How to secure SSH Server

SSH (Secure Shell) is a secure remote-login protocol designed to replace the telnet, rlogin and rsh protocols, and it is now the standard way to log in to remote systems. A Linux administrator must lock down ssh connections so that authorized users can get in while unauthorized access is refused.


Disable root logins
Disabling root login via ssh is the first step in securing the ssh service: nobody can then log in directly as root (the superuser) from another network over ssh, while all other user accounts can still log in. Edit the server's ssh config file (the examples are based on RPM-based distributions such as Red Hat, CentOS and Fedora).
[root@server ~#]vi /etc/ssh/sshd_config
In the 42nd line, uncomment the directive and disable root login:
PermitRootLogin no
[root@server ~#]service sshd restart


Block access by ipaddress filtering 
[root@server ~#]vi /etc/ssh/sshd_config
#Add the allowed ipaddress or ipaddress range. (ListenAddress, the directive on the 15th line, only chooses the local address sshd binds to and does not accept a CIDR range, so a client filter has to use AllowUsers instead.)
AllowUsers *@192.168.10.0/24
(Here logins from 192.168.10.0 to 192.168.10.255 will be accepted and logins from all other addresses will be refused. Note that once an AllowUsers line exists, every user not matched by it is refused as well, so list all required user@host patterns.)
[root@server ~#]service sshd restart


Blocking unwanted access by iptables
It is possible to block unwanted access to ssh's port in iptables (the firewall). Add iptables rules that allow connections from the permitted ipaddress and reject all others.
Here I allow ssh connections on port 22/tcp only from the system 192.168.10.50.
Add the lines below to the "iptables" config file, above its final catch-all REJECT rule (rules are matched in order, so the ACCEPT must come first):
[root@server ~#]vi /etc/sysconfig/iptables
-A INPUT -s 192.168.10.50/255.255.255.255 -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 22 -j REJECT
#(the REJECT is limited to 22/tcp; a bare "-A INPUT -j REJECT" would drop every other incoming connection, not only ssh)
#(you can add more iptables rules to block unwanted accesses)
[root@server ~#]service iptables restart


Blocking unwanted access by hosts.allow file
[root@server ~#]vi /etc/hosts.allow
#Add the ipaddress allowed to access ssh, like below (add to the bottom)
sshd:192.168.10.100/255.255.255.255
#and finally block all other access in the "hosts.deny" file
[root@server ~#]vi /etc/hosts.deny
ALL:ALL                                               (add to bottom)
(hosts.allow is consulted before hosts.deny, so the sshd line above still wins. This only takes effect if sshd was built with tcp_wrappers (libwrap) support, which upstream OpenSSH removed in version 6.7; check with "ldd $(which sshd) | grep libwrap".)


Change default SSH Port number
Most automated ssh attacks target SSH's default port 22/tcp. Moving the SSH port from 22/tcp to a different port cuts down this background noise and adds a further layer to ssh security.
[root@server ~#]vi /etc/ssh/sshd_config
Uncomment the 13th line and change the port number:
Port 1500          (now the ssh server will listen on port 1500/tcp)
(On SELinux-enabled systems also register the new port with "semanage port -a -t ssh_port_t -p tcp 1500", and change the iptables rule above from --dport 22 to --dport 1500, before restarting, otherwise the restart will lock you out.)
[root@server ~#]service sshd restart


Disable TCP and X11 forwarding
Unless users need them, turn off port forwarding and X11 forwarding so the ssh server cannot be used to tunnel other TCP traffic or X11 sessions.
[root@server ~#]vi /etc/ssh/sshd_config
AllowTcpForwarding no
X11Forwarding no
#(save the ssh config file and restart ssh service)
[root@server ~#]service sshd restart
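To confirm that the sshd_config changes from the sections above (root login, port, forwarding) are actually in effect, here is an added audit script; it is not part of the original post. It assumes an OpenSSH-style sshd_config where the first uncommented occurrence of a directive wins, and checks only the global section before any Match block.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config for the
# settings hardened above. Exit status = number of failed checks (0 = all pass).

# Print the effective value of KEYWORD in FILE: sshd honours the first
# uncommented occurrence, and only the global section (before any "Match") counts.
effective_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }            # comments and blanks
        tolower($1) == "match"      { exit }            # end of global section
        tolower($1) == tolower(key) { print $2; exit }  # first match wins
    ' "$1" | tr 'A-Z' 'a-z'
}

# expect FILE KEYWORD WANTED: pass only when the directive is explicitly WANTED
expect() {
    got=$(effective_value "$1" "$2")
    if [ -n "$got" ] && [ "$got" = "$3" ]; then
        echo "PASS $2 = $got"
    else
        echo "FAIL $2 is '${got:-unset}', expected '$3'"
        return 1
    fi
}

# check_sshd_config FILE: run every check, return the failure count
check_sshd_config() {
    f="$1"; fails=0
    expect "$f" PermitRootLogin    no || fails=$((fails + 1))
    expect "$f" AllowTcpForwarding no || fails=$((fails + 1))
    expect "$f" X11Forwarding      no || fails=$((fails + 1))
    port=$(effective_value "$f" Port)      # unset means the default 22
    if [ -z "$port" ] || [ "$port" = 22 ]; then
        echo "FAIL Port is '${port:-unset}', sshd still listens on 22/tcp"
        fails=$((fails + 1))
    else
        echo "PASS Port = $port"
    fi
    return "$fails"
}

# Stand-alone run: audit the file given as $1, or a constructed sample
# (hardened global section plus an unrelated Match block) when none is given.
if [ -n "$1" ]; then
    check_sshd_config "$1"
else
    sample=$(mktemp)
    printf '%s\n' '#Port 22' 'Port 1500' 'PermitRootLogin no' \
        'AllowTcpForwarding no' 'X11Forwarding no' \
        'Match Address 192.168.10.0/24' '    X11Forwarding yes' > "$sample"
    check_sshd_config "$sample"; rm -f "$sample"
fi
```

Run it as "sh check_sshd.sh /etc/ssh/sshd_config" after each edit and before restarting sshd; a non-zero exit tells you how many of the four settings are still unhardened.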
