
Hardening SSH Setup


kYd


Hey,

In a few days I will be exposing my media server to the scary Internet, as I'll need access to it from afar; it has quite a bit of personal stuff on there, so I'm looking to harden it down, and I'm primarily focusing on just SSH today.

I've read many guides the last few hours, and while some of the information is great, some sources are conflicting with others, with many of them dating years back.

So, concerning SSH, what tips would you advise?

I've already done the obvious:

changing ports, using the AllowUsers directive, disabled root, limited wrong authentication tries and login grace time, and I'm currently trying to get to a passwordless state with keys (followed numerous guides but it still asks for a p/w).

I'm also in the process of trying to set up IPtables to accomplish the following:

* Block the IP of anyone that tries to connect to the server on port 22, forever.

* Block any IP that fails authentication more than 2 times, for an hour.

Could you help me with this one also?

I am unable to allow just the foreign IPs I will be logging into as I shall be from many locations, with dynamic IPs.

Cheers.
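The two iptables goals in the post above, worked through as an added example (this is not code from the thread or from any poster). It assumes sshd has already moved off port 22, an ipset named sshban (a name chosen here) with a 3600-second entry timeout for the one-hour ban, and an xt_recent list named trap22 for the permanent port-22 trap. The "more than 2 failures" rule is driven by sshd's own "Failed password" log lines; the log lines below are constructed, not real data, and the script prints the firewall commands rather than running them so it can be read and tested anywhere.

```shell
#!/bin/sh
# Added example (not from the thread): turn the two rules above into firewall
# commands. Assumes sshd no longer listens on 22, an ipset "sshban" (hypothetical
# name) for the one-hour ban and an xt_recent list "trap22" for the permanent trap.

THRESHOLD=2          # more than this many failures bans the source (the OP's rule)
BAN_SECONDS=3600     # one hour, enforced by the ipset entry timeout

# Constructed sample auth log (not real data): 198.51.100.7 fails three times,
# 203.0.113.9 fails twice, 192.0.2.5 logs in with a key and must not be banned.
SAMPLE_LOG='Aug  1 10:00:01 media sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Aug  1 10:00:04 media sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Aug  1 10:00:07 media sshd[2203]: Failed password for charles from 198.51.100.7 port 51030 ssh2
Aug  1 10:01:00 media sshd[2210]: Failed password for charles from 203.0.113.9 port 40001 ssh2
Aug  1 10:01:03 media sshd[2210]: Failed password for charles from 203.0.113.9 port 40001 ssh2
Aug  1 10:02:00 media sshd[2215]: Accepted publickey for charles from 192.0.2.5 port 33000 ssh2'

# Read sshd log lines on stdin; print every source IP that failed authentication
# more than $THRESHOLD times, one per line, sorted.
offenders() {
    awk -v max="$THRESHOLD" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
        }
        END { for (ip in fails) if (fails[ip] > max) print ip }
    ' | sort
}

# Print (do not run) the rules. Order matters: the DROP checks are inserted at
# the top of INPUT so they run before any ACCEPT for the real SSH port, and the
# port-22 trap sits right behind them so no earlier rule can swallow the packet.
firewall_commands() {
    cat <<EOF
ipset create sshban hash:ip timeout $BAN_SECONDS -exist
iptables -I INPUT 1 -m set --match-set sshban src -j DROP
iptables -I INPUT 2 -m recent --name trap22 --rcheck -j DROP
iptables -I INPUT 3 -p tcp --dport 22 -m recent --name trap22 --set -j DROP
EOF
    # One ipset entry per offender; the per-entry timeout expires it after an hour.
    offenders | while read -r ip; do
        printf 'ipset add sshban %s timeout %s -exist\n' "$ip" "$BAN_SECONDS"
    done
}

# Demo against the constructed log; on the server, feed it /var/log/auth.log instead.
printf '%s\n' "$SAMPLE_LOG" | firewall_commands
```

Two caveats worth knowing before relying on this. `--rcheck` with no `--seconds` matches as long as the address is still in the recent list, and that list holds 100 entries by default (the xt_recent `ip_list_tot` parameter), so "forever" really means "until the oldest entries are evicted". And both rules ban by source address, so one bad guess from behind a shared NAT, including your own hotel or phone network, locks out everyone behind that address; keep a second way in (console, or the hour-long timeout itself) before enabling it.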

I think one of the most secure methods of ssh connections is using ssh-keys for authentication.


What are you having problems with when trying to set the keys? You need to change two settings, which are:

PubkeyAuthentication and PasswordAuthentication. Change Pubkey to yes and password to no, and add your public key to ~/.ssh/authorized_keys.

You can recreate keys by using ssh-keygen.

Here's my sshd_config file for reference - it needs some clean up, but it works for me.

# Package generated configuration file
# See the sshd(8) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 30
PermitRootLogin no
StrictModes yes

RSAAuthentication no
PubkeyAuthentication yes
#AuthorizedKeysFile     %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 3:50:10
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

UsePAM yes
AllowUsers charles
GatewayPorts no
AllowTcpForwarding yes
KeepAlive yes
IgnoreUserKnownHosts no
PasswordAuthentication no


Try using id_rsa.pub instead. That's the one I've been using. Haven't touched id_dsa.pub.

Permissions should look like this:

-rw-r--r-- 1 charles charles  394 2010-07-03 20:58 authorized_keys
-rw------- 1 charles charles 1743 2010-07-15 09:11 id_rsa
-rw-r--r-- 1 charles charles  442 2010-07-30 17:15 known_hosts

The id_rsa.pub should be added to authorized_keys (the rename you did should be fine).

I tried the same thing with the id_dsa.pub key and id_dsa private key without success. It only allowed me to use my password to authenticate. The debug looked the same as yours.

When I switched to using rsa keys, it authenticated without any problems.

Edited by Charles
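The permission listing above and the earlier advice to switch PubkeyAuthentication on and PasswordAuthentication off both run into the same trap: with StrictModes yes (as in the config posted above), sshd silently ignores a ~/.ssh directory or authorized_keys file that is group- or world-writable and falls back to asking for a password, which is exactly the symptom the original post describes. Below is an added example that reproduces those checks as a small portable sh script; it is not code from the thread or from OpenSSH. check_ssh_dir is a name chosen here, it takes the directory to inspect as its argument, and it uses ls -ld rather than GNU stat so it runs on any Unix.

```shell
#!/bin/sh
# Added example (not from the thread): the permission checks sshd's StrictModes
# applies before it trusts ~/.ssh/authorized_keys, the usual reason a key login
# quietly falls back to a password prompt. check_ssh_dir (hypothetical name)
# takes a directory path; portable sh, no GNU stat needed.

# Mode string of a path, e.g. "drwx------"
mode_of() { ls -ld "$1" | cut -c1-10; }

# Group- or world-writable? Character 6 is group write, character 9 is other write.
writable_by_others() {
    case "$(mode_of "$1")" in
        ?????w*|????????w*) return 0 ;;
        *) return 1 ;;
    esac
}

# Report every problem sshd would object to and return 1 if any was found.
# Checks the directory itself, authorized_keys (server side) and any private
# key kept there (client side, as in the listing above).
check_ssh_dir() {
    dir=$1
    rc=0
    if [ ! -d "$dir" ]; then
        echo "missing directory: $dir"
        return 1
    fi
    if writable_by_others "$dir"; then
        echo "too open (want 700): $dir"; rc=1
    fi
    if [ -f "$dir/authorized_keys" ]; then
        if writable_by_others "$dir/authorized_keys"; then
            echo "too open (want 600 or 644): $dir/authorized_keys"; rc=1
        fi
    else
        echo "missing: $dir/authorized_keys (nothing for sshd to match a key against)"; rc=1
    fi
    # Private keys: the client refuses them unless group and other have no bits at all.
    for key in "$dir"/id_*; do
        [ -f "$key" ] || continue
        case "$key" in *.pub) continue ;; esac
        case "$(mode_of "$key")" in
            ???-------) ;;
            *) echo "private key readable by others (want 600): $key"; rc=1 ;;
        esac
    done
    return $rc
}

# Usage: sh check_ssh_dir.sh ~/.ssh
if [ $# -gt 0 ]; then
    check_ssh_dir "$1"
fi
```

Run it on the server as the user named in AllowUsers; a clean run prints nothing and exits 0. StrictModes also rejects a home directory that is itself group- or world-writable, so if the script passes and the password prompt persists, check the mode of the home directory next, then run the client with -v and look for the "Offering public key" and "Authentications that can continue" lines to see whether the server ever received the key.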
