded, copied, audited, inspected, and
disclosed to your employer, to authorized site, government, and law
enforcement personnel, as well as authorized officials of government
agencies, both domestic and foreign.
By using this system, the user consents to such interception, monitoring,
recording, copying, auditing, inspection, and disclosure at the
discretion of such personnel or officials. Unauthorized or improper use
of this system may result in civil and criminal penalties and
administrative or disciplinary action, as appropriate. By continuing to
use this system you indicate your awareness of and consent to these terms
and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the
conditions stated in this warning.
************************************************************************
Once this is in place, restart sshd and all users will see this warning before they get the login prompt.
SSH Allowed Users
By default, SSH will permit every user with an account to attempt to log in. To prevent this, you can use the AllowUsers directive. To do this, add a line like this in your sshd configuration file:
AllowUsers jsmith tallen
The AllowUsers directive is the list of all users that are allowed to log in through SSH. If you have a large number of users, or you intend to have a changing list of users, you can also use the AllowGroups directive and create a group specifically for users allowed to log in through SSH. You can add a group for this purpose with this command:
sudo addgroup sshlogin
Using the example name of 'sshlogin', you would then add this line to your sshd configuration file:
AllowGroups sshlogin
After you restart sshd, only users in the AllowUsers list (or users who are members of the 'sshlogin' group if you chose that method instead) will be allowed to log in through SSH.
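The following checker, added here as an example and not part of the original page, reads an sshd_config and reports which of the settings discussed above (PermitRootLogin, LoginGraceTime, Banner, AllowUsers/AllowGroups) are still at their "before" state. It follows sshd's own parsing rules: keywords are case-insensitive, '#' lines are comments, 'Key=value' is accepted, the first occurrence of a keyword wins, and lines after a Match block are conditional, so only the global section is audited. The sample configs are constructed for illustration.

```python
"""Audit an sshd_config for the settings discussed on this page (example code)."""
from typing import Dict, List

# Values the page recommends; AllowUsers/AllowGroups is checked for presence only.
RECOMMENDED = {"permitrootlogin": "no", "logingracetime": "20", "banner": "/etc/issue.net"}


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return the effective global keyword -> value map.

    sshd keywords are case-insensitive, '#' lines are comments, values may be
    given as 'Key value' or 'Key=value', and the FIRST occurrence of a keyword
    wins. Lines after a Match block apply only inside it, so parsing stops there.
    """
    effective: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if parts[0].lower() == "match":
            break
        if len(parts) != 2:
            continue
        effective.setdefault(parts[0].lower(), parts[1].strip())
    return effective


def audit(text: str) -> List[str]:
    """Return findings for settings not matching the page's recommendations; [] means all met."""
    cfg = parse_sshd_config(text)
    findings = []
    for key, want in RECOMMENDED.items():
        got = cfg.get(key)
        if got is None:
            findings.append(f"{key}: not set, compiled-in default applies (want {want})")
        elif got.lower() != want.lower():  # time suffixes such as '2m' are not normalised
            findings.append(f"{key}: is {got}, want {want}")
    if "allowusers" not in cfg and "allowgroups" not in cfg:
        findings.append("allowusers/allowgroups: neither set, every account may log in")
    return findings


# Constructed samples: a stock-looking config and one with the page's changes applied.
SAMPLE_DEFAULT = "Port 22\nPermitRootLogin yes\nLoginGraceTime 120\n#Banner /etc/issue.net\n"
SAMPLE_HARDENED = ("PermitRootLogin no\nLoginGraceTime 20\nBanner /etc/issue.net\n"
                   "AllowGroups sshlogin\nMatch User backup\n    PermitRootLogin yes\n")

if __name__ == "__main__":
    for name, sample in (("default", SAMPLE_DEFAULT), ("hardened", SAMPLE_HARDENED)):
        print(name, audit(sample) or ["ok"])
```

To run it against a live system, pass the contents of /etc/ssh/sshd_config to audit(); an empty list means every recommendation on this page is already in place.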