Securing SSH:
Protocol 1 should be disabled, and SSH should be set to disallow password authentication, only allowing authentication via keyfiles. You must generate keyfiles on the remote systems that will be used to connect.
Edit /etc/ssh/sshd_config and make the following changes:
Protocol 2 PasswordAuthentication no AllowUsers username
Reference: http://wiki.centos.org/HowTos/Network/SecuringSSH
Change SSH to a non-standard port:
While this does not provide security in itself, many hacking tools automatically check port 22, so it can provide at least another layer of security by changing the port to a non-standard port. To do this, you must edit the /etc/ssh/sshd_config file and change “Port” to another number, like so:
Port 887
The firewall must also be changed to allow connection to the non-standard port:
IP range access:
iptables -A INPUT -p tcp --destination-port 887 -m iprange --src-range 1.1.50.0-1.1.50.255 -j ACCEPT
Specific IP Access:
iptables -A INPUT -p tcp --destination-port 887 -s 1.1.50.1 -j ACCEPT
SSH also natively supports TCP wrappers and access to the ssh service may be similarly controlled using hosts.allow and hosts.deny.
If you are unable to limit source IP addresses, and must open the ssh port globally, then iptables can still help prevent brute-force attacks by logging and blocking repeated attempts to login from the same IP address:
iptables -A INPUT -p tcp --dport 887 -m recent --set --name ssh --rsource iptables -A INPUT -p tcp --dport 887 -m recent ! --rcheck --seconds 60 --hitcount 4 --name ssh --rsource -j ACCEPT
The first rule records the IP address of each attempt to access port 887 using the recent module. The second rule checks to see if that IP address has attempted to connect 4 or more times within the last 60 seconds, and if not then the packet is accepted. Note this rule would require a default policy of DROP on the input chain.
Here’s another example, this time using iptables limit module to limit the the number of connections to the ssh port to 3 per minute:
iptables -A INPUT -p tcp --dport 887 --syn -m limit --limit 1/m --limit-burst 3 -j ACCEPT iptables -A INPUT -p tcp --dport 887 --syn -j DROP
FINALLY, to save, type the following. This saves it to /etc/sysconfig/iptables.
service iptables save
Generate keyfiles to secure SSH on Mac OS X:
Run the following in Terminal:
ssh-keygen -t rsa -C "comment"
This will prompt for a location to save the file; the default location is in the .ssh folder in the user home directory. You will have the option to set a password for the keyfile.
Copy the pub file to the .ssh/authorized_keys file in the user home folder on the remote computer.
Then, in ~/.ssh/authorized keys added the text of id_rsa.pub. This is actually in the home directory of username, but it works anyway.
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
Generate keyfiles to secure SSH on Windows:
Download the full PuTTY package. Use PuTTYGen to generate a DSA keyfile.
When completed, save the private keyfile — you will use this when connecting to the server using PuTTY. Also, in the PuTTYGen window, copy the text that says it is the “Public key for pasting into OpenSSH authorized_keys file,” and paste this into authorized_keys on the remote server.
Leave a Reply