Beruflich Dokumente
Kultur Dokumente
7/9/12 7:23 PM
About
Forum
Howtos & FAQs
Low graphics
Shell Scripts
RSS/Feed
Debian / Ubuntu Linux user can disable and remove the same with apt-get command:
# apt-get remove openssh-server
You may need to update your iptables script to remove ssh exception rule. Under CentOS / RHEL / Fedora edit the files /etc/sysconfig/iptables and /etc/sysconfig/ip6tables.
Once done restart iptables service:
# service iptables restart
# service ip6tables restart
http://www.cyberciti.biz/tips/linux-unix-bsd-openssh-server-best-practices.html
Page 1 of 10
7/9/12 7:23 PM
Above is standard sample, consult your legal team for exact user agreement and legal notice details.
http://www.cyberciti.biz/tips/linux-unix-bsd-openssh-server-best-practices.html
Page 2 of 10
7/9/12 7:23 PM
Output:
uw8CnDVMwC6vOKgW
See this FAQ about setting and using TCP wrappers under Linux / Mac OS X and UNIX like operating systems.
http://www.cyberciti.biz/tips/linux-unix-bsd-openssh-server-best-practices.html
Page 3 of 10
7/9/12 7:23 PM
Iptables Example
The following example will drop incoming connections which make more than 5 connection attempts upon port 22 within 60 seconds:
1.
2.
3.
4.
5.
6.
#!/bin/bash
inet_if=eth1
ssh_port=22
$IPT -I INPUT -p tcp --dport ${ssh_port} -i ${inet_if} -m state --state NEW -m recent
$IPT -I INPUT -p tcp --dport ${ssh_port} -i ${inet_if} -m state --state NEW -m recent
--set
--update --seconds 60 --hitco
Call above script from your iptables scripts. Another config option:
1.
2.
3.
4.
5.
$IPT -A INPUT -i ${inet_if} -p tcp --dport ${ssh_port} -m state --state NEW -m limit --limit 3/min --limit-burst
$IPT -A INPUT -i ${inet_if} -p tcp --dport ${ssh_port} -m state --state ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o ${inet_if} -p tcp --sport ${ssh_port} -m state --state ESTABLISHED -j ACCEPT
# another one line example
# $IPT -A INPUT -i ${inet_if} -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 22 -m limit --limit 5/minute -
*BSD PF Example
The following will limits the maximum number of connections per source to 20 and rate limit the number of connections to 15 in a 5 second span. If anyone breaks our
rules add them to our abusive_ips table and block them for making any further connections. Finally, flush keyword kills all states created by the matching rule which
originate from the host which exceeds these limits.
1.
2.
3.
4.
sshd_server_ip="202.54.1.5"
table <abusive_ips> persist
block in quick from <abusive_ips>
pass in on $ext_if proto tcp to $sshd_server_ip port ssh flags S/SA keep state (max-src-conn 20, max-src-conn-rate
$IPT -N stage1
$IPT -A stage1 -m recent --remove --name knock
$IPT -A stage1 -p tcp --dport 3456 -m recent --set --name knock2
$IPT -N stage2
$IPT -A stage2 -m recent --remove --name knock2
$IPT -A stage2 -p tcp --dport 2345 -m recent --set --name heaven
$IPT -N door
$IPT -A door -m recent --rcheck --seconds 5 --name knock2 -j stage2
$IPT -A door -m recent --rcheck --seconds 5 --name knock -j stage1
http://www.cyberciti.biz/tips/linux-unix-bsd-openssh-server-best-practices.html
Page 4 of 10
12.
13.
14.
15.
16.
7/9/12 7:23 PM
Other Options
To hide openssh version, you need to update source code and compile openssh again. Make sure following options are enabled in sshd_config:
# Turn on privilege separation
UsePrivilegeSeparation yes
# Prevent the use of insecure home directory and key file permissions
StrictModes yes
# Turn on reverse name checking
VerifyReverseMapping yes
# Do you need port forwarding?
AllowTcpForwarding no
X11Forwarding no
# Specifies whether password authentication is allowed. The default is yes.
PasswordAuthentication no
159
11
Like
90
StumbleUpon
Featured Articles:
20 Linux System Monitoring Tools Every SysAdmin Should Know
20 Linux Server Hardening Security Tips
Linux: 20 Iptables Examples For New SysAdmins
My 10 UNIX Command Line Mistakes
25 PHP Security Best Practices For Sys Admins
The Novice Guide To Buying A Linux Laptop
Top 5 Email Client For Linux, Mac OS X, and Windows Users
Top 20 OpenSSH Server Best Security Practices
Top 10 Open Source Web-Based Project Management Software
{ 117 comments read them below or add one }
Previous Comments
101 MetroMagz December 1, 2011 at 2:37 pm
You could disable it and run as the another account which that account has same permit as root account, thats what i do on my server.
This tutorial very useful as the sysadmin.
102 Siddharth December 12, 2011 at 7:13 pm
http://www.cyberciti.biz/tips/linux-unix-bsd-openssh-server-best-practices.html
Page 5 of 10
7/9/12 7:23 PM
hey, Vivek,
thank you for this excellent post.
I have a query
Is it possible to block multiple ssh logins from a single client pc?
i mean, a single client must be allowed to run only one ssh sessionat any given time.
If it helps, my server is debian and client is ubuntu
103 Henry Paul December 30, 2011 at 6:00 am
There is another solution to root auditing and login. We use root login with without-password option so key login is allowed remotely, password is denied. Then we
configured EASH shell for session logging on our jump server and restrict ssh logins via jump server. Basically the entire ssh session is logged to a remote server for
future auditing, and we still have a more convenient access to the system for running automated scripts, etc.
104 MUNIKRISHNAN.M January 9, 2012 at 6:12 am
this details are very help full Linux learner and working system admins
thank you
105 Andrew Bruce January 19, 2012 at 12:59 am
One technique I like to use is to have local, low-priv accounts used for SSH access on a nicen'empty box. This in conjunction with TCP forwarding allows me to let
users in (no passwords, of course, just PK authentication) and then chroot the users to lock them in their current dir. That minimizes zero-day risk cuz the SSH users
have no privs on the domain, network, or anything elsethey are simply placeholders to allow TCP port forwarding to be setup. Users setting up tunnels to real
servers get prompted with our strong two-factor authentication so we have the best of both worlds.
VPN would be fine but it is very slow compared to SSH. No, this is *not* due to protocol (Ive timed VPN and SSH and there is no detectable difference in
throughput). It is instead due to the edge firewalls that trap / track all VPN traffic and the shitty VPN clients the organization wants us to use.
To sum up: keep your SSH server clean of all other software, use local low-priv user accounts, use only PK for authentication, maybe tie in IP filtering to prevent
hackers from even knowing about your listening port. Port knocking is too complicated for me to explain to users, or Id be using that instead (tres kewl approach).
106 graz January 22, 2012 at 10:11 am
Im still a bit unsure about how using sudo to su is a good idea.
logon to server with regular account and bad password 12345678
sudo su12345678 and you have a root shell..
Surely to step up to the root user from a regular account you should be issuing a separate password. I see the thought behind protecting the root password by never
having to type it and no one having to know it, but with sudo su someone can gain root without the root pw anyway, so whats the point of protecting it if its not
needed anyway.
Just my 2 cents anyway..
107 precious March 27, 2012 at 4:31 pm
Hello I want to know if the SSH can work with Window i have bitvise Tunnelier I want to know how i can work with it can if you can help me with host usename
and pasword. hope to hear from you very soon
108 Andrey March 29, 2012 at 4:26 am
Thank You!
109 AnomyII April 15, 2012 at 5:33 pm
Wow, default Googly searches should have a date filter, since everything is on the indelible web, that it resurrected such an old post as first hit? OK fine Ill play
While anomie might be offended by a few f**ks and god****ns where *HES* from, I live in NYC and F**K! is no more a curse word than OW! or CUT IT OUT!
people do not even bother stopping their 4 year olds from saying it. Its lost all vulgarity here, and is completely acceptable in the business world too, well unless
youre doing I.T. work for a church organization. Maybe.
The point is, you say you dont listen because you feel cussing is childish, Id like to point out that good information is good information no matter how its
delivered. Censoring someone elses speech because it offends you? So when did you join the Republican party?
PS: Your reference is a bit dated, mate. Sailor? Who the hell sails anymore besides the Chinese? Im guessing youve never been in a dockside bar anyway, since that
world must offend your sensibilities! (Im kidding) You want to hear a stream of profanity to make that proverbial sailor blush, engage an NYPD officer in
conversation. :)
----
I would also like to point out that #10, random password example, that your script only uses A-Z, a-z, 0-9 while uw8CnDVMwC6vOKgW is pretty complex for
a brute force attempt on a connection-limited server, that could be brute forced in our everyone has <50Mbit connections" world very quickly, where the addition of
even a single ! or ? would send the brute force routine's runtime an order of magnitude higher.
It's a moot point anyway, NO ONE is going to memorize a random password. It's a Bad Idea(TM). If they bothered memorizing a random string, chances are that
after they did so, they would n e v e r change it, and what's worse in this scenario? If you're this paranoid about security, you're a canidate for a one-time-password
setup and a SecurID key fob.
110 Skaperen April 16, 2012 at 7:41 pm
I dont agree with There is no need to login as root via ssh over a network but neither do I agree with Bobs reasoning, either. The argument I heard was it allowed
each admin to have their own root login, and avoided everyone having to get a new shared root password when one of them leaked or quit. But SSH keys, which are
http://www.cyberciti.biz/tips/linux-unix-bsd-openssh-server-best-practices.html
Page 6 of 10
7/9/12 7:23 PM
more secure, avoided that. So I disallow PASSWORD access to root and require keys only.
Logging directly in as root has advantages, like making sure rsync-over-ssh can back up the system when it originates from the backup servers.
111 undermined April 26, 2012 at 4:29 pm
In my opinion it comes down to knowing what you are trying to protect. If your system needs any level of protection, then you need full auditability. Remote logins
directly to the root user (or any other privileged user) prevent adequate accountability. Yes, one can argue that PK authentication is stronger than PW authentication
but Ive never known a user to change the PK, whereas all of my users are required to change their passwords regularily. We all know that security is a process and
that having layers is an important aspect of defending a system from the onslaught of attacks out there (and the new ones coming out hourly). It is much harder for a
server to verify that the PK used to authenticate is pass-phrase protected; this is where the last argument breaks down for me. As someone who is responsible for the
security of a server, I cant control what tools or configurations the client-side has/uses. I agree that allowing admins to login and sudo su - using their own
passwords is a convenience and an attempt at balancing the use of the root password. We do many things in my environment, which is fairly large (over 6,500
midrange systems): 1. We have a local, non-privileged account to allow remote SSH logins when LDAP/Kerberos are unavailable. 2. We limit the use of the su
binary to members of a specific group (root:trusted, 4550). 3. The account listed in #1 is a member of the appropriate group so that it can execute the su binary. 4.
All admins have to change their passwords at least every 30 days. 5. All non-admins have to change their passwords at least every 90 days. 6. All password changes
are verified through crack to ensure strong password are selected. 7. We use TCPWrappers to limit the connectivity to the servers from specific SSH gateway
servers for regular users. We allow admins to connect directly because we have a dedicated subnet on the LAN where the admins workstations are, inside a locked
room with physical access controls. 8. We run auditd on the SSH gateway servers to log all commands. We run auditd on the servers to log all root commands that
have an assigned terminal (only some systems, especially regulated systems, require logging all commands, including those without an assigned terminal, such as
cron jobs, etc). 9. Physical access to the raised-floor is limited. 10. Access to the serial console is done through an iLO connection with authentication to the Active
Directory system so root logins on the console are still attributable to an individual (and one from a different authentication subsystem). 11. All logs are centralized
to log proxy servers and then forwarded to an appliance that ensures 2 years of off-site, non-modifiable logs.
When we patch our systems (roughly 1 admin to 350-400 systems), we use tools for doing this efficiently. We do not expect an admin to login to each server
manually and run a command, either as the root user directly or by use of sudo su -. This just wouldnt work in a large environment. The use of tools for this specific
purpose, and one that is done monthly at that, was well justified. It just doesnt make sense to use the patching need to justify the lessening of the security posture,
especially in a large environment, where the purchase of a tool is more efficient, doesnt require the lessening of security, and has a faster ROI, especially in a large
environment.
If you dont know what you are trying to secure, and you cant account for every action on the host, then you ultimately dont have adequate security, imho. There
are definately some challenges that arise in larger environments that home operations dont usually encounter but you are also far more likely to need a stronger
security posture in said larger environment than in the home operation.
Two-factor authentication is your friend, as is education and enforcement, where possible, such as with pam_crack to ensure strong passwords.
Just my $0.02
112 Lucas Dohring April 28, 2012 at 9:15 pm
An alternative for generating passwords is:
alias genpasswd='dd if=/dev/urandom count=1 bs=$1 2> /dev/null | ascii85 -n'
http://www.cyberciti.biz/tips/linux-unix-bsd-openssh-server-best-practices.html
Page 7 of 10
7/9/12 7:23 PM
You can use these HTML tags and attributes for your code and commands: <strong> <em> <ol> <li> <u> <ul> <blockquote> <pre> <a href="" title="">
Notify me of followup comments via e-mail.
Security Question:
What is 10 + 10 ?
Solve the simple math so we know that you are a human and not a bot.
Submit
Tagged as: /etc/rssh.conf, /etc/ssh/sshd_conf, openssh, openssh brute Force Attack, openssh security, ssh server security, sshd, sshd check error, sshd chroot, sshd Chroot Directory, sshd stop Brute Force Attack
http://www.cyberciti.biz/tips/linux-unix-bsd-openssh-server-best-practices.html
Page 8 of 10
7/9/12 7:23 PM
nixCraft on Facebook
Like
22,054 people like nixCraft.
Citra
Virendra
Delfryanto Muhammad
Hirzan
Bhargav
Geno
Related Posts
Happy 8th Birthday, OpenSSH!
Download of the Day: OpenSSH Server 5.0 ( security fix release )
Download Of The Day: OpenSSH 5.1
Secure communication with Kerberized OpenSSH on AIX using Windows Kerberos service
Howto improve ssh session performance by reusing an existing connection to a remote openssh server
2004-2012 nixCraft. All rights reserved. Cannot be reproduced without written permission.
Privacy Policy | Terms of Service | Questions or Comments | Copyright Info | Sitemap
http://www.cyberciti.biz/tips/linux-unix-bsd-openssh-server-best-practices.html
Page 9 of 10
http://www.cyberciti.biz/tips/linux-unix-bsd-openssh-server-best-practices.html
7/9/12 7:23 PM
Page 10 of 10