Tightening up OpenSSH

Posted on March 29, 2009 by Ajitabh

Often I am required required to run a public ssh server, so its a good idea to restrict the OpenSSH server as much as possible.

While this post does not cover all possible methods of securing the OpenSSH server, but still it can do so to a great extent.

Firewall, TCP Wrappers and Denyhosts

For my servers which are a part of corporate network or in data centres, there always is a firewall as an external interface. But still I run my own IPTables firewall in case of linux systems.
When I have to keep ssh access only within the local subnet and not to the outside world, I use the following IPtables rule to restrict ssh access to local subnet only:

iptables -A INPUT -s ! 192.168.2.0/255.255.255.0 -p tcp -m tcp –dport 22 -j REJECT –reject-with-icmp-port–unreachable

For public ssh servers if I know the clients beforehand I use similar rules and also limit the number of simultaneous connections to the port on which OpenSSH is running:
For doing the similar task, TCP Wrappers can also be used (/etc/hosts.allow and /etc/hosts.deny files). But I usually install a beautiful piece of software called DenyHosts on my SSH servers and leave updating the /etc/hosts.deny files to it.

Use a different port

Make your SSH server listen on any port other than the default port 22.

Using Public Key Authentication instead of Passwords

After the basic trust relationship is setup password authentication can be locked by
passwd -l user01

Restrict the use of passwordless keys

Options can be added to the authorized-keys file which can restrict the source of connection and also the command which can be executed by that connection.

[ajitabhp@qemu-fc5 .ssh]$ cat ./authorized_keys
from=”qemu-openbsd.ajitabhpandey.info”,command=”/usr/bin/df -k” ssh-dss AAAAB3NzaC1kc3MAAACBANh+D/qS2BYH2fJz9IPUZ6HNOs+doc+pPNBMU9TIaBv+q83rLvA3SQwABKrtGJHWDpaZd8E2exvYlbeOuooQRxRBklNfYMVgw4E3CBAF64Y8YRuirWYm/sPb1DVIdZiwnZlP251AH+BbUFleJiJ9/ywBoMUBeZaAXxQh1Wvza+w9AAAAFQC0yx3wiLyuR4bbgTfomVjiAGX4NwAAAIASNBSCRkDJQjxJhw39FePlaFZD2dK+T/LvNRaRCDsHq5GIL7iXBEYw1j7bsSazW93iwmlLeGT086G+SBWj054ukGEUAvwEVtEzldr4b/8HRNBBlG7ATBrEo+yeocHEP9V3kRwokNcXv72+7zR9AobdunyeOkQytaUZtK+O+WYHAwAAAIEAhR9WXMgPuNyTInB3hE9hZ+O0uWWr6lp4ofsn11dwRz0YrpHWosdLTNgPrSkYnS0jyhIAOBOAjHGQ+cEPJ4gt8uEWZ8ISeXIA6WTio3UbIbBp9+sdbTVPJ81M8QXoOTRLA0zT7vRxCmda7bjpO/ujd85AA7+CAKtY8+iNmWcoN5k= user01@localhost

OpenSSH Options

Here are some useful options for the OpenSSH Server configuration file:

LogLevel INFO
UsePrivilegeSeperation yes
Protocol 2
PermitRootLogin without-password or PermitRootLogin no
StrictMode yes
VerifyReverseMapping yes
AllowTcpForwarding no
X11Forwarding no
IgnoreRhosts yes
HostbasedAuthentication no
RhostsAuthentication no
RhostsRSAAuthentication no
This entry was posted in FLOSS, Security and tagged , . Bookmark the permalink.

1 Response to Tightening up OpenSSH

  1. balu says:
    August 11, 2012 at 9:55 pm

    wow! denyhosts is cool..
    apart from that, Cipher and CompressionLevel are two important options that surely need to be mentioned given the context of the post..

    pl write more 🙂

    Reply

Leave a Reply