Increase the security of SSH

es:Aumentar la seguridad de SSH fr:Accroître la sécurité de SSH

This article has been created by an automatic translation software. You can view the article source here.

Whenever this is possible, we strongly recommend to modify the default identifiers and the default ports of critical services.

Regarding SSH, we see here a few elements that will strengthen the security of this service.

In the context of the drafting of this article, we are based on a type distribution Debian Jessie. Following up on your server, the configuration may need to change. Should, therefore, adapt to your needs.

By default, to connect in SSH, you must establish a connection on port 22. Change this port can already prevent many attacks by brute force.

If you want to use SSH on a port other than the default one, you will need to modify Port 22 by Port 55555 in the file /and c/ssh/sshd_config.

In order to make brute-force attacks much less effective, you can also disable SSH connection through the root account. It will therefore have one user other than the default account and proceed to elevation of privilege from this account to have administrator rights.

We will therefore pass the associated option of PermitRootLogin yes à PermitRootLogin No. and declare the users allowed to connect. To allow the user ikoula therefore to connect in SSH, add the following line in the configuration file : AllowUsers ikoula

If beyond two minutes the connection information are not seized during a SSH connection to your server, the connection is cut off. This period may be adjusted downward (following the latency and the stability of your connection, of course ). Thirty seconds may be sufficient. To change this value, we will modify the by ameter LoginGraceTime. We now modify the line LoginGraceTime 120 par LoginGraceTime 30 in the file /etc/ssh/sshd_config.

We will now modify the algorithms used by SSH to limit usage to some by adding two additional lines in the SSH service configuration file :

echo "Ciphers aes256-ctr,aes192-ctr,aes128-ctr" >> /etc/ssh/sshd_config

echo "MACs hmac-ripemd160" >> /etc/ssh/sshd_config

Debian by default always adds a character string to the SSH banner. To put it simply, if do you a telnet to your server (Telnet IP_SERVER 22), here's what you get :

SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u2

So let's turn this behavior off to no longer display the name of our distribution :

echo "DebianBanner no" >> /etc/ssh/sshd_config

Now, let's get this :

SSH-2.0-OpenSSH_6.7p1

The changes are complete, we will restart the service for the changes to be effective :

systemctl restart ssh.service

Note that you can also set up the IP address for your SSH service restrictions (If your server is not already behind a firewall for example or your iptables rules do not already need ).

We will therefore prohibit SSH connections to everyone and put an exception for our IP addresses :

echo "sshd: ALL" >> /etc/hosts.deny

echo "sshd: 12.34.56.78, 98.76.54.32" >> /etc/hosts.allow

Thus, only the IP addresses 12.34.56.78 et 98.76.54.32 will be allowed to connect to vote SSH server (Replace with the IP address appropriate course ).

Alternatively, you can implement authentication by the exchange of keys if you wish.