Securing SSH connections

SSH stands for Secure Shell, the SSH connection is the main way to get access to your Virtual Server. It´s standard, secure and enabled by default on all Linux servers.

Once said that, there are ways to increase security on SSH.

SSH daemon (sshd) runs by default on all Ventureer Virtual Servers providing encrypted access to root user with the password generated on server creation.

Let´s review some measures you can take to secure your ssh connection.

Complex Passwords.

There are many sites providing recomendations for complex passwords. The most usual are:

  • Your password must contain more than 8 characters.
  • You should use letters, numbers and special characters such as %$@&…
  • Use both upper and lower case letters.

This is to prevent easy guessing of passwords from malevolent users. They use farms of computers to find your password by brute force attacks. There´s a lot of ways to remember your password, I find useful this XKCD comic.

 

Disable SSH protocol 1.

SSH has two protocols, protocol 1 is old and less secure than protocol 2. You should only allow protocol 2 in the connections to your servers. SSH confif file is located in /etc/ssh/sshd_config. Look for the following lines and modify it accordingly:


# Protocol 2,1
Protocol 2

Remember to restart the sshd daemon after saving the file.

 

Disable root login.

Attackers will try to guess your root password by brute force. In order to avoid that, create a non root user and disable root access to ssh. Once you are logged in as that user, you can get root permissions with sudo or su commands.

Look for the following lines in  /etc/ssh/sshd_config and ammend it as follows:

# Prevent root logins:
PermitRootLogin no

You can also limit which users have ssh access with:
AllowUsers alice bob

Authenticate with public/private keys.
Using encrypted keys for authentication offers two main benefits. Firstly, it is convenient as you no longer need to enter a password (unless you encrypt your keys with password protection) if you use public/private keys. Secondly, once public/private key pair authentication has been set up on the server, you can disable password authentication completely meaning that without an authorized key you can’t gain access – so no more password cracking attempts.

It’s a relatively simple process to create a public/private key pair and install them for use on your ssh server.

First, create a public/private key pair on the client that you will use to connect to the server (you will need to do this from each client machine from which you connect):

$ ssh-keygen -t rsa
This will create two files in your (hidden) ~/.ssh directory called: id_rsa and id_rsa.pub The first: id_rsa is your private key and the other: id_rsa.pub is your public key.

If you don’t want to still be asked for a passphrase (which is basically a password to unlock a given public key) each time you connect, just press enter when asked for a passphrase when creating the key pair. It is up to you to decide whether or not you should add the passphrase protective encryption to your key when you create it. If you don’t passphrase protect your key, then anyone gaining access to your local machine will automatically have ssh access to the remote server. Also, root on the local machine has access to your keys although one assumes that if you can’t trust root (or root is compromised) then you’re in real trouble. Encrypting the key adds additional security at the expense of eliminating the need for entering a password for the ssh server only to be replaced with entering a passphrase for the use of the key. This may be further simplified by the use of the ssh_agent program

Now set permissions on your private key:

$ chmod 700 ~/.ssh
$ chmod 600 ~/.ssh/id_rsa

Copy the public key (id_rsa.pub) to the server and install it to the authorized_keys list:

$ cat id_rsa.pub >> ~/.ssh/authorized_keys

Note: once you’ve imported the public key, you can delete it from the server.

and finally set file permissions on the server:

$ chmod 700 ~/.ssh
$ chmod 600 ~/.ssh/authorized_keys

The above permissions are required if StrictModes is set to yes in /etc/ssh/sshd_config (the default).

Ensure the correct SELinux contexts are set:

$ restorecon -Rv ~/.ssh

Now when you login to the server you won’t be prompted for a password (unless you entered a passphrase when you created your key pair). By default, ssh will first try to authenticate using keys. If no keys are found or authentication fails, then ssh will fall back to conventional password authentication.

Once you’ve checked you can successfully login to the server using your public/private key pair, you can disable password authentication completely by adding the following setting to your /etc/ssh/sshd_config file:

# Disable password authentication forcing use of keys
PasswordAuthentication no