SSH hardening on Linux Servers

SSH server configuration file is located in /etc/ssh/sshd_conf. You need to restart the SSH service after every change you make to that file in order for changes to take effect.

Change SSH listening port

By default, SSH listens for connections on port 22. Attackers use port scanner software to see whether hosts are running an SSH service. It’s wise to change the SSH port to a number higher than 1024 because most port scanners (including nmap) by default don’t scan high ports.

Open the /etc/ssh/sshd_config file and look for the line that says:

Port 22

Change the port number and restart the SSH service:

/etc/init.d/ssh restart

 Allow only SSH protocol 2

There are two versions of the SSH protocol. Using SSH protocol 2 only is much more secure; SSH protocol 1 is subject to security issues including man-in-the-middle and insertion attacks. Edit /etc/ssh/sshd_config and look for the line that says:

Protocol 2,1

Change the line so it says only protocol 2.

 Allow only specific users to log in via SSH

You should not permit root logins via SSH, because this is a big and unnecessary security risk. If an attacker gains root login for your system, he can do more damage than if he gains normal user login. Configure SSH server so that root user is not allowed to log in. Find the line that says:

PermitRootLogin yes

Change yes to no and restart the service. You can then log in with any other defined user and switch to user root if you want to become a superuser.

It is wise to create a dummy local user with absolutely no rights on the system and use that user to login into SSH. That way no harm can be done if the user account is compromised. When creating this user, make sure it’s in the wheel group, so that you can switch to superuser.

If you would like to have a list of users who are the only ones able to log in via SSH, you can specify them in the sshd_config file. For example, let’s say I want to allow users alex, shaun, and pete to log in via SSH.

At the end of sshd_config file  add a line like this:

AllowUsers  alex shaun pete

Create a custom SSH banner

If you would like any user who connects to your SSH service to see a specific message, you can create a custom SSH banner. Simply create a text file (in my example in /etc/ssh-banner.txt) and put any kind of text message in it; for example:

*This is a private SSH service. You are not supposed to be here.*
*Please leave immediately. *

When done editing, save the file. In the sshd_conf file, find a line that says:

#Banner /etc/

Uncomment the line and change the path to your custom SSH banner text file.

Using DSA public key authentication

Instead of using login names and passwords for SSH authentication, you can use DSA public keys for authentication. Note that you can have both login names and DSA public key authentication enabled at the same time. Having a DSA public keys authentication enabled makes your system bulletproof against dictionary attacks, because you don’t need a login name and password to log in into SSH service.

Instead, you need a pair of DSA keys — one public and one private. You keep the private key on your machine and copy the public key to the server. When you want to log in to an SSH session, the server checks the keys, and if they match, you are dropped into the shell. If the keys don’t match, you are disconnected.

In this example the private machine  is station1 and the server machine is server1. On both machines I have the same home folder; this won’t work if the home folders are different on client and server machine. First you need to create a pair of keys on your private machine with the command

~$ ssh-keygen -t dsa.

You’ll be prompted for a pass-phrase for your private key, but you can leave it blank because this is not a recommended method. A key pair is generated: your private key is located in ~/.ssh/id_dsa and your public key is located in .ssh/

Next, copy the contents of ~/.ssh/ to server1 into the ~/.ssh/authorized_keys file.

If the file ~/.ssh/authorized_keys already exists, append the contents of the file ~/.ssh/ to the file ~/.ssh/authorized_keys on server1. The only thing left to do is to set the correct permissions of ~/.ssh/authorized_keys file on server1:

~$ chmod 600 ~/.ssh/authorized_keys

Now, configure the sshd_conf file to use the DSA keys authentication. Make sure you have the following three lines uncommented:

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys

Restart the service. If you configured everything correctly, you should now be able to SSH to your server and fall directly into your home folder without any interaction.

If you would like to use DSA authentication only, make sure you uncomment and change the PasswordAuthentication line in sshd_config from yes to no:

PasswordAuthentication no

If anyone tries to connect to your SSH service and doesn’t have a public key on the server, he will be rejected without even seeing the login prompt with this error:

Permission denied (publickey).

Using TCP wrappers to allow only specific hosts to connect

This approach is useful if you would like to allow only specific hosts on a network to be able to connect to your SSH service, but you don’t want to use or mess up your iptables configuration. Instead, you can use TCP wrappers; in this case the sshd TCP wrapper.

For E.g.  make a rule to allow only hosts on local subnet and remote host to connect to  SSH service.

By default TCP wrappers first look in the /etc/hosts.deny file to see what hosts are denied for what service. Next, TCP wrapper looks in /etc/hosts.allow file to see if there are any rules that would allow hosts to connect to a specific service. Create a rule like this in /etc/hosts.deny:

sshd: ALL

This means that by default all hosts are forbidden to access the SSH service. This needs to be here, otherwise all hosts would have access to the SSH service, since TCP wrappers first looks into hosts.deny file and if there is no rule regarding blocking SSH service, any host can connect.

Next, create a rule in /etc/hosts.allow to allow only specific hosts  to use the SSH service:

sshd: 192.168.1

Now only hosts from the network and the host can access the SSH service. All other hosts are disconnected before they even get to the login prompt, and receive an error like this:

ssh_exchange_identification: Connection closed by remote host

Using iptables to allow only specific hosts to connect

An alternative to TCP wrappers  is limiting SSH access with iptables. Here’s a simple example of how you can allow only a specific host to connect to your SSH service:

~# iptables -A INPUT -p tcp -m state –state NEW –source –dport 22 -j ACCEPT

And make sure no one else has access to SSH service:

~# iptables -A INPUT -p tcp –dport 22 -j DROP

Save your new rules and you’re all done.

 SSH time-lock tricks

You can also use different iptables parameters to limit connections to the SSH service for specific time periods. You can use the /second, /minute, /hour, or /day switch in any of the following examples.

In the first example, if a user enters the wrong password, access to the SSH service is blocked for one minute, and the user gets only one login try per minute from that moment on:

~# iptables -A INPUT -p tcp -m state –syn –state NEW –dport 22 -m limit –limit 1/minute –limit-burst 1 -j ACCEPT
~# iptables -A INPUT -p tcp -m state –syn –state NEW –dport 22 -j DROP

In  second example, iptables are set to allow only host to connect to the SSH service. After three failed login tries, iptables allows the host only one login try per minute:

~# iptables -A INPUT -p tcp -s -m state –syn –state NEW –dport 22 -m limit –limit 1/minute –limit-burst 1 -j ACCEPT
~# iptables -A INPUT -p tcp -s -m state –syn –state NEW –dport 22 -j DROP


About Manish Jha

Hi All I am Manish Kumar Jha aka Alex Hunt. I am currently working in VMware Software India Pvt Ltd as Operations System Engineer (vCloud Air Operations). I have around 5 Years of IT experience and have exposure on VMware vSphere, vCloud Director, RHEL and modern data center technologies like Cisco UCS and Cisco Nexus 1000v and NSX. If you find any post informational to you please press like and share it across social media and leave your comments if you want to discuss further on any post. Disclaimer: All the information on this website is published in good faith and for general information purpose only. I don’t make any warranties about the completeness, reliability and accuracy of this information. Any action you take upon the information you find on this blog is strictly at your own risk. The Views and opinions published on this blog are my own and not the opinions of my employer or any of the vendors of the product discussed.
Aside | This entry was posted in Linux/CentOS. Bookmark the permalink.

4 Responses to SSH hardening on Linux Servers

  1. I have previously been examinating away some of your tales and it really is quite excellent stuff. I will certainly bookmark your weblog.


  2. Pingback: bottes grises compensées

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s