SSH is a remote administration tool commonly used on UNIX-like operating systems. In this howto I will show you how to install the SSH daemon and harden it against some common forms of attack. For this howto I will use the Debian Linux version of SSH. If you use another UNIX-like operating system, make sure to change the file paths accordingly. I will also use the nano text editor to change files; if you would rather use another editor, feel free to do so.
First log in to your box as root and install the OpenSSH-server package. In Debian you can do this with the following command. If you already have SSH installed you can skip this step.
aptitude install openssh-server
After the installation of the SSH daemon I usually change my system configuration so that only users in a certain group can use the su command. This is not a security measure specific to SSH, but I think it is a good idea to prevent normal users from using the su command if you intend to give a lot of users shell access to your box. If you do not care about normal users being able to use su, feel free to skip this step.
Open the following file ‘/etc/pam.d/su’
nano /etc/pam.d/su
Find the following line
#auth required pam_wheel.so
And change it to
auth required pam_wheel.so
Note that we only uncommented the line. Save and close the file.
Next we will make sure that the SSH client that came as a dependency of the OpenSSH server does not use the insecure SSH1 protocol to connect to remote hosts. The configuration of the SSH client is located in the following file ‘/etc/ssh/ssh_config’.
nano /etc/ssh/ssh_config
Find the following line
# Protocol 2, 1
And change it to
Protocol 2
Now save and close the file.
Now the real work begins: we will start hardening the SSH daemon itself. But before we go to the configuration file we have some preparation to do. We will add a group to the system called ‘wheel’. Historically, UNIX-like systems have used the wheel group for SSH access; I will honor this and use the wheel group as well. We will also create the user ‘demo’ and give him the rights to use SSH to log in to our box. Later on we will configure the SSH daemon so that only users in the wheel group can connect through SSH.
First we will add the wheel group to our system.
groupadd wheel
Then we will add the user ‘demo’ and give it a password. Feel free to rename the user to whatever you prefer.
useradd demo
passwd demo
If you want to give the user a home directory and give him ownership to it do the following.
mkdir /home/demo
chown -R demo:demo /home/demo
Now we will add the user demo to the wheel group. If we do not do this, the user will have no rights to connect through SSH once we are done with this article and will not be able to use the su command.
usermod -a -G wheel demo
Now we are ready to open the SSH daemon configuration file and make some changes to it. The configuration file is located at ‘/etc/ssh/sshd_config’.
nano /etc/ssh/sshd_config
We will now limit SSH access to the wheel group only. Add the following to the top of the file.
# Allow only specific groups to login through SSH
AllowGroups wheel
If you want more groups to be able to use SSH add them after wheel and separate groups with spaces.
Now find the following lines in the configuration file
# ListenAddress 0.0.0.0
LoginGraceTime 120
PermitRootLogin yes
X11Forwarding yes
#Banner /etc/issue.net
UsePAM yes
And change them to the following. Comments in sshd_config start with ‘#’ and go on their own line; they are only there to explain each setting.
# let SSH listen on a specific IP address
ListenAddress <youripaddresshere>
# number of seconds a client has to authenticate before the server closes the connection
LoginGraceTime 30
# disable root login
PermitRootLogin no
# disable X11 (GUI) forwarding
X11Forwarding no
# enables you to display a message to users
Banner /etc/issue.net
# disable PAM
UsePAM no
Make sure to replace ‘<youripaddresshere>’ with the real IP address you want the SSH daemon to listen on.
At the end of the file add the following
# Disable DNS
UseDNS no
# Disable TCP forwarding
AllowTcpForwarding no
# Set the maximum number of authentication tries
MaxAuthTries 2
Save and close the file.
The last thing we have to do is change the SSH banner. This is a text file that SSH will display when users log in through SSH. You might have noticed that we uncommented the line ‘Banner /etc/issue.net’; we will now change this file so that it displays a message of your preference to users that are logging in remotely.
nano /etc/issue.net
You can put any message you want in this file. If you do not want to display a message to users, keep the file empty or do not remove the ‘#’ in front of ‘Banner /etc/issue.net’. After you are done with your message, save and close the file.
That's it. The only thing left to do now is restart the SSH daemon so the changes take effect. Remember though that after you restart SSH, the root user and any other user that is not a member of the wheel group will be denied access through SSH! To restart SSH use the following command.
/etc/init.d/ssh restart
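Before restarting it is worth checking that the directives from this howto are really the ones sshd will use: sshd honours the first occurrence of a keyword and silently ignores later duplicates, so a setting appended at the end of the file may never take effect. The script below is an added example, not part of the original howto; it audits a config file for the settings above against a constructed sample (the file name and the ‘<unset>’ marker are my own choices).

```sh
# Added example, not part of the original howto: audit an sshd_config for the
# directives set above. sshd honours the FIRST occurrence of a keyword and
# compares keywords case-insensitively, so the check mirrors both rules.
# effective_value FILE KEYWORD: print the value sshd would use (empty if unset)
effective_value() {
    awk -v key="$2" 'BEGIN { key = tolower(key) }
        $1 ~ /^#/ || NF < 2    { next }             # skip comments and blank lines
        tolower($1) == "match" { exit }             # directives after Match are conditional
        tolower($1) == key     { print $2; exit }   # first occurrence wins
    ' "$1"
}
# audit_sshd_config FILE: one OK/FAIL line per directive, returns the FAIL count
audit_sshd_config() {
    fails=0
    for pair in AllowGroups=wheel PermitRootLogin=no X11Forwarding=no \
                LoginGraceTime=30 UsePAM=no UseDNS=no \
                AllowTcpForwarding=no MaxAuthTries=2; do
        keyword=${pair%%=*}; want=${pair#*=}
        got=$(effective_value "$1" "$keyword")
        if [ "$got" = "$want" ]; then
            printf 'OK   %s %s\n' "$keyword" "$got"
        else
            printf 'FAIL %s got=%s want=%s\n' "$keyword" "${got:-<unset>}" "$want"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}
# write_sample_config FILE: constructed sample, edited as the howto says except
# that 'PermitRootLogin no' was appended at the end instead of edited in place
write_sample_config() {
    cat > "$1" <<'EOF'
AllowGroups wheel
PermitRootLogin yes
x11forwarding no
LoginGraceTime 30
UsePAM no
#Banner /etc/issue.net
UseDNS no
AllowTcpForwarding no
MaxAuthTries 2
PermitRootLogin no
EOF
}
sample=$(mktemp)
write_sample_config "$sample"
audit_sshd_config "$sample"; echo "failures: $?"   # 1: PermitRootLogin got=yes
rm -f "$sample"
```

Also run ‘sshd -t’ before the restart: it parses the real configuration file and reports syntax errors, which this script does not check for.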