SSH Security Ramblings

SSH, the Secure Shell, isn’t that secure out of the box. Unless you run it behind a Layer 7 firewall or an enhanced security daemon like cPanel’s cPHulk, the default config on its own isn’t secure.

What can you do?

First we can look at the default config that comes with certain Linux versions.

Use /etc/hosts.allow and /etc/hosts.deny to control, at a basic level, who can and can’t access your server (sshd honours these files only when it is built with TCP Wrappers support). Perfect if you always connect to your server from the same IPs.

If your IP changes, then /etc/hosts.allow and /etc/hosts.deny aren’t much use. Consider using public/private key pairs and/or disabling root access. If you can’t do either, use secure passwords that cannot be brute forced: 8 plus characters, mixed-case and alphanumeric.

Better still, you can use iptables to permit or deny access to port 22.

Root access isn’t allowed by default in some versions of Linux that make heavy use of sudo, such as Ubuntu.

We use a lot of CentOS servers where root is allowed. Consider changing the #PermitRootLogin yes line in your sshd_config config file (uncomment it and set it to PermitRootLogin no).

Run an enhanced security daemon like cPanel’s cPHulk, or BFD from R-FX Networks. BFD is a modular shell script that parses application logs and checks for authentication failures.

Make sure you are only using version 2 of the protocol: set Protocol 2 in sshd_config.

Got a server with multiple IPs? Consider listening on a single IP that isn’t your web or FTP server. Use the ListenAddress directive in your sshd_config: the default, ListenAddress 0.0.0.0, binds to every address, so replace it with the one IP you want sshd on. This is a requirement if you are aiming for PCI compliance.

Other thoughts? Security through obscurity? Change the default port? Change #Port 22 in your config.
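As an added example (not part of the original post), here is a small POSIX shell audit that checks an sshd_config for the four directives discussed above: PermitRootLogin, Protocol, ListenAddress and Port. It assumes a flat config file without Match blocks and uses the CentOS defaults named above (root login allowed, listening on 0.0.0.0, port 22) when a directive is absent or only present as a commented line.

```shell
#!/bin/sh
# Audit an sshd_config against the settings discussed above.
# Prints one FINDING line per weak or default setting and returns 1 if any were found.
# Usage: audit_sshd_config /etc/ssh/sshd_config

# effective_value FILE KEY DEFAULT
# sshd honours the first uncommented occurrence of a keyword; a "#Key value" line only
# documents the compiled-in default, so it is ignored and DEFAULT is returned instead.
# (Assumption: no Match blocks, which this simple grep would not scope correctly.)
effective_value() {
    _v=$(grep -i "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 | awk '{print $2}')
    if [ -n "$_v" ]; then printf '%s\n' "$_v"; else printf '%s\n' "$3"; fi
}

audit_sshd_config() {
    _cfg=$1
    _rc=0
    # Root login: the CentOS default is yes (the commented "#PermitRootLogin yes" line).
    _root=$(effective_value "$_cfg" PermitRootLogin yes)
    case "$_root" in
        [Nn][Oo]) ;;
        *) echo "FINDING: PermitRootLogin is '$_root'; set 'PermitRootLogin no'"; _rc=1 ;;
    esac
    # Protocol: anything other than exactly "2" admits, or risks admitting, SSH-1.
    _proto=$(effective_value "$_cfg" Protocol unset)
    if [ "$_proto" != "2" ]; then
        echo "FINDING: Protocol is '$_proto'; set 'Protocol 2'"; _rc=1
    fi
    # ListenAddress: unset, 0.0.0.0 or :: means sshd binds to every interface.
    _listen=$(effective_value "$_cfg" ListenAddress 0.0.0.0)
    case "$_listen" in
        0.0.0.0|::|'[::]'*) echo "FINDING: ListenAddress is '$_listen' (all interfaces); bind to one IP"; _rc=1 ;;
    esac
    # Port: the default 22 is not a weakness in itself, so report it without failing.
    _port=$(effective_value "$_cfg" Port 22)
    [ "$_port" = "22" ] && echo "NOTE: Port is 22 (default)"
    return $_rc
}
```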

Author: Kieran Barnes

Kieran is a PHP developer with 15 years commercial experience. Specialist in WordPress, CakePHP, CubeCart and all things PHP.
