Introduction

  • Linux servers can be accessed remotely using the SSH protocol.
  • The SSH protocol uses port number 22 by default.
  • OpenSSH is the open-source implementation of SSH (Secure Shell) that ships with Linux servers and lets us make a secure, encrypted connection.
  • Securing the OpenSSH server is a very important security concern, as it is the entry point into the server.

SSH Hardening Steps

In this blog post, we will go through the options available to harden the OpenSSH server.

1) Passwordless Authentication for SSH

By default, SSH requires a password to log in. By brute-forcing the login or using password-cracking tools, attackers can recover the password and gain access to the server.

To avoid this, we have to disable password-based authentication for SSH.

Log in to the server and open the config file:

vi /etc/ssh/sshd_config

Search for the PasswordAuthentication directive, uncomment it and change the value from yes to no.

Save and close the file, then restart the SSH service:

systemctl restart sshd
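The brute-force attempts described above are recorded by the SSH daemon as "Failed password" lines in the auth log. The script below is an added example (not part of the original post) that counts those lines per source address, so an attack is visible in the logs before it is stopped by the configuration change. It assumes a POSIX shell with awk and sort; the log lines in sample_auth_log are constructed samples in sshd's own log format, using documentation-range addresses, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): count failed SSH password logins per
# source address, the brute-force activity that disabling PasswordAuthentication stops.
# Assumes POSIX sh with awk and sort. The log lines below are CONSTRUCTED samples.

# sample_auth_log: prints constructed log lines in the format sshd writes to auth.log.
sample_auth_log() {
    cat <<'EOF'
Mar  3 10:15:01 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 10:15:03 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 10:15:04 web1 sshd[2203]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar  3 10:15:09 web1 sshd[2210]: Accepted publickey for alice from 198.51.100.7 port 50022 ssh2: ED25519 SHA256:constructedfingerprint
Mar  3 10:16:30 web1 sshd[2215]: Failed password for bob from 192.0.2.9 port 40010 ssh2
Mar  3 10:16:31 web1 sshd[2215]: Accepted password for bob from 192.0.2.9 port 40010 ssh2
EOF
}

# failed_logins_by_source LOGFILE
# Prints "<count> <source address>" for every address with failed password attempts,
# most active first. Only sshd's "Failed password" lines are counted, so key-based
# logins and successful password logins are ignored.
failed_logins_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password for / {
            # the source address is the token right after "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { hits[$(i + 1)]++; break }
         }
         END { for (ip in hits) print hits[ip], ip }' "$1" | sort -rn
}

# top_source LOGFILE: the single busiest address (e.g. for an alert or a block list).
top_source() {
    failed_logins_by_source "$1" | head -n 1 | awk '{ print $2 }'
}

# Demo on the constructed sample: run as "sh thisfile.sh --demo".
if [ "${1:-}" = "--demo" ]; then
    log=$(mktemp)
    sample_auth_log > "$log"
    failed_logins_by_source "$log"
    rm -f "$log"
fi
```

On a real host, point failed_logins_by_source at /var/log/auth.log (or at the output of journalctl -u ssh) instead of the sample; once password authentication is off, these lines stop appearing and any that remain point at a host where the change has not been applied.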

2) Using the more secure SSH protocol

SSH has two versions: SSH protocol 1 and SSH protocol 2.

Due to its stronger cryptographic integrity check and encryption, SSH protocol 2 is far more secure than SSH protocol 1.

To make sure only SSH protocol 2 is used, open the sshd_config file and add the following line:

Protocol 2

For the change to take effect, restart the SSH service.

3) Custom port for SSH

By default, SSH listens on port 22, which is widely known to attackers.

Using scanning tools, they can find port 22 and launch brute-force attacks against it.

To avoid this, we can move SSH to a custom port number.

Edit the SSH config file:

vi /etc/ssh/sshd_config

Uncomment the Port directive and change the port from 22 to any other unused port you prefer.

As always, restart the SSH service for the change to take effect.

4) Timeout for SSH Connections

This is the amount of time an SSH session is allowed to stay idle; once the timeout is reached, the SSH connection is terminated.

By default, this option is disabled. We will edit the SSH config and set the idle connection timeout to 300 seconds.

To enable it, edit the sshd_config file.

Uncomment the ClientAliveInterval directive and change the value from 0 to 300.

Save and close the file.

Restart the SSH service for the change to take effect.

5) Forbid the use of empty passwords

Linux user accounts can exist without a password.

When such a user connects over SSH, no password is needed to access the server either.

This is a security risk, so we have to forbid the use of empty passwords.

To disable the use of empty passwords, edit the sshd_config file, uncomment the PermitEmptyPasswords directive and set its value to no.

Save and close the file.

Restart the SSH service for the change to take effect.

6) Enable two-factor authentication for SSH

Enabling a two-factor authentication mechanism for SSH takes security to the next level.

During SSH login, you will be asked to enter the 6-digit security code shown in the Authenticator app.

First, install the Google Authenticator PAM module using the command below:

apt-get install libpam-google-authenticator

The next step is to generate the secret keys using the google-authenticator PAM module that was just installed.

Enter the command below to generate the secret keys:

google-authenticator

The command asks a few questions; answer them with yes.

Finally, we have to configure SSH to accept MFA (Google PAM authentication).

Open the file /etc/pam.d/sshd and add the line below at the end of the file:

auth required pam_google_authenticator.so

Save and close the file.

We also have to configure the SSH daemon to accept Google Authenticator.

Open the /etc/ssh/sshd_config file and change the value of the ChallengeResponseAuthentication directive to yes.

Save and close the file.

Restart the SSH service for the changes to take effect:

systemctl restart sshd

Conclusion

We have learned how to harden the SSH server.

Following the above best practices will help prevent SSH attacks on Linux systems.