Part 6: Harden sshd

If you must expose SSH to the internet, these are some of the precautions you can take to harden sshd against attack.

1) Configure sshd

vim /etc/ssh/sshd_config
#move the listener to a non-standard port. This cuts the log noise from bots that only scan 22; it is obscurity, not a control, so do not rely on it:
Port 62053
#only allow SSH2. Server-side SSH1 support was removed in OpenSSH 7.4, so current versions ignore this line and it can be dropped:
Protocol 2
#do not allow direct root login:
PermitRootLogin no
#limit concurrent unauthenticated connections. MaxStartups 2 allows two at a time (the full form is start:rate:full; the first number is the one that matters here):
MaxStartups 2
#keep unauthenticated clients attached for up to 1000 seconds (tarpit; use together with pam_faildelay.so in /etc/pam.d/sshd, see 2). Trade-off: with MaxStartups 2, two held-open connections block every new login for up to 1000 seconds, so either pair a long grace time with a larger MaxStartups or accept that exposure:
LoginGraceTime 1000
#disallow password logins, relying only on keys in ~/.ssh/authorized_keys. Note that PAM can still prompt for a password over keyboard-interactive unless ChallengeResponseAuthentication (renamed KbdInteractiveAuthentication in OpenSSH 8.7, old name kept as an alias) is also set to no:
PasswordAuthentication no
#NOTE: ServerKeyBits only ever sized the ephemeral SSH1 server key. It has no effect on SSH2, and OpenSSH 7.4 and later accept it with a deprecation warning and ignore it. Host key strength is fixed when the host keys are generated with ssh-keygen, not here:
ServerKeyBits 4096
#restrict user and group access. sshd evaluates DenyUsers, AllowUsers, DenyGroups, AllowGroups in that order, so when both are set a user must be user1 AND a member of group1:
AllowGroups group1
AllowUsers user1
#session liveness: probe the client after 120 seconds of silence. With ClientAliveCountMax 0, older sshd dropped the session as soon as the first probe went out, which made this an idle timeout. Since OpenSSH 8.2 the value 0 disables the disconnect entirely, and with any other value a live client simply answers the probes, so on current versions this only detects dead peers, not idle users; use 1 or more there:
ClientAliveInterval 120
ClientAliveCountMax 0
#ignore .rhosts and .shosts files:
IgnoreRhosts yes
#disallow forwarding:
AllowTcpForwarding no
X11Forwarding no
#enable StrictModes so sshd refuses keys whose files or directories have unsafe permissions (this is the default, but set it explicitly):
StrictModes yes

2) Configure PAM to increase the fail delay, so that after a wrong password the next prompt is held back for longer than pam_faildelay's default of about 2 seconds. This only affects authentication that goes through PAM (password or keyboard-interactive); public-key logins never hit it, and with PasswordAuthentication no it matters only while keyboard-interactive remains enabled:

#in /etc/pam.d/sshd add the following to the auth section (below the first line):
auth        optional      pam_faildelay.so

#with no delay= argument, pam_faildelay.so takes the delay from FAIL_DELAY in /etc/login.defs, in seconds (the module's own delay= argument would be in microseconds). For 20 seconds:
FAIL_DELAY 20
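The following audit script is an added example, not part of the original post. It parses an sshd_config the way sshd does (case-insensitive keywords, first occurrence wins, '=' or whitespace as separator, Match blocks treated as conditional) and checks it against the settings above, flagging the SSH1-only directives that current sshd ignores, ClientAliveCountMax 0, keyboard-interactive left at its default next to PasswordAuthentication no, and a small MaxStartups beside a long LoginGraceTime. Both embedded configs are constructed for the example, and the MaxStartups threshold is an assumed heuristic; sshd -T on the host remains the authoritative view of the effective configuration.

```python
"""Audit an sshd_config against this post's hardening list (added example).

Parsing follows sshd_config(5): keywords are case-insensitive, the FIRST
occurrence of a keyword wins, '=' or whitespace separates keyword and value,
and lines after a Match block are conditional, so they are not global.
"""
import re

# Constructed sample: the post's settings, pitfalls included (obsolete SSH1
# directives, ClientAliveCountMax 0, keyboard-interactive left at its default,
# a tiny MaxStartups next to a long LoginGraceTime).
SAMPLE_CONFIG = """\
Port 62053
Protocol 2
PermitRootLogin no
MaxStartups 2
LoginGraceTime 1000
PasswordAuthentication no
ServerKeyBits 4096
ClientAliveInterval 120
ClientAliveCountMax 0
IgnoreRhosts yes
AllowTcpForwarding no
X11Forwarding no
StrictModes yes
Match User backup
    PasswordAuthentication yes
"""

# Constructed corrected variant; the safe-by-default directives are left out.
FIXED_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
AllowTcpForwarding no
ClientAliveInterval 120
ClientAliveCountMax 3
MaxStartups 10:30:100
LoginGraceTime 60
"""

REQUIRED = {"permitrootlogin": "no", "passwordauthentication": "no",
            "allowtcpforwarding": "no"}        # default unsafe or version-dependent
SAFE_DEFAULTS = {"ignorerhosts": "yes", "strictmodes": "yes",
                 "x11forwarding": "no"}        # fine when absent
OBSOLETE = {"protocol", "serverkeybits", "keyregenerationinterval"}  # SSH1-only


def parse_sshd_config(text):
    """Return {keyword: value} for the global (pre-Match) section."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([A-Za-z0-9]+)\s*(?:=|\s)\s*(\S.*)", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break                        # the rest applies to matching clients only
        opts.setdefault(key, value)      # first occurrence wins, as in sshd
    return opts


def audit_sshd_config(text):
    """Return a sorted list of (keyword, message); empty means all checks pass."""
    o = parse_sshd_config(text)
    found = []
    for key, want in REQUIRED.items():
        if key not in o:
            found.append((key, "not set; relies on a version-dependent default"))
        elif o[key].lower() != want:
            found.append((key, "is %r, expected %r" % (o[key], want)))
    for key, want in SAFE_DEFAULTS.items():
        if o.get(key, want).lower() != want:
            found.append((key, "is %r, expected %r" % (o[key], want)))
    # PasswordAuthentication no does not stop PAM asking for a password over
    # keyboard-interactive (ChallengeResponseAuthentication is the older name).
    kbd = o.get("kbdinteractiveauthentication",
                o.get("challengeresponseauthentication", "yes"))
    if o.get("passwordauthentication", "").lower() == "no" and kbd.lower() != "no":
        found.append(("kbdinteractiveauthentication",
                      "left enabled; PAM password prompts remain possible"))
    for key in sorted(OBSOLETE & set(o)):
        found.append((key, "SSH1-only directive, ignored by current sshd"))
    # Before OpenSSH 8.2, ClientAliveCountMax 0 dropped the session after the
    # first probe; since 8.2 it disables the disconnect entirely.
    if o.get("clientalivecountmax") == "0":
        found.append(("clientalivecountmax",
                      "0 disables the disconnect on OpenSSH 8.2+; use 1 or more"))
    # Tarpit trade-off (assumed heuristic): few slots held for a long grace time.
    start = int(o.get("maxstartups", "10").split(":")[0])
    g = o.get("logingracetime", "120")           # seconds, or single-suffix "2m"
    grace = int(g[:-1]) * {"s": 1, "m": 60, "h": 3600}[g[-1]] if g[-1] in "smh" else int(g)
    if start < 10 and (grace == 0 or grace > 120):
        found.append(("maxstartups", "%d slots held for up to %ds each lets one "
                      "client block all new logins" % (start, grace)))
    return sorted(found)
```

Run audit_sshd_config() over the text of /etc/ssh/sshd_config to get the findings; the Match-block handling means per-user exceptions such as the backup user in the sample are not mistaken for global settings, and the first-occurrence rule means a later duplicate does not silently override an earlier hardened value.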

3) This page will grow over time, but it is by no means a definitive list. Please do further research.
