Difference between revisions of "Increase the security of SSH"
| Line 1: | Line 1: | ||
| + | <br />This article has been created by an automatic translation software. You can view the article source [[:fr:Accroître la sécurité de SSH|here]].<br /><span data-translate="fr"></span><br /> | ||
<span data-link_translate_he_title="להגביר את האבטחה של SSH" data-link_translate_he_url="%D7%9C%D7%94%D7%92%D7%91%D7%99%D7%A8+%D7%90%D7%AA+%D7%94%D7%90%D7%91%D7%98%D7%97%D7%94+%D7%A9%D7%9C+SSH"></span>[[:he:להגביר את האבטחה של SSH]][[he:להגביר את האבטחה של SSH]] | <span data-link_translate_he_title="להגביר את האבטחה של SSH" data-link_translate_he_url="%D7%9C%D7%94%D7%92%D7%91%D7%99%D7%A8+%D7%90%D7%AA+%D7%94%D7%90%D7%91%D7%98%D7%97%D7%94+%D7%A9%D7%9C+SSH"></span>[[:he:להגביר את האבטחה של SSH]][[he:להגביר את האבטחה של SSH]] | ||
<span data-link_translate_ro_title="Creşte securitatea SSH" data-link_translate_ro_url="Cre%C5%9Fte+securitatea+SSH"></span>[[:ro:Creşte securitatea SSH]][[ro:Creşte securitatea SSH]] | <span data-link_translate_ro_title="Creşte securitatea SSH" data-link_translate_ro_url="Cre%C5%9Fte+securitatea+SSH"></span>[[:ro:Creşte securitatea SSH]][[ro:Creşte securitatea SSH]] | ||
| Line 11: | Line 12: | ||
<span data-link_translate_pt_title="Aumentar a segurança do SSH" data-link_translate_pt_url="Aumentar+a+seguran%C3%A7a+do+SSH"></span>[[:pt:Aumentar a segurança do SSH]][[pt:Aumentar a segurança do SSH]] | <span data-link_translate_pt_title="Aumentar a segurança do SSH" data-link_translate_pt_url="Aumentar+a+seguran%C3%A7a+do+SSH"></span>[[:pt:Aumentar a segurança do SSH]][[pt:Aumentar a segurança do SSH]] | ||
<span data-link_translate_es_title="Aumentar la seguridad de SSH" data-link_translate_es_url="Aumentar+la+seguridad+de+SSH"></span>[[:es:Aumentar la seguridad de SSH]][[es:Aumentar la seguridad de SSH]] | <span data-link_translate_es_title="Aumentar la seguridad de SSH" data-link_translate_es_url="Aumentar+la+seguridad+de+SSH"></span>[[:es:Aumentar la seguridad de SSH]][[es:Aumentar la seguridad de SSH]] | ||
| − | <span data- | + | <span data-link_translate_en_title="Increase the security of SSH" data-link_translate_en_url="Increase+the+security+of+SSH"></span>[[:en:Increase the security of SSH]][[en:Increase the security of SSH]] |
| − | + | Once this is possible, it is recommended to change the default identifiers and the default ports of critical services. | |
| − | |||
| − | + | About SSH, land's see some elements that will strengthen the security of this service. | |
| − | + | Dans le cadre de la rédaction de cet article, nous nous sommes basés sur une distribution de type Debian Jessie. Suivant celle en place sur votre {{Template:Serveur}}, la configuration peut être amenée à changer. Il faudra, par conséquent, adapter à vos besoins. | |
| − | + | By default, to connect in SSH, you must establish a connection on port 22. Change this port can already protect you from many attacks by brute-force. | |
| + | Si vous souhaitez utiliser SSH sur un autre port que celui par défaut, il vous faudra donc modifier ''Port 22'' par ''Port 55555'' in the file ''/etc/ssh/sshd_config''. | ||
| − | |||
| − | + | In order to make brute-force attacks less effective, you can also disable SSH connection through the root account. It will therefore have one user other than the default account and proceed with an elevation of privileges from this account to have administrator rights. | |
| − | + | On va donc passer l'option associée de ''PermitRootLogin yes'' à ''PermitRootLogin no'' et déclarer les utilisateurs autorisés à se connecter. Pour autoriser l'utilisateur ''ikoula'' à se connecter in SSH, il faudra donc ajouter la ligne suivante in the file de configuration : ''AllowUsers ikoula'' | |
| − | + | Si au delà de deux minutes les informations de connexion ne sont pas saisies lors d'une connexion en SSH à votre {{Template:Serveur}}, la connexion est coupée. | |
| + | This period may be revised downward (following the latency and the stability of your connection, of course). | ||
| + | Trente secondes peuvent être suffisantes. Afin de modifier cette valeur, nous allons modifier le paramètre ''LoginGraceTime''. | ||
| + | Nous allons donc maintenant modifier la ligne ''LoginGraceTime 120'' par ''LoginGraceTime 30'' dans le fichier ''/etc/ssh/sshd_config''. | ||
| − | + | We will now change the algorithms used by SSH to limit usage to some by adding two additional lines in the SSH service configuration file : | |
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | We will now | ||
<code> | <code> | ||
| Line 51: | Line 48: | ||
| − | Debian by default always adds a character string to the SSH banner. To put it simply, if | + | Debian by default always adds a character string to the SSH banner. To put it simply, if perform you a telnet to your {{Template:Serveur}} (Telnet IP_SERVER 22), here's what you get : |
<code> | <code> | ||
| Line 58: | Line 55: | ||
| − | So let's turn this behavior | + | So let's turn off this behavior in order to no longer display the name of our distribution : |
<code> | <code> | ||
| Line 65: | Line 62: | ||
| − | Now, let's get this | + | Now, let's get this : |
<code> | <code> | ||
| Line 72: | Line 69: | ||
| − | + | Changes are complete, so let's restart the service for the changes to be effective : | |
<code> | <code> | ||
| Line 79: | Line 76: | ||
| − | + | You can also implement the restriction by IP address for your SSH service (If your {{Template:Serveur}} is not already behind a firewall for example or your iptables rules do not already the necessary). | |
| − | We will therefore prohibit SSH connections to everyone and put an exception for our IP addresses | + | We will therefore prohibit SSH connections to everyone and put an exception for our IP addresses : |
<code> | <code> | ||
| Line 91: | Line 88: | ||
| − | Thus, only the IP addresses | + | Thus, only the IP addresses ''12.34.56.78'' et ''98.76.54.32'' will be allowed to connect to vote {{Template:Serveur}} en SSH (Replace with the appropriate, IP addresses of course). |
| − | Alternatively, you can implement authentication by | + | Alternatively, you can implement authentication by Exchange of keys if you wish. |
[[Category:Dedicated_server]] | [[Category:Dedicated_server]] | ||
[[Category:Linux]] | [[Category:Linux]] | ||
| − | |||
<br /> | <br /> | ||
<comments /> | <comments /> | ||
Revision as of 16:24, 8 February 2017
This article has been created by an automatic translation software. You can view the article source here.
he:להגביר את האבטחה של SSH
ro:Creşte securitatea SSH
ru:Повысить безопасность SSH
pl:Zwiększenie bezpieczeństwa SSH
ja:SSH のセキュリティを高める
ar:زيادة أمان SSH
zh:提高 SSH 的安全性
de:Erhöhen Sie die Sicherheit von SSH
nl:Verhoging van de veiligheid van SSH
it:Aumentare la sicurezza di SSH
pt:Aumentar a segurança do SSH
es:Aumentar la seguridad de SSH
en:Increase the security of SSH
Once this is possible, it is recommended to change the default identifiers and the default ports of critical services.
About SSH, land's see some elements that will strengthen the security of this service.
Dans le cadre de la rédaction de cet article, nous nous sommes basés sur une distribution de type Debian Jessie. Suivant celle en place sur votre Server, la configuration peut être amenée à changer. Il faudra, par conséquent, adapter à vos besoins.
By default, to connect in SSH, you must establish a connection on port 22. Change this port can already protect you from many attacks by brute-force.
Si vous souhaitez utiliser SSH sur un autre port que celui par défaut, il vous faudra donc modifier Port 22 par Port 55555 in the file /etc/ssh/sshd_config.
In order to make brute-force attacks less effective, you can also disable SSH connection through the root account. It will therefore have one user other than the default account and proceed with an elevation of privileges from this account to have administrator rights.
On va donc passer l'option associée de PermitRootLogin yes à PermitRootLogin no et déclarer les utilisateurs autorisés à se connecter. Pour autoriser l'utilisateur ikoula à se connecter in SSH, il faudra donc ajouter la ligne suivante in the file de configuration : AllowUsers ikoula
Si au delà de deux minutes les informations de connexion ne sont pas saisies lors d'une connexion en SSH à votre Server, la connexion est coupée.
This period may be revised downward (following the latency and the stability of your connection, of course).
Trente secondes peuvent être suffisantes. Afin de modifier cette valeur, nous allons modifier le paramètre LoginGraceTime.
Nous allons donc maintenant modifier la ligne LoginGraceTime 120 par LoginGraceTime 30 dans le fichier /etc/ssh/sshd_config.
We will now change the algorithms used by SSH to limit usage to some by adding two additional lines in the SSH service configuration file :
echo "Ciphers aes256-ctr,aes192-ctr,aes128-ctr" >> /etc/ssh/sshd_config
echo "MACs hmac-ripemd160" >> /etc/ssh/sshd_config
Debian by default always adds a character string to the SSH banner. To put it simply, if perform you a telnet to your Server (Telnet IP_SERVER 22), here's what you get :
SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u2
So let's turn off this behavior in order to no longer display the name of our distribution :
echo "DebianBanner no" >> /etc/ssh/sshd_config
Now, let's get this :
SSH-2.0-OpenSSH_6.7p1
Changes are complete, so let's restart the service for the changes to be effective :
systemctl restart ssh.service
You can also implement the restriction by IP address for your SSH service (If your Server is not already behind a firewall for example or your iptables rules do not already the necessary).
We will therefore prohibit SSH connections to everyone and put an exception for our IP addresses :
echo "sshd: ALL" >> /etc/hosts.deny
echo "sshd: 12.34.56.78, 98.76.54.32" >> /etc/hosts.allow
Thus, only the IP addresses 12.34.56.78 et 98.76.54.32 will be allowed to connect to vote Server en SSH (Replace with the appropriate, IP addresses of course).
Alternatively, you can implement authentication by Exchange of keys if you wish.
Enable comment auto-refresher