Eight ways to protect SSH access on your system

SSH. We know it. We love it. We must use it.

I'm going to take you through eight steps to better help you secure the SSH service on your network. I think we all appreciate the importance of SSH. It allows us to connect to and from Linux devices, Unix servers, network appliances, and sometimes even Windows boxes. I'm not going to try to sell you on how often SSH is used or how important it is. I'm going to provide a solid checklist you can use to ensure SSH services in your environment are locked down.

1. Backup the config file

First, back up the configuration file before making major changes. This is a common bit of advice, but it's a real one. It's easy, takes only a moment, and protects you in case of a mistake when editing the file. And who hasn't made a mistake in Vim?

# cp /etc/ssh/sshd_config ~/sshd_config_original

See, that's not so bad.

Challenge - Do you consistently back up configuration files before making major edits?

2. Set a banner message

Admittedly, this is as much about legal requirements as anything else, but again, this setting only takes a moment. You can actually provide some pretty good information in banner messages, too. First, we'll write the banner message in the /etc/issue.net file by using Vim. Then we'll open the sshd_config file and tell it to use the content of issue.net as the banner.

# vim /etc/issue.net

Warning! Authorized use only.
This server is the property of MyCompanyName.com

[ You might also like: SSH password automation in Linux with sshpass ]

Obviously, you'll want to come up with something specific to your organization. Remove any information that's already in the issue.net file.

Next, tell SSH to use the banner message. Open the sshd_config file in Vim, and find the line that reads Banner. You do remember that you can use the forward-slash character in Vim's Command mode to keyword-search a file, right? For example, /banner

# vim /etc/ssh/sshd_config

Find the line that reads # no default banner path, and then uncomment the next line (it says Banner).

# no default banner path
Banner /etc/issue.net

Save your changes in Vim with :wq and then restart the SSH service:

# systemctl restart sshd

Note: I'm not going to remind you to restart SSH from this point forward. Any time you make a change to the configuration file, you must restart the service.

Challenge - Is the banner message consistent across all the SSH devices on your network?

3. Prevent empty passwords

This seems like a no-brainer, but empty passwords are clearly a bad idea. You may have other utilities, such as Pluggable Authentication Modules (PAM), regulating your regular passwords, but it's also a good idea to make sure SSH enforces responsible security settings, too.

Open the /etc/ssh/sshd_config file in Vim, and then find the line that reads PermitEmptyPasswords. Uncomment it, and replace the yes value with no.

PermitEmptyPasswords no

That's it.

4. Prevent the root user from crossing the network via SSH

The idea here is pretty straightforward. Send standard user credentials across the network instead of root credentials. Once you've established your SSH connection using a standard user account, use su or sudo to elevate your privileges.

Open the SSH configuration file, and then uncomment the PermitRootLogin line. Edit the setting from yes to no.

PermitRootLogin no

Challenge - your organization has embraced sudo, right?

5. Whitelist specific user accounts

If you're already preventing the use of the root user account across SSH, why not go a step further and explicitly state which users can connect to the server? Perhaps you have a regular non-root admin account you use or one that's already configured with sudo privileges.

In the SSH configuration file, add the following line (it's not in there by default):

AllowUsers user1

I'd put it near the PermitRootLogin no setting.

By the way, you can actually filter with all of the following settings: AllowUsers, DenyUsers, AllowGroups, DenyGroups. I wrote them in that order on purpose—that's the order in which they are processed. You can discover more information on the man page for sshd_config.

Challenge - be careful about exactly who is authorized.

Note: You can limit connections via iptables, too.

6. No more port 22

Another common change is to configure SSH to listen on a different port than the standard 22/tcp that we've all memorized. There's already an entry in the sshd_config file.

You can comment out the default port setting and add another line, as I've done below:

#Run SSH on a non-standard port
#Port 22
Port 2222

I suspect many folks use 2222 as the replacement port number, so you may want to standardize on something a little more unique.

You must remember to append the new non-standard port number to your SSH connection attempts from this point on. For example:

# ssh -p 2222 user1@10.1.0.42

Challenge - do you have the same non-standard port number configured for all your SSH destinations? Consistency will make your life much easier.

7. Time's up!

The next tip deals with timing out connections. The ClientAliveInterval manages idle SSH connections. The server sends a message to the client and expects a response. The ClientAliveInterval is the space of time between the messages. The ClientAliveCountMax defines how many times the server will do this before deciding the client isn't really there anymore. At that point, the connection is dropped.

Here is an example configuration that checks every 60 seconds and will do so three times:

ClientAliveInterval 60
ClientAliveCountMax 3

Edit these values to something that makes sense for your environment.

Note: If you're using SSH to tunnel for other connections, you may need to ensure that the interval is long enough to properly support whatever other applications are using it.

There's a ServerAliveInterval value that you can configure on the client-side, too. This allows clients to drop connections to non-responsive SSH servers.

8. Here's the key

One of the most common security settings for SSH these days is key-based authentication. Through the years that I've taught Linux, this authentication method has become more and more common. In fact, I wouldn't attempt a Red Hat admin exam without feeling confident in this process. Fortunately, it's not difficult.

Let's do a quick review. Key-based authentication uses asymmetric cryptography. That means there are two keys, different but mathematically related to each other. One is private and never sent across the network. The other is public and may be transferred across the network. Because the keys are related, they can be used to confirm identities—identities such as SSH authentication attempts.

You'll need to generate the key pair on the local SSH client computer and then transfer the public key across the network to the destination SSH server. In other words, the keys will identify you on your admin workstation. Once this configuration is in place, you are no longer challenged for a password when you establish an SSH connection.

The process only requires a few steps.

First, generate the key pair:

# ssh-keygen

The keys are stored in your home directory in a hidden directory named .ssh, and the default key names are id_rsa (private key) and id_rsa.pub (public key).

Next, send the user1 public key across the network to the destination SSH server located at 10.1.0.42:

# ssh-copy-id user1@10.1.0.42

Finally, test the connection:

# ssh user1@10.1.0.42

Notice that you are not challenged for a password.

Since you have now embraced key-based authentication, you can edit the sshd_config file to prevent any logins based on passwords. Once you configure this setting, only key-based authentication will be accepted.

Edit these two lines in the file:

PasswordAuthentication no
PublicKeyAuthentication yes

[ Want to learn more about security? Check out the IT security and compliance checklist. ] 

Wrap up

I have listed several common but effective SSH configurations to help you better secure your environment. Remember, with security, no one setting is likely to protect your devices. The goal is layers of security, the combination of which helps to mitigate security threats. I strongly suggest that you carefully organize your keys if you implement key-based authentication. You might also consider using a centralized /etc/ssh/sshd_config file to maintain consistent security configurations on your SSH servers. Don't forget to restart SSH any time you change the configuration file.