Securing an OpenSSH server

For a while I’ve been running a publicly accessible OpenSSH server. The server needed to be secure and the server was under brute force attack (as most public ssh servers are). I wanted to make sure the server remained secure so I took some additional measures security measures.

Firstly, I looked up the settings within the server configuration file using the UNIX command “man”. This lead me to two important options for sshd_config. The first is AllowUsers and the second is PermitRootLogin.

AllowUsers defines which users are permitted to login via ssh. Most login attempts which are based on brute force tactics use common usernames and service usernames. Setting this option up means that login to service accounts is not possible (if for whatever reason they have a password) and means that if you have user accounts which you don’t want being used remotely then you can prevent them from doing so. The list of usernames is space delimited.

AllowGroups is a similar setting which uses groups rather than users. You could create a group, such as RemoteUsers and add all users which need access access to the group. This could be useful if you have a large number of user accounts which you want to give SSH access to but don’t want to manage the users via the sshd_config file. As I only have a few users, I didn’t use this setting.

PermitRootLogin defines if root is allowed to login over ssh or not. I don’t like having root accessible over ssh, and it’s not necessary in my opinion. So I set the option to no (in fact root login is disabled entirely but that’s another story).

Next, I setup permissions on my home folder, by default the folder is world readable, this isn’t a very secure setup as if one account is compromised they can few all files and folders of the other users. I set the folder to be user readable and writable only. This allowed me to enable Public Key login, which is more secure than password based logon and allows for additional restrictions to be placed on logins.

I wanted to ensure that users couldn’t attempt to brute force the accounts which were allowed to login in a reasonable time frame. I had heard about a program called fail2ban which will ban users for a limited amount of time after several failed login attempts, so I installed and enabled it.

As an important note, for these measures to be of any use the users must have strong passwords. A protected system with poor passwords is a far to easy target. If all your users use PublicKey authentication you can disable password based logins. To do this set PasswordAuthentication to no.

Lastly, I wanted to make sure I could monitor the system. The program called logwatch allows aggregation of log information into a readable and useful report about activity over the last 24 hours. This report allows me to monitor the system and check that there are no issues. You can setup LogWatch to mail you with the report.

Leave a Reply