SSH Hardening

SSH (Secure Shell) is a popular tool in the community. It was created by the FreeBSD project as a fork of Björn Grönvall's OSSH with extensive code modifications. It is used for secure remote administration: with this tool you can perform tasks as if you were physically at the box. Unlike Telnet, SSH makes use of the OpenSSL libraries to provide strong encryption, keeping prying eyes from peeking at the data passing between you and your server.

OpenSSH is available on most Linux systems by default and can easily be obtained as source from www.openssh.com. You can also install it using the popular yum and apt package tools. I use Ubuntu. To install the OpenSSH client and daemon on Ubuntu we would issue the following command:

sudo apt-get install openssh-server openssh-client

Now that we have the OpenSSH tools and server suite installed, let's go over the important files that have been installed, starting with the configuration directory. All the configuration files are located in /etc/ssh, and in that directory we will see a list of files.

First, let's look at /etc/ssh/ssh_config.

IdentityFile – An important variable that tells ssh where to look for key files.
Protocol – This is the version of the openssl protocol to use.
Cipher – The default encryption cipher ssh will use when connecting to other SSH servers.
Ciphers – The available encryption ciphers that ssh should use.
ConnectTimeout – How many seconds ssh should wait before giving up on making a connection.
CheckHostIP – Tells ssh whether or not to check the server's IP against the known_hosts file.
ForwardX11 – This option is for forwarding X11 sessions. (X11 is the graphical desktop system Linux uses; this can be used for encrypting remote desktop sessions.)
PasswordAuthentication – Do we want to use passwords by default, or strictly require SSH keys? (A key is a file that replaces the need for a password and is considered more secure.)
RSAAuthentication – Enables the use of keys. If you have generated an SSH key for a server you have access to, this option allows ssh to automagically use the key before prompting for a password.
ForwardAgent – If you enter your password via ssh-add on one machine, then ssh to another machine that accepts that key, you should be able to ssh on to a third machine that also accepts the key without ever entering your password again.

Now let's look at /etc/ssh/sshd_config.
Port – Sets the port the SSH server listens on.
Protocol – Version of the openssl protocol to use.
AddressFamily – Type of IP protocol to use; ipv4, ipv6, or any are valid options.
ListenAddress – Address the server binds to. 0.0.0.0 means all addresses associated with the machine.
PasswordAuthentication – Do we want to use passwords by default, or strictly require SSH keys? (A key is a file that replaces the need for a password and is considered more secure, but only if your box is a secure machine. If it is not, and an attacker has access to your files, he has your keys.)
PermitEmptyPasswords – This should always be set to no, and defaults to no.
UsePAM – Defaults to yes. This uses the local user/password system to validate access to the system. Other options could be to use MySQL to allow SSL tunneling but no shell access, etc.
X11Forwarding – This should be set to no on desktop systems, and I really see no need for it on servers; it's just a waste of resources.
Banner – If you want a nifty message to pop up for every user who logs into the system, that can be done here.
AllowTcpForwarding – With this option we can forward TCP connections, which is useful for tunneling.

There are a lot more options you can tinker with in ssh and sshd, but those are some of the most important ones.

Now for hardening sshd:

Every hacker, white, grey or black hat, knows that SSH runs on port 22, so we want to change this to a higher port so it's not so obvious what service is running on the machine. A good idea is to pick a high-numbered port like 1289. More skilled hackers will only scan certain ports and will not scan every port, so as not to set off alarms or get blocked from the machine they are targeting.

Another thing we want to do is set PermitRootLogin to no. As I said above, all hackers know that the root account is the master of all things *nix, so we disable logging in as root and use an unprivileged account to access the server. Use a name that is not common. Bad examples are guest, bob, curly, moe; good examples are X18zF2, gogetyasome, pandorarocksout. Then su into the root account.

Next we set AllowTcpForwarding to no. If this is a LAMP server we have zero need to forward TCP connections, so why even have it enabled?

Afterwards, let's look at SSH keys. These are great as long as you set passwords on your keys and don't leave them passwordless. If an attacker gets his hands on your keys, he basically has your passwords ready to crack; if the keys are not protected by passwords, he simply has your passwords.

Keys are usually stored in the user's home directory, in the ".ssh" folder.

Protocol: we want to strictly use protocol 2 and not allow 1, because it is weaker and older.
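The hardening steps above (Port, PermitRootLogin, AllowTcpForwarding, Protocol 2, plus PermitEmptyPasswords and X11Forwarding from the sshd_config list) as one script. This is an added example, not code from the post: the directive values and port 1289 come from the text; the helper functions, the Match-block handling and the audit are this example's own construction.

```shell
# Added example, not from the post: rewrite the post's hardening directives into
# a copy of sshd_config and audit the result. Port 1289 and the values are the
# post's; the helper functions are this example's own construction.

# set_directive FILE KEY VALUE: rewrite the first "KEY ..." line (commented or
# not) to "KEY VALUE" and drop later duplicates; if the key is absent, insert it
# above the first Match block (directives after Match are conditional) or at EOF.
set_directive() {
    awk -v k="$2" -v v="$3" '
        {
            commented = ($0 ~ /^[ \t]*#/)
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)          # strip indent and leading "#"
            split(line, f, /[ \t]+/); key = tolower(f[1])
            if (!commented && key == "match") {         # leave Match blocks untouched
                if (!done) { print k, v; done = 1 }
                inmatch = 1
            }
            if (!inmatch && key == tolower(k)) {
                if (!done) { print k, v; done = 1 }
                next                                   # later duplicates are dropped
            }
            print
        }
        END { if (!done) print k, v }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}
# effective_value FILE KEY: sshd honours the first uncommented occurrence of a
# keyword, and only global settings before any Match block count here.
effective_value() {
    awk -v k="$2" '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(k) { print $2; exit }
    ' "$1"
}
HARDENED="Port=1289 Protocol=2 PermitRootLogin=no PermitEmptyPasswords=no AllowTcpForwarding=no X11Forwarding=no"
harden_sshd_config() {     # harden_sshd_config FILE: apply every KEY=VALUE in HARDENED
    for pair in $HARDENED; do set_directive "$1" "${pair%%=*}" "${pair#*=}"; done
}
# audit_sshd_config FILE: print each directive whose effective value differs
# from HARDENED; returns 1 if anything is off, 0 when the file is hardened.
audit_sshd_config() {
    bad=0
    for pair in $HARDENED; do
        got=$(effective_value "$1" "${pair%%=*}")
        [ "$got" = "${pair#*=}" ] || { echo "${pair%%=*}: '${got:-unset}', want ${pair#*=}"; bad=1; }
    done
    return $bad
}
```

Run it against a copy of /etc/ssh/sshd_config, syntax-check the copy with `sshd -t -f copy`, and keep an existing session open while you restart sshd on the new port so a mistake cannot lock you out. Current OpenSSH releases no longer speak protocol 1 at all and treat the Protocol keyword as deprecated, so on them that line only documents intent.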

Well, that's about it that I can think of. Any constructive critique is greatly appreciated.


Feel free to contact me, Jackie Craig Sparks, at jackie.craig.sparks@gmail.com, http://www.phonesnake.com, 336.790.2126