Difference between revisions of "Increase the security of SSH"

From EN Ikoula wiki
⧼vector-jumptonavigation⧽ ⧼vector-jumptosearch⧽
 
(10 intermediate revisions by one other user not shown)
Line 1: Line 1:
 +
<span data-link_translate_fr_title="Accroître la sécurité de SSH"  data-link_translate_fr_url="Accroître la sécurité de SSH"></span>[[:fr:Accroître la sécurité de SSH]][[fr:Accroître la sécurité de SSH]]
 +
<span data-link_translate_en_title="Increase the security of SSH"  data-link_translate_en_url="Increase the security of SSH"></span>[[:en:Increase the security of SSH]][[en:Increase the security of SSH]]
 +
<span data-link_translate_es_title="Aumentar la seguridad de SSH"  data-link_translate_es_url="Aumentar la seguridad de SSH"></span>[[:es:Aumentar la seguridad de SSH]][[es:Aumentar la seguridad de SSH]]
 +
<span data-link_translate_pt_title="Aumentar a segurança do SSH"  data-link_translate_pt_url="Aumentar a segurança do SSH"></span>[[:pt:Aumentar a segurança do SSH]][[pt:Aumentar a segurança do SSH]]
 +
<span data-link_translate_it_title="Aumentare la sicurezza di SSH"  data-link_translate_it_url="Aumentare la sicurezza di SSH"></span>[[:it:Aumentare la sicurezza di SSH]][[it:Aumentare la sicurezza di SSH]]
 +
<span data-link_translate_nl_title="Verhoging van de veiligheid van SSH"  data-link_translate_nl_url="Verhoging van de veiligheid van SSH"></span>[[:nl:Verhoging van de veiligheid van SSH]][[nl:Verhoging van de veiligheid van SSH]]
 +
<span data-link_translate_de_title="Erhöhen Sie die Sicherheit von SSH"  data-link_translate_de_url="Erhöhen Sie die Sicherheit von SSH"></span>[[:de:Erhöhen Sie die Sicherheit von SSH]][[de:Erhöhen Sie die Sicherheit von SSH]]
 +
<span data-link_translate_zh_title="提高 SSH 的安全性"  data-link_translate_zh_url="提高 SSH 的安全性"></span>[[:zh:提高 SSH 的安全性]][[zh:提高 SSH 的安全性]]
 +
<span data-link_translate_ar_title="زيادة أمان SSH"  data-link_translate_ar_url="زيادة أمان SSH"></span>[[:ar:زيادة أمان SSH]][[ar:زيادة أمان SSH]]
 +
<span data-link_translate_ja_title="SSH のセキュリティを高める"  data-link_translate_ja_url="SSH のセキュリティを高める"></span>[[:ja:SSH のセキュリティを高める]][[ja:SSH のセキュリティを高める]]
 +
<span data-link_translate_pl_title="Zwiększenie bezpieczeństwa SSH"  data-link_translate_pl_url="Zwiększenie bezpieczeństwa SSH"></span>[[:pl:Zwiększenie bezpieczeństwa SSH]][[pl:Zwiększenie bezpieczeństwa SSH]]
 +
<span data-link_translate_ru_title="Повысить безопасность SSH"  data-link_translate_ru_url="Повысить безопасность SSH"></span>[[:ru:Повысить безопасность SSH]][[ru:Повысить безопасность SSH]]
 +
<span data-link_translate_ro_title="Creşte securitatea SSH"  data-link_translate_ro_url="Creşte securitatea SSH"></span>[[:ro:Creşte securitatea SSH]][[ro:Creşte securitatea SSH]]
 +
<span data-link_translate_he_title="להגביר את האבטחה של SSH"  data-link_translate_he_url="להגביר את האבטחה של SSH"></span>[[:he:להגביר את האבטחה של SSH]][[he:להגביר את האבטחה של SSH]]
 +
<br />This article has been created by an automatic translation software. You can view the article source [[:fr:Accroître la sécurité de SSH|here]].<br /><span data-translate="fr"></span><br />
 +
<span data-link_translate_fr_title="Accroître la sécurité de SSH"  data-link_translate_fr_url="Accroître la sécurité de SSH"></span>[[:fr:Accroître la sécurité de SSH]][[fr:Accroître la sécurité de SSH]]
 +
<span data-link_translate_he_title="להגביר את האבטחה של SSH"  data-link_translate_he_url="%D7%9C%D7%94%D7%92%D7%91%D7%99%D7%A8+%D7%90%D7%AA+%D7%94%D7%90%D7%91%D7%98%D7%97%D7%94+%D7%A9%D7%9C+SSH"></span>[[:he:להגביר את האבטחה של SSH]][[he:להגביר את האבטחה של SSH]]
 +
<span data-link_translate_ro_title="Creşte securitatea SSH"  data-link_translate_ro_url="Cre%C5%9Fte+securitatea+SSH"></span>[[:ro:Creşte securitatea SSH]][[ro:Creşte securitatea SSH]]
 +
<span data-link_translate_ru_title="Повысить безопасность SSH"  data-link_translate_ru_url="%D0%9F%D0%BE%D0%B2%D1%8B%D1%81%D0%B8%D1%82%D1%8C+%D0%B1%D0%B5%D0%B7%D0%BE%D0%BF%D0%B0%D1%81%D0%BD%D0%BE%D1%81%D1%82%D1%8C+SSH"></span>[[:ru:Повысить безопасность SSH]][[ru:Повысить безопасность SSH]]
 +
<span data-link_translate_pl_title="Zwiększenie bezpieczeństwa SSH"  data-link_translate_pl_url="Zwi%C4%99kszenie+bezpiecze%C5%84stwa+SSH"></span>[[:pl:Zwiększenie bezpieczeństwa SSH]][[pl:Zwiększenie bezpieczeństwa SSH]]
 +
<span data-link_translate_ja_title="SSH のセキュリティを高める"  data-link_translate_ja_url="SSH+%E3%81%AE%E3%82%BB%E3%82%AD%E3%83%A5%E3%83%AA%E3%83%86%E3%82%A3%E3%82%92%E9%AB%98%E3%82%81%E3%82%8B"></span>[[:ja:SSH のセキュリティを高める]][[ja:SSH のセキュリティを高める]]
 +
<span data-link_translate_ar_title="زيادة أمان SSH"  data-link_translate_ar_url="%D8%B2%D9%8A%D8%A7%D8%AF%D8%A9+%D8%A3%D9%85%D8%A7%D9%86+SSH"></span>[[:ar:زيادة أمان SSH]][[ar:زيادة أمان SSH]]
 
<span data-link_translate_zh_title="提高 SSH 的安全性"  data-link_translate_zh_url="%E6%8F%90%E9%AB%98+SSH+%E7%9A%84%E5%AE%89%E5%85%A8%E6%80%A7"></span>[[:zh:提高 SSH 的安全性]][[zh:提高 SSH 的安全性]]
 
<span data-link_translate_zh_title="提高 SSH 的安全性"  data-link_translate_zh_url="%E6%8F%90%E9%AB%98+SSH+%E7%9A%84%E5%AE%89%E5%85%A8%E6%80%A7"></span>[[:zh:提高 SSH 的安全性]][[zh:提高 SSH 的安全性]]
 
<span data-link_translate_de_title="Erhöhen Sie die Sicherheit von SSH"  data-link_translate_de_url="Erh%C3%B6hen+Sie+die+Sicherheit+von+SSH"></span>[[:de:Erhöhen Sie die Sicherheit von SSH]][[de:Erhöhen Sie die Sicherheit von SSH]]
 
<span data-link_translate_de_title="Erhöhen Sie die Sicherheit von SSH"  data-link_translate_de_url="Erh%C3%B6hen+Sie+die+Sicherheit+von+SSH"></span>[[:de:Erhöhen Sie die Sicherheit von SSH]][[de:Erhöhen Sie die Sicherheit von SSH]]
Line 5: Line 27:
 
<span data-link_translate_pt_title="Aumentar a segurança do SSH"  data-link_translate_pt_url="Aumentar+a+seguran%C3%A7a+do+SSH"></span>[[:pt:Aumentar a segurança do SSH]][[pt:Aumentar a segurança do SSH]]
 
<span data-link_translate_pt_title="Aumentar a segurança do SSH"  data-link_translate_pt_url="Aumentar+a+seguran%C3%A7a+do+SSH"></span>[[:pt:Aumentar a segurança do SSH]][[pt:Aumentar a segurança do SSH]]
 
<span data-link_translate_es_title="Aumentar la seguridad de SSH"  data-link_translate_es_url="Aumentar+la+seguridad+de+SSH"></span>[[:es:Aumentar la seguridad de SSH]][[es:Aumentar la seguridad de SSH]]
 
<span data-link_translate_es_title="Aumentar la seguridad de SSH"  data-link_translate_es_url="Aumentar+la+seguridad+de+SSH"></span>[[:es:Aumentar la seguridad de SSH]][[es:Aumentar la seguridad de SSH]]
<span data-link_translate_fr_title="Accroître la sécurité de SSH"  data-link_translate_fr_url="Accro%C3%AEtre_la_s%C3%A9curit%C3%A9_de_SSH"></span>[[:fr:Accroître la sécurité de SSH]][[fr:Accroître la sécurité de SSH]]
+
<span data-link_translate_en_title="Increase the security of SSH"  data-link_translate_en_url="Increase+the+security+of+SSH"></span>[[:en:Increase the security of SSH]][[en:Increase the security of SSH]]
<br />
 
  
This article has been created by an automatic translation software. You can view the article source [[:fr:Accroître la sécurité de SSH|here]].<br /><span data-translate="fr"></span>
+
{{#seo:
 +
|title=Increase the security of SSH
 +
|title_mode=append
 +
|keywords=these,are,your,keywords
 +
|description=Increase the security of SSH
 +
|image=Uploaded_file.png
 +
|image_alt=Wiki Logo
 +
}}
  
Whenever this is possible, we strongly recommend to modify the default identifiers and the default ports of critical services.
+
Once this is possible, it is recommended to change the default identifiers and the default ports of critical services.
  
  
Regarding SSH, we see here a few elements that will strengthen the security of this service.
+
About SSH, land's see some elements that will strengthen the security of this service.
  
  
In the context of the drafting of this article, we are based on a type distribution Debian Jessie. Following up on your server, the configuration may need to change. Should, therefore, adapt to your needs.
+
Dans le cadre de la rédaction de cet article, nous nous sommes basés sur une distribution de type Debian Jessie. Suivant celle en place sur votre {{Template:Serveur}}, la configuration peut être amenée à changer. Il faudra, par conséquent, adapter à vos besoins.
  
  
By default, to connect in SSH, you must establish a connection on port 22. Change this port can already prevent many attacks by brute force.
+
By default, to connect in SSH, you must establish a connection on port 22. Change this port can already protect you from many attacks by brute-force.
  
If you want to use SSH on a port other than the default one, you will need to modify  ''Port 22'' by  ''Port 55555'' in the file ''/and c/ssh/sshd_config''.
+
Si vous souhaitez utiliser SSH sur un autre port que celui par défaut, il vous faudra donc modifier ''Port 22'' par ''Port 55555'' in the file ''/etc/ssh/sshd_config''.
  
  
In order to make brute-force attacks much less effective, you can also disable SSH connection through the root account. It will therefore have one user other than the default account and proceed to elevation of privilege from this account to have administrator rights.
+
In order to make brute-force attacks less effective, you can also disable SSH connection through the root account. It will therefore have one user other than the default account and proceed with an elevation of privileges from this account to have administrator rights.
  
  
We will therefore pass the associated option of  ''PermitRootLogin yes'' à ''PermitRootLogin No. '' and declare the users allowed to connect. To allow the user  ''ikoula'' therefore to connect in SSH, add the following line in the configuration file  : ''AllowUsers ikoula''
+
On va donc passer l'option associée de ''PermitRootLogin yes'' à ''PermitRootLogin no'' et déclarer les utilisateurs autorisés à se connecter. Pour autoriser l'utilisateur ''ikoula'' à se connecter in SSH, il faudra donc ajouter la ligne suivante in the file de configuration : ''AllowUsers ikoula''
  
  
If beyond two minutes the connection information are not seized during a SSH connection to your server, the connection is cut off.
+
Si au delà de deux minutes les informations de connexion ne sont pas saisies lors d'une connexion en SSH à votre {{Template:Serveur}}, la connexion est coupée.
This period may be adjusted downward (following the latency and the stability of your connection, of course ).
+
This period may be revised downward (following the latency and the stability of your connection, of course).
Thirty seconds may be sufficient. To change this value, we will modify the by ameter  ''LoginGraceTime''.  
+
Trente secondes peuvent être suffisantes. Afin de modifier cette valeur, nous allons modifier le paramètre ''LoginGraceTime''.  
We now modify the line  ''LoginGraceTime 120'' par ''LoginGraceTime 30'' in the file  ''/etc/ssh/sshd_config''.
+
Nous allons donc maintenant modifier la ligne ''LoginGraceTime 120'' par ''LoginGraceTime 30'' dans le fichier ''/etc/ssh/sshd_config''.
  
  
We will now modify the algorithms used by SSH to limit usage to some by adding two additional lines in the SSH service configuration file :
+
We will now change the algorithms used by SSH to limit usage to some by adding two additional lines in the SSH service configuration file :
  
 
<code>
 
<code>
Line 45: Line 73:
  
  
Debian by default always adds a character string to the SSH banner. To put it simply, if do you a telnet to your server  (Telnet IP_SERVER 22), here's what you get :
+
Debian by default always adds a character string to the SSH banner. To put it simply, if perform you a telnet to your {{Template:Serveur}} (Telnet IP_SERVER 22), here's what you get :
  
 
<code>
 
<code>
Line 52: Line 80:
  
  
So let's turn this behavior off to no longer display the name of our distribution :
+
So let's turn off this behavior in order to no longer display the name of our distribution :
  
 
<code>
 
<code>
Line 59: Line 87:
  
  
Now, let's get this :
+
Now, let's get this :
  
 
<code>
 
<code>
Line 66: Line 94:
  
  
The changes are complete, we will restart the service for the changes to be effective :
+
Changes are complete, so let's restart the service for the changes to be effective :
  
 
<code>
 
<code>
Line 73: Line 101:
  
  
Note that you can also set up the IP address for your SSH service restrictions  (If your server is not already behind a firewall for example or your iptables rules do not already need ).
+
You can also implement the restriction by IP address for your SSH service (If your {{Template:Serveur}} is not already behind a firewall for example or your iptables rules do not already the necessary).
  
  
We will therefore prohibit SSH connections to everyone and put an exception for our IP addresses :
+
We will therefore prohibit SSH connections to everyone and put an exception for our IP addresses :
  
 
<code>
 
<code>
Line 85: Line 113:
  
  
Thus, only the IP addresses ''12.34.56.78'' et ''98.76.54.32'' will be allowed to connect to vote SSH server  (Replace with the IP address appropriate course ).  
+
Thus, only the IP addresses ''12.34.56.78'' et ''98.76.54.32'' will be allowed to connect to vote {{Template:Serveur}} en SSH (Replace with the appropriate, IP addresses of course).  
  
  
Alternatively, you can implement authentication by the exchange of keys if you wish.
+
Alternatively, you can implement authentication by Exchange of keys if you wish.
  
 
[[Category:Dedicated_server]]
 
[[Category:Dedicated_server]]
 
[[Category:Linux]]
 
[[Category:Linux]]
 
 
<br />
 
<br />
 
<comments />
 
<comments />

Latest revision as of 10:55, 27 September 2021

fr:Accroître la sécurité de SSH en:Increase the security of SSH es:Aumentar la seguridad de SSH pt:Aumentar a segurança do SSH it:Aumentare la sicurezza di SSH nl:Verhoging van de veiligheid van SSH de:Erhöhen Sie die Sicherheit von SSH zh:提高 SSH 的安全性 ar:زيادة أمان SSH ja:SSH のセキュリティを高める pl:Zwiększenie bezpieczeństwa SSH ru:Повысить безопасность SSH ro:Creşte securitatea SSH he:להגביר את האבטחה של SSH
This article has been created by an automatic translation software. You can view the article source here.

fr:Accroître la sécurité de SSH he:להגביר את האבטחה של SSH ro:Creşte securitatea SSH ru:Повысить безопасность SSH pl:Zwiększenie bezpieczeństwa SSH ja:SSH のセキュリティを高める ar:زيادة أمان SSH zh:提高 SSH 的安全性 de:Erhöhen Sie die Sicherheit von SSH nl:Verhoging van de veiligheid van SSH it:Aumentare la sicurezza di SSH pt:Aumentar a segurança do SSH es:Aumentar la seguridad de SSH en:Increase the security of SSH

Once this is possible, it is recommended to change the default identifiers and the default ports of critical services.


About SSH, land's see some elements that will strengthen the security of this service.


Dans le cadre de la rédaction de cet article, nous nous sommes basés sur une distribution de type Debian Jessie. Suivant celle en place sur votre Server, la configuration peut être amenée à changer. Il faudra, par conséquent, adapter à vos besoins.


By default, to connect in SSH, you must establish a connection on port 22. Change this port can already protect you from many attacks by brute-force.

Si vous souhaitez utiliser SSH sur un autre port que celui par défaut, il vous faudra donc modifier Port 22 par Port 55555 in the file /etc/ssh/sshd_config.


In order to make brute-force attacks less effective, you can also disable SSH connection through the root account. It will therefore have one user other than the default account and proceed with an elevation of privileges from this account to have administrator rights.


On va donc passer l'option associée de PermitRootLogin yes à PermitRootLogin no et déclarer les utilisateurs autorisés à se connecter. Pour autoriser l'utilisateur ikoula à se connecter in SSH, il faudra donc ajouter la ligne suivante in the file de configuration : AllowUsers ikoula


Si au delà de deux minutes les informations de connexion ne sont pas saisies lors d'une connexion en SSH à votre Server, la connexion est coupée. This period may be revised downward (following the latency and the stability of your connection, of course). Trente secondes peuvent être suffisantes. Afin de modifier cette valeur, nous allons modifier le paramètre LoginGraceTime. Nous allons donc maintenant modifier la ligne LoginGraceTime 120 par LoginGraceTime 30 dans le fichier /etc/ssh/sshd_config.


We will now change the algorithms used by SSH to limit usage to some by adding two additional lines in the SSH service configuration file :

echo "Ciphers aes256-ctr,aes192-ctr,aes128-ctr" >> /etc/ssh/sshd_config

echo "MACs hmac-ripemd160" >> /etc/ssh/sshd_config


Debian by default always adds a character string to the SSH banner. To put it simply, if perform you a telnet to your Server (Telnet IP_SERVER 22), here's what you get :

SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u2


So let's turn off this behavior in order to no longer display the name of our distribution :

echo "DebianBanner no" >> /etc/ssh/sshd_config


Now, let's get this :

SSH-2.0-OpenSSH_6.7p1


Changes are complete, so let's restart the service for the changes to be effective :

systemctl restart ssh.service


You can also implement the restriction by IP address for your SSH service (If your Server is not already behind a firewall for example or your iptables rules do not already the necessary).


We will therefore prohibit SSH connections to everyone and put an exception for our IP addresses :

echo "sshd: ALL" >> /etc/hosts.deny

echo "sshd: 12.34.56.78, 98.76.54.32" >> /etc/hosts.allow


Thus, only the IP addresses 12.34.56.78 et 98.76.54.32 will be allowed to connect to vote Server en SSH (Replace with the appropriate, IP addresses of course).


Alternatively, you can implement authentication by Exchange of keys if you wish.


You are not allowed to post comments.

Retrieved from "https://en-wiki.ikoula.com/index.php?title=Increase_the_security_of_SSH&oldid=12162"