Sunday, September 2, 2007

Three Easy Methods to Secure SSHD

Submitted by Christopher Fluhrer on Fri, 2005-11-11 02:27

Over the past year there have been increasing attacks on OpenSSH servers, thanks to some cleverly crafted scripts aimed at brute forcing their way in with commonly used passwords. I have seen thousands of foreign IP addresses hit my server in an attempt to make their way onto my system.

What can you do to better protect yourself? Here are some simple methods that anyone can implement to help secure their server. There is nothing unique about the suggestions I am going to make; they can be found in any number of places, but you can never hear the information enough.

First of all you want to further secure your sshd_config file. OpenSSH has done a good job of doing this for you when problems are found, but it is always good to check anyway. sshd_config is usually found in /etc/ssh/. You will want to su to root and edit this file with your favorite editor, be it emacs, vi, or whatever you prefer. Now scan the file for the following line:

PermitRootLogin yes

If the line says PermitRootLogin no, you are already safe from root logins and can skip ahead to the next lines to search for; otherwise change the yes to no. You should never log in as root in the first place. Always log in with a user account and use the su command to do anything root oriented.

Now you want to look for these lines:
# AllowUsers yourusrnames
StrictModes yes
PermitEmptyPasswords no

Make sure that they say yes for StrictModes and no for PermitEmptyPasswords. StrictModes causes sshd to check the file modes and ownership of the user's files and home directory before allowing the login, to avoid misuse of accidentally world-writable files created by your users. PermitEmptyPasswords specifies whether the server allows login to accounts with empty password strings. The defaults should already be correct, but again, always check. Never take security for granted.

Some things you can add to your sshd_config file that might be beneficial to your security are the following lines:

AllowUsers user1 user2

DenyUsers user3 user4

If you don’t want to narrow it down to users, you can always use AllowGroups and DenyGroups.
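The settings above are easy to check by hand once, but they drift. The following script, an added example that is not part of the original post, audits an sshd_config for PermitRootLogin, StrictModes, PermitEmptyPasswords and AllowUsers the way sshd reads the file (comments ignored, keyword match case-insensitive, first occurrence wins). The sample file it writes is constructed so it runs offline; point CONFIG at /etc/ssh/sshd_config on a real host. It does not understand Match blocks, and it treats an unset keyword as a failure rather than trusting the compiled-in default.

```shell
#!/bin/sh
# Added example: audit sshd_config for the settings discussed in the post.
# CONFIG path and the sample contents are assumptions.
CONFIG="${CONFIG:-./sshd_config.sample}"

# Constructed sample sshd_config so the script can run without a real host.
write_sample() {
    cat > "$CONFIG" <<'EOF'
# sample sshd_config (constructed for this example)
Port 22
#PermitRootLogin no
PermitRootLogin yes
StrictModes yes
PermitEmptyPasswords no
# AllowUsers yourusrnames
EOF
}

# sshd_value KEYWORD: print the effective value of KEYWORD.
# Comment lines are skipped, the keyword match is case-insensitive and,
# as in sshd itself, the first uncommented occurrence wins.
sshd_value() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        NF >= 2 && tolower($1) == key { print $2; exit }
    ' "$CONFIG"
}

# check KEYWORD EXPECTED: print PASS/FAIL, return 0 only on PASS.
# An unset keyword is reported as FAIL so you set it explicitly instead of
# relying on whatever default this build of sshd compiled in.
check() {
    val="$(sshd_value "$1")"
    if [ "$(printf '%s' "$val" | tr 'A-Z' 'a-z')" = "$2" ]; then
        echo "PASS $1 $val"; return 0
    else
        echo "FAIL $1 is '${val:-unset}', want $2"; return 1
    fi
}

# audit: run every check; return value is the number of failures.
audit() {
    fails=0
    check PermitRootLogin no || fails=$((fails + 1))
    check StrictModes yes || fails=$((fails + 1))
    check PermitEmptyPasswords no || fails=$((fails + 1))
    # AllowUsers absent means every account on the box may log in over ssh.
    if [ -z "$(sshd_value AllowUsers)" ]; then
        echo "WARN AllowUsers not set; every account may log in over ssh"
    fi
    return $fails
}

write_sample
if audit; then echo "all checks passed"; else echo "audit found problems"; fi
```

Run it after every edit of sshd_config and before restarting the daemon; a FAIL on PermitRootLogin with the sample file above is exactly the case the post tells you to fix.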

The second method for securing your SSHD server is to utilize the hosts.allow and hosts.deny files in your /etc directory. You can do this for a specific IP address, an entire range of addresses, and so on. Again, using your favorite editor, open each of the files and use the following examples as guides:

hosts.deny/hosts.allow example:
# /etc/hosts.allow
sshd: 1.2.3.0/255.255.255.0
sshd: 192.168.0.0/255.255.255.0
# /etc/hosts.deny
sshd: ALL
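The two files above are evaluated in a fixed order: a match in hosts.allow grants access, otherwise a match in hosts.deny refuses it, otherwise access is granted. The script below, an added example that is not from the original post, emulates that evaluation for the ALL, single-address and net/mask patterns so you can test an address against your files before you lock yourself out. The file paths and sample contents are constructed; hostname patterns and the other tcp_wrappers forms are not handled. Note that these files only affect sshd when it was built with tcp_wrappers (libwrap) support, which OpenSSH removed in release 6.7, so on newer builds they do nothing for sshd.

```shell
#!/bin/sh
# Added example: emulate tcp_wrappers' hosts.allow / hosts.deny decision for
# sshd. Paths and file contents are assumptions, not the post's own files.
ALLOW="${ALLOW:-./hosts.allow.sample}"
DENY="${DENY:-./hosts.deny.sample}"

# Constructed copies of the two files shown in the post.
write_samples() {
    printf 'sshd: 1.2.3.0/255.255.255.0\nsshd: 192.168.0.0/255.255.255.0\n' > "$ALLOW"
    printf 'sshd: ALL\n' > "$DENY"
}

# ip2int A.B.C.D: dotted quad to a 32-bit integer (input is trusted here).
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( a * 16777216 + b * 65536 + c * 256 + d ))
}

# match IP PATTERN: true if PATTERN (ALL, x.x.x.x or net/mask) covers IP.
match() {
    case "$2" in
        ALL) return 0 ;;
        */*) net="${2%/*}"; mask="${2#*/}"
             [ $(( $(ip2int "$1") & $(ip2int "$mask") )) -eq \
               $(( $(ip2int "$net") & $(ip2int "$mask") )) ] ;;
        *)   [ "$1" = "$2" ] ;;
    esac
}

# file_matches FILE DAEMON IP: true if a line "DAEMON: p1, p2, ..." in FILE
# has a pattern covering IP. Blank lines and comments are skipped.
file_matches() {
    while IFS= read -r line; do
        case "$line" in \#*|'') continue ;; esac
        daemon="$(echo ${line%%:*})"
        [ "$daemon" = "$2" ] || [ "$daemon" = ALL ] || continue
        pats="$(echo "${line#*:}" | tr ',' ' ')"
        for p in $pats; do
            match "$3" "$p" && return 0
        done
    done < "$1"
    return 1
}

# decide IP: print ALLOW or DENY using the tcp_wrappers order:
# hosts.allow first, then hosts.deny, and allow when neither matches.
decide() {
    if file_matches "$ALLOW" sshd "$1"; then echo ALLOW
    elif file_matches "$DENY" sshd "$1"; then echo DENY
    else echo ALLOW
    fi
}

write_samples
for ip in 1.2.3.77 192.168.0.5 10.9.8.7; do
    echo "$ip -> $(decide "$ip")"
done
```

The last branch of decide is the point worth remembering: an empty hosts.deny means everything not listed in hosts.allow is still let through, which is why the post's "sshd: ALL" deny line matters.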

The final method I will cover is using the iptables firewall to block incoming traffic to your server from unwanted locations and allow it from places you want. su to root and issue the commands from the example, replacing the addresses with the ones you want.

Iptables example:
# Allow connections from address 1.2.3.4 to SSH (port 22)
iptables -A INPUT -p tcp -m state --state NEW --source 1.2.3.4 --dport 22 -j ACCEPT
# Deny all other SSH connections
iptables -A INPUT -p tcp --dport 22 -j DROP

Remember to save your changes to the configuration file.

Redhat example: /sbin/service iptables save
Debian example: /etc/init.d/iptables save
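Because the two iptables commands above are appended in order, the ACCEPT rules must come before the DROP or every SSH connection, including yours, is dropped. The script below, an added example that is not from the original post, writes the same rules for a list of permitted sources as an iptables-restore file, so the ordering is fixed in a file you can review, keep under version control and reload at boot. The allow list, the output path and the extra rule that keeps already established sessions alive are assumptions beyond the post's two commands.

```shell
#!/bin/sh
# Added example: generate the post's SSH rules for several sources as an
# iptables-restore file. OUT and the sources passed in are assumptions.
OUT="${OUT:-./ssh-rules.v4}"

# gen_rules SOURCE...: write the restore file and print its path.
# Sources that contain anything other than digits, dots and a slash are
# reported on stderr and skipped rather than written into the rule set.
gen_rules() {
    {
        echo '*filter'
        echo ':INPUT ACCEPT [0:0]'
        # Keep replies on connections the host already has, so an admin
        # session is not cut off at the moment the rules are loaded.
        echo '-A INPUT -p tcp --dport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT'
        for src in "$@"; do
            case "$src" in
                *[!0-9./]*|'') echo "skipping invalid source '$src'" >&2; continue ;;
            esac
            echo "-A INPUT -p tcp -m state --state NEW -s $src --dport 22 -j ACCEPT"
        done
        # Everything else aimed at port 22 is dropped; this rule must stay last.
        echo '-A INPUT -p tcp --dport 22 -j DROP'
        echo 'COMMIT'
    } > "$OUT"
    echo "$OUT"
}

# drop_is_last FILE: true if the DROP rule is the final INPUT rule.
drop_is_last() {
    [ "$(grep '^-A INPUT' "$1" | tail -n 1)" = '-A INPUT -p tcp --dport 22 -j DROP' ]
}

# count_accepts FILE: number of per-source ACCEPT rules written.
count_accepts() {
    grep -c -- '--state NEW' "$1"
}

gen_rules 1.2.3.4 192.168.0.0/24 not-an-address
drop_is_last "$OUT" && echo "rule order ok; review $OUT, then: iptables-restore -n < $OUT"
```

Load the file with iptables-restore -n (noflush) so it is appended to the rules you already have; without -n, iptables-restore flushes the whole filter table before loading. Whichever distribution you are on, the saved rules are what survives a reboot, so run the save command for your system afterwards.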

If you have used any combination of these steps, or even better used multiple methods, you can start to rest a lot easier at night knowing you are that much safer. No, you are never 100% safe, but the more you secure your system, the fewer people there are with enough knowledge to do damage.
