Introduction

SSH (the Secure Shell) is frequently used for secure remote administration and file transfer. Its strong authentication and encryption make it a good choice for DAS administration. However, there are several things that we must do in order to make sshd more secure.

SSH is an incredibly useful tool; think of it as the "Swiss Army knife" of secure host-to-host networking. However, its popularity comes with a price. Since sshd is usually running on most Unix and Linux machines by default, and is used for administration, many crackers focus their efforts on exploiting it. A good exploit can give an attacker root access to the box from the command line. Therefore, you must carefully guard your sshd system to prevent abuse.

Instructions for DAS-M and DAS-S

Step 1: Make sure that you have the latest release

Part of keeping SSH secure is watching for updates and security patches, then applying them. The OpenSSH packages that come with Red Hat 9 are out of date. You can use the following command to see the currently installed version:

# rpm -qa | grep ssh

If you don't have the current version, then you need to download the updated packages from Red Hat. Install them with this command:

# rpm -Uvh openssh*rpm

Step 2: Edit the configuration file in order to increase sshd security

The sshd configuration file is located at /etc/ssh/sshd_config. Make a backup copy of the original configuration and then open /etc/ssh/sshd_config in your favourite text editor. Here is a copy with our changes made. For clarity, most of the remarks have been removed. You can safely leave the remarks intact in your configuration file.

Port 2222
Protocol 2

# Authentication:
LoginGraceTime 45
PermitRootLogin no

X11Forwarding no

AllowUsers smythe
DenyUsers root

ClientAliveInterval 180
KeepAlive yes

# override default of no subsystems
Subsystem       sftp    /usr/libexec/openssh/sftp-server

Notes: Port 2222 is used instead of the default port (TCP 22) in order to make automated SSH vulnerability scans miss the DAS servers. It will also keep the curious from trying to log in. SSH protocol 1 is not allowed, only version 2, which is more secure. We will not be using X11 forwarding, so it is disabled.

Root is not allowed to log in. You must log in as another local user, then "su -" to root. This helps against password guessing attempts, as a potential attacker now needs to find a valid user account name to try to log in with. Additionally, any local user accounts on the DAS server must be added manually to the "AllowUsers" line or they will not be allowed to log in via SSH. We want users to have explicit permission to log in to the DAS servers over the network.
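
An added example, not part of the original guide: a shell check of an sshd_config file against the settings described in the notes above, which can be run before restarting sshd. The function names sshd_values and audit_sshd_config and the sample file are constructed for illustration; a missing directive is reported rather than assumed, since defaults differ between OpenSSH releases.

```shell
#!/bin/sh
# Added example: audit an sshd_config against the settings used in this guide.
# Print every value given for keyword $2 in file $1, one per line, in file order.
sshd_values() {
    awk -v kw="$2" '
        /^[ \t]*(#|$)/ { next }
        tolower($1) == tolower(kw) { $1 = ""; sub(/^[ \t]+/, ""); print }
    ' "$1"
}

# Print one FAIL line per deviation; return 1 if any check failed.
audit_sshd_config() {
    cfg=$1; rc=0
    for want in "Protocol 2" "PermitRootLogin no" "X11Forwarding no"; do
        key=${want% *}; exp=${want#* }
        got=$(sshd_values "$cfg" "$key" | head -n 1)   # first occurrence wins
        if [ "$got" != "$exp" ]; then
            echo "FAIL $key: got '${got:-unset}', want '$exp'"; rc=1
        fi
    done
    # Port may be repeated and sshd listens on every one, so none may be 22.
    ports=$(sshd_values "$cfg" Port)
    if [ -z "$ports" ] || echo "$ports" | grep -qx 22; then
        echo "FAIL Port: sshd still listens on the default port 22"; rc=1
    fi
    # Without AllowUsers, any local account may log in over SSH.
    if [ -z "$(sshd_values "$cfg" AllowUsers)" ]; then
        echo "FAIL AllowUsers: no explicit user allow-list"; rc=1
    fi
    return $rc
}

# Constructed sample: the guide's config with two settings left at weaker values.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 2222
protocol 2,1
PermitRootLogin no
PermitRootLogin yes
X11Forwarding yes
AllowUsers smythe
EOF
audit_sshd_config "$sample" || echo "sshd_config needs attention"
rm -f "$sample"
```

The sample passes the PermitRootLogin check because sshd uses the first value it reads for a keyword; the later "yes" line has no effect but is worth removing.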

Now that we have made our changes, we need to restart the server:

[root@das-m ssh]# /etc/init.d/sshd restart
Stopping sshd:                                             [  OK  ]
Starting sshd:                                             [  OK  ]

From another host, make sure that you can log in. For example:

[van@labdemo2]$ ssh -p 2222 -l smythe das-m.kerb.org
smythe@das-m.kerb.org's password:

Step 3: Additional security measures

In our iptables firewall config, access to sshd is restricted. Only ssh clients from our lab LAN can connect to port 2222 and login. This further restricts mischief. Of course, if you want to be even more secure, you can disable sshd during regular operation and only administer the DAS servers from the console.

