I often have to run an SSH server that is reachable from the public Internet, so it is a good idea to lock the OpenSSH server down as far as possible.
This post does not cover every possible way of securing an OpenSSH server, but what it does cover goes a long way.
Firewall, TCP Wrappers and Denyhosts
My servers in the corporate network or in data centres always sit behind a firewall on the external interface. On the Linux systems I still run my own iptables firewall as well, so that the host does not depend on the perimeter alone.
When SSH access should be available only from the local subnet and not from the outside world, I use the following iptables rule (substitute your own subnet and port):
iptables -A INPUT ! -s 192.168.2.0/255.255.255.0 -p tcp -m tcp --dport 22 -j REJECT --reject-with icmp-port-unreachable
Note the placement of the negation: current iptables releases expect "! -s", and reject the older "-s !" form.
For public SSH servers, if I know the clients beforehand, I use similar rules and additionally limit the number of simultaneous connections to the port on which OpenSSH is listening.
The same source restriction can be expressed with TCP Wrappers (the /etc/hosts.allow and /etc/hosts.deny files). I usually install DenyHosts on my SSH servers and leave the updating of /etc/hosts.deny to it: it watches the authentication log for repeated failed logins and adds the offending addresses. Be aware that OpenSSH dropped TCP Wrappers (libwrap) support in release 6.7, so on current systems sshd no longer consults these files and the firewall has to do this job.
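The firewall part of the two paragraphs above, as an added example that is not a script from the post: a small POSIX shell script that emits (or, run as root with "apply", installs) an iptables rule set which accepts SSH only from a known client subnet and caps the number of simultaneous SSH connections per source address with the connlimit match. The subnet 192.168.2.0/24, port 22 and a cap of 3 connections per address are assumed values and can be overridden through the environment; run without arguments the script only prints the rules so they can be reviewed first.

```shell
#!/bin/sh
# Added example, not a script from the post: emit (or, as root with
# "apply", install) an iptables rule set for a public SSH port that
# (1) accepts SSH only from a known client subnet and (2) caps the
# number of simultaneous SSH connections per source address with the
# connlimit match. Assumed values: subnet 192.168.2.0/24, port 22 and a
# cap of 3 connections per address; override them in the environment.
# Run without arguments it only prints the rules so they can be reviewed.

SSH_PORT="${SSH_PORT:-22}"
ALLOWED_NET="${ALLOWED_NET:-192.168.2.0/24}"
MAX_PER_SOURCE="${MAX_PER_SOURCE:-3}"

# Print the rules, one per line, in the order they must be appended.
# Note the negation syntax: current iptables wants "! -s NET"; the older
# "-s ! NET" form is rejected.
ssh_rules() {
    net="$1"; port="$2"; cap="$3"
    # Let packets of already accepted connections through first.
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Reject SSH from any address outside the trusted subnet; ICMP
    # port-unreachable makes the client fail fast instead of timing out.
    echo "iptables -A INPUT ! -s $net -p tcp --dport $port -j REJECT --reject-with icmp-port-unreachable"
    # Reject a new SSH connection when the source already has $cap open
    # (mask 32 counts per single IPv4 address).
    echo "iptables -A INPUT -p tcp --dport $port --syn -m connlimit --connlimit-above $cap --connlimit-mask 32 -j REJECT --reject-with tcp-reset"
    # Everything that survived the two checks above is a trusted client.
    echo "iptables -A INPUT -s $net -p tcp --dport $port --syn -j ACCEPT"
}

# Number of rules in the set, handy for a sanity check before applying.
ssh_rule_count() {
    ssh_rules "$@" | wc -l | tr -d ' '
}

if [ "$1" = "apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "apply needs root" >&2; exit 1; }
    ssh_rules "$ALLOWED_NET" "$SSH_PORT" "$MAX_PER_SOURCE" | sh -e
else
    ssh_rules "$ALLOWED_NET" "$SSH_PORT" "$MAX_PER_SOURCE"
fi
```

The connlimit rule needs the xt_connlimit kernel module; if the rule fails to load, that is the first thing to check. For the TCP Wrappers route the post mentions, the equivalent source restriction would be "sshd: 192.168.2." in /etc/hosts.allow together with "sshd: ALL" in /etc/hosts.deny, which only works with an sshd built with libwrap (OpenSSH 6.6 and earlier).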
Use a different port
Make your SSH server listen on a port other than the default 22 (the Port directive in sshd_config). This hides nothing from a port scan, but it removes most of the automated password-guessing noise from the logs. Keep the port below 1024 so that an unprivileged local process cannot bind it while sshd happens to be down.
Using Public Key Authentication instead of Passwords
Generate a key pair with ssh-keygen and install the public key in the user's ~/.ssh/authorized_keys on the server. Once that trust relationship is set up and verified, password authentication for the account can be locked with
passwd -l user01
This only locks the password of that one account. The server-wide and more reliable switch is PasswordAuthentication no (together with ChallengeResponseAuthentication no, so that PAM cannot re-introduce a password prompt) in sshd_config. Also check that key login still works after the lock: an sshd running with UsePAM no treats an account whose password hash starts with "!" as locked and refuses it for every authentication method, keys included.
Restrict the use of passwordless keys
Options can be prepended to a key in the authorized_keys file to restrict the source of the connection (from=) and to force the command that the connection may run (command=), so that a key without a passphrase is useful for exactly one job.
[ajitabhp@qemu-fc5 .ssh]$ cat ./authorized_keys
from="qemu-openbsd.ajitabhpandey.info",command="/usr/bin/df -k" ssh-dss ... user01@localhost
This key can only be used from the host qemu-openbsd.ajitabhpandey.info, and whatever the client asks for, the server runs /usr/bin/df -k and nothing else (the command the client requested is passed to that program in SSH_ORIGINAL_COMMAND). Other options worth adding to such a key are no-port-forwarding, no-X11-forwarding, no-agent-forwarding and no-pty; OpenSSH 7.2 and later bundle all of these as restrict. ssh-dss keys like the one above are refused by default since OpenSSH 7.0, so use an ed25519 or RSA key for new setups.
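A check that goes with the restriction above, as an added example that is not part of the post: a POSIX shell audit of an authorized_keys file that reports, for every key, whether it carries a from= restriction and a forced command, and flags ssh-dss keys. The key blobs in the constructed sample file are placeholders, not real keys; point audit_authorized_keys at a real ~/.ssh/authorized_keys to use it.

```shell
#!/bin/sh
# Added example, not from the post: audit an authorized_keys file and
# report every key that has no from= restriction and no forced command.
# A key with neither gives a full login shell from anywhere the
# firewall lets in, which is what the post's options are meant to avoid.
# The sample file below is constructed; its key blobs are placeholders.

# One line per key: verdict, source restriction, command restriction,
# key type and comment. Blank lines and # comments are skipped, as sshd
# does. Options come before the key type; quoted options may contain
# spaces, so the fields are gathered until the key-type token appears.
audit_authorized_keys() {
    awk '
    /^[[:space:]]*#/ { next }
    NF == 0 { next }
    {
        opts = ""; type = ""; comment = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^(ssh-|ecdsa-|sk-)/) { type = $i; break }
            opts = opts " " $i
        }
        if (type == "") { printf "MALFORMED    line %d has no key type\n", NR; next }
        # fields after the key blob are the free-form comment
        for (j = i + 2; j <= NF; j++) { sep = (j > i + 2) ? " " : ""; comment = comment sep $j }
        src = (opts ~ /[ ,]from=/) ? "from=" : "any-source"
        cmd = (opts ~ /[ ,]command=/) ? "forced-cmd" : "login-shell"
        if (src == "from=" && cmd == "forced-cmd") verdict = "restricted"
        else if (src == "from=" || cmd == "forced-cmd") verdict = "partial"
        else verdict = "UNRESTRICTED"
        note = (type == "ssh-dss") ? "  [ssh-dss: refused by default since OpenSSH 7.0]" : ""
        printf "%-12s %-10s %-11s %s %s%s\n", verdict, src, cmd, type, comment, note
    }' "$1"
}

# Number of keys with neither restriction.
count_unrestricted() {
    audit_authorized_keys "$1" | grep -c '^UNRESTRICTED' || true
}

# Constructed sample authorized_keys; the blobs are placeholders.
sample="$(mktemp)"
cat > "$sample" <<'EOF'
# constructed sample authorized_keys; key blobs are placeholders, not real keys
from="qemu-openbsd.ajitabhpandey.info",command="/usr/bin/df -k" ssh-dss AAAAplaceholderDsaKey user01@localhost
ssh-ed25519 AAAAplaceholderEd25519Key backup@host
restrict,from="192.168.2.0/24" ssh-ed25519 AAAAplaceholderEd25519Key2 admin@laptop
EOF
audit_authorized_keys "$sample"
echo "unrestricted keys: $(count_unrestricted "$sample")"
rm -f "$sample"
```

On the sample the first key is reported as restricted, the second as UNRESTRICTED and the third as partial (restrict removes pty and forwarding but still allows a shell and does not force a command).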
Here are some useful options for the OpenSSH server configuration file (sshd_config):
LogLevel INFO
UsePrivilegeSeparation yes
Protocol 2
PermitRootLogin without-password (or PermitRootLogin no)
StrictModes yes
VerifyReverseMapping yes
AllowTcpForwarding no
X11Forwarding no
IgnoreRhosts yes
HostbasedAuthentication no
RhostsAuthentication no
RhostsRSAAuthentication no
Spelling matters here: sshd refuses to start on an unknown keyword, and the keywords are UsePrivilegeSeparation and StrictModes. Several of these only make sense on the OpenSSH releases of the time. RhostsAuthentication and RhostsRSAAuthentication belong to protocol 1, whose server support was removed in OpenSSH 7.4; VerifyReverseMapping was replaced by UseDNS; and without-password is now spelled prohibit-password (the old name is still accepted). Current releases log the obsolete keywords as deprecated and ignore them. Add PasswordAuthentication no once keys are in place, and AllowUsers or AllowGroups to name the only accounts that may log in at all.
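A way to check a live sshd_config against the settings above, added here as an example that is not part of the post: a POSIX shell script that reads the file and reports each baseline keyword as ok, WEAK or MISSING. It follows two sshd_config(5) rules that a plain grep gets wrong: keywords are case-insensitive, and for each keyword the first occurrence wins, so a hardened line appended at the end of the file changes nothing if a weaker one appears earlier. Lines after a Match keyword are skipped because they apply only to the matched users or hosts. The baseline values, and the sample config it runs on, are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the post: check an sshd_config against a small
# hardening baseline without needing sshd on the box. Honours two
# sshd_config(5) rules: keywords are case-insensitive, and the FIRST
# occurrence of a keyword wins. Lines after "Match" are skipped because
# they are conditional, not global. The baseline is an assumption.

# Effective global value of one keyword (empty if the file does not set it).
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        NF == 0 { next }
        tolower($1) == "match" { inmatch = 1 }
        inmatch { next }
        tolower($1) == key { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$1"
}

# keyword, then the accepted values as an extended regular expression
BASELINE='
PermitRootLogin no|prohibit-password|without-password
PasswordAuthentication no
AllowTcpForwarding no
X11Forwarding no
IgnoreRhosts yes
HostbasedAuthentication no
StrictModes yes
'

# One line per baseline entry: ok / WEAK / MISSING.
check_sshd_config() {
    printf '%s\n' "$BASELINE" | while read -r key want; do
        [ -n "$key" ] || continue
        have="$(effective_value "$1" "$key")"
        if [ -z "$have" ]; then
            echo "MISSING  $key (want $want; the compiled-in default applies)"
        elif printf '%s\n' "$have" | tr 'A-Z' 'a-z' | grep -qxE "$want"; then
            echo "ok       $key $have"
        else
            echo "WEAK     $key $have (want $want)"
        fi
    done
}

# Number of WEAK and MISSING findings.
count_findings() {
    check_sshd_config "$1" | grep -cE '^(WEAK|MISSING)' || true
}

# Constructed sample config, not a real server's file. The second
# PermitRootLogin line is ignored by sshd because the first one wins,
# and PasswordAuthentication only applies inside the Match block.
sample="$(mktemp)"
cat > "$sample" <<'EOF'
# constructed sample sshd_config
Port 2222
PermitRootLogin yes
PermitRootLogin no
X11Forwarding no
AllowTcpForwarding no
IgnoreRhosts yes
HostbasedAuthentication no
StrictModes yes
Match User backup
    PasswordAuthentication no
EOF
check_sshd_config "$sample"
echo "findings: $(count_findings "$sample")"
rm -f "$sample"
```

Where sshd itself is available, "sshd -T" prints the effective configuration after all of this parsing has been done by the server, and is the authoritative answer; the script is for auditing files copied off a host.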