5 quick SSH hardening tips



If you make use of Secure Shell, you’ll want to run down this checklist of five quick tips to make that Linux server a bit more secure.

Image: Jack Wallen

If you’re a Linux administrator, more than likely you depend upon Secure Shell (SSH) for remote access to your data center or other business machines. SSH is, by design, a fairly secure protocol. However, there are ways you can make it even more secure. In fact, I have five very quick tips you can use to better lock down that SSH server. These can be done in just a few minutes.

Are you ready?

1. Set idle timeout interval

The idle timeout interval is the amount of time an SSH session is allowed to sit idle. When that timeout passes, the connection is broken. Out of the box, this option is disabled. We’ll enable it and set a timeout of five minutes (300 seconds). To do this, issue the command:

sudo nano /etc/ssh/sshd_config 

In this file, look for:

#ClientAliveInterval 0

Change that to:

ClientAliveInterval 300

Save and close the file. Restart the SSH server with the command:

sudo systemctl restart sshd

2. Disable empty passwords

There are some system user accounts that are created without passwords. The administrator of a Linux machine can also create standard users without passwords. Out of the box, SSH is configured such that it doesn’t prevent empty passwords from being allowed. Let’s fix that.

Open the SSH daemon configuration file again with the command:

sudo nano /etc/ssh/sshd_config

Locate the line:

#PermitEmptyPasswords no

Change that to:

PermitEmptyPasswords no

Save and close the file. Restart the SSH server with the command:

sudo systemctl restart sshd

3. Disable X11 forwarding

If you have servers with GUIs, or you have desktop machines that require the use of SSH, you should probably disable X11 forwarding. What is X11 forwarding? It allows anyone to tunnel GUI applications via SSH. The last thing you want is for a malicious user to easily view sensitive information via a GUI, or exploit this already insecure feature.

To disable this feature, open the SSH daemon configuration file again with the command:

sudo nano /etc/ssh/sshd_config

Look for the line:

X11Forwarding yes

Change the above to:

X11Forwarding no

Save and close the file. Restart the SSH server with the command:

sudo systemctl restart sshd

4. Limit max authentication attempts

By setting a low threshold for login attempts, you can help protect against brute-force attacks. Open the SSH daemon configuration file again with the command:

sudo nano /etc/ssh/sshd_config

Look for the line:

#MaxAuthTries 6

Change that line to:

MaxAuthTries 3

Save and close the file. Restart the SSH server with the command:

sudo systemctl restart sshd
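
To confirm that the edits from tips 1 through 4 actually took effect, the following added example (not part of the original article) audits sshd_config text for those four settings. The function name audit_sshd and the sample input are constructed for illustration, and ClientAliveInterval is assumed to be given in plain seconds, as in tip 1.

```sh
#!/bin/sh
# Added example (not from the article): check sshd_config text against tips 1-4.
# Reads the config on stdin, prints one FAIL line per setting that is missing
# or too weak, and returns the number of findings as its exit status.
audit_sshd() {
    awk '
    function fail(name, v, want) {
        printf "FAIL %s: found %s, want %s\n", name, (v == "" ? "unset" : v), want
        return 1
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }        # commented-out lines have no effect
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        sub(/[ \t]*=[ \t]*/, " ", line)      # "Keyword=value" is also accepted
        split(line, f, /[ \t]+/)
        key = tolower(f[1])                  # keywords are case-insensitive
        if (key == "match") exit             # below this, settings are conditional
        if (!(key in val)) val[key] = tolower(f[2])   # first occurrence wins
    }
    END {
        bad = 0
        v = val["clientaliveinterval"]       # assumes plain seconds, as in tip 1
        if (v !~ /^[0-9]+$/ || v + 0 < 1 || v + 0 > 300)
            bad += fail("ClientAliveInterval", v, "1-300")
        v = val["permitemptypasswords"]
        if (v != "no") bad += fail("PermitEmptyPasswords", v, "no")
        v = val["x11forwarding"]
        if (v != "no") bad += fail("X11Forwarding", v, "no")
        v = val["maxauthtries"]
        if (v !~ /^[0-9]+$/ || v + 0 < 1 || v + 0 > 3)
            bad += fail("MaxAuthTries", v, "1-3")
        exit bad
    }'
}

# Constructed sample: the four lines as the article shows them before editing.
sample_before='#ClientAliveInterval 0
#PermitEmptyPasswords no
X11Forwarding yes
#MaxAuthTries 6'
printf '%s\n' "$sample_before" | audit_sshd || echo "findings: $?"
```

On a live host, piping the output of sudo sshd -T into audit_sshd checks the effective configuration rather than a single file. Running sudo sshd -t before each restart catches syntax errors that would otherwise keep the daemon from starting again.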

5. Disable SSH on desktops

If you have desktop Linux machines, you might want to consider disabling SSH. Why? What if a malicious user were to log into one of those desktop machines (because they probably have lower security than your servers) and then use that machine as a relay to gain access to your servers? You don’t want that. Period.

In fact, instead of disabling SSH, you might consider completely removing the SSH server. To do that, issue one of the following commands:

  • sudo dnf remove openssh-server – on Fedora-based systems.
  • sudo apt-get remove openssh-server – on Debian/Ubuntu-based systems.

If you don’t want to completely remove the SSH server, disable it with the commands:

sudo systemctl stop sshd
sudo systemctl disable sshd

Simple SSH security

And there you have it: Five simple (and quick) ways of gaining a bit of added SSH security on your servers and desktops. Once you’ve taken care of these steps, do not think your data center and other business servers are perfectly safe. Always be diligent and on the lookout for suspicious events via log files and other means.
