Protect your SSH server

SSH is a network protocol that allows establishing a secure connection between a local and a remote computer. You can install SSH server on your workstation and then have remote command line and Secure FTP (SFTP) access.


I use this command to install SSH server from the repositories:

$ sudo aptitude install ssh

By default, SSH server will run on port 22 and use standard username and password authentication. If you are behind a firewall, you will have to use some mechanism to allow traffic through that port if you want to access your machine remotely. I use port forwarding; I forward port 22 to the IP address of my workstation.

By opening up a port on your firewall, you now have a security concern. You need to come up with a way to keep the bad guys out while letting the good guys in. There are many ways to make your SSH server more secure; this is by no means a comprehensive list. That being said, here are a few methods that some people use:



Allow Known IP addresses with /etc/hosts.allow

If you know the IP addresses of all the machines that you want to allow access to your SSH server remotely, you can explicitly allow them using the /etc/hosts.allow file. This file does not exist by default in Ubuntu 7.04. To use this method, first create the /etc/hosts.allow and /etc/hosts.deny files:

$ sudo touch /etc/hosts.allow
$ sudo touch /etc/hosts.deny

Next, start by blocking ALL users from ALL services with /etc/hosts.deny:

$ sudo gedit /etc/hosts.deny

Add this line:

ALL: ALL

Next, edit your hosts.allow file to allow the known IP address:

$ sudo gedit /etc/hosts.allow

Then add the IP address to the file and save it. For example, if the IP address from your office is 123.456.789.999, then create the entry like this:

# allow ssh login from my office
sshd: 123.456.789.999

Configured like this, all access attempts will be denied unless they originate from your office’s IP address.



Key Authentication

You can configure your SSH server so that it uses public keys for authentication instead of just username/password. Here are instructions on how to configure that.



Configure SSH server to run on a non-standard port

You can set up SSH server so that it runs on a port other than 22. This will thwart many of the less-than-tenacious attackers and zombie bots. So, for example, if you wanted to change your SSH server to run on port 1025, you would just make that change in the sshd_config file:

$ sudo gedit /etc/ssh/sshd_config

Change "Port 22" to "Port 1025". Then restart your SSH server:

$ sudo /etc/init.d/ssh restart

Remember, if you are behind a firewall, make sure you account for the port change there as well. Also, remember that when connecting to your server from a remote machine, you have to account for the port change in your login command:

$ ssh username@server -p 1025



DenyHosts

DenyHosts is a script that is intended to help thwart SSH server attacks (also known as dictionary-based attacks and brute-force attacks). This is a daemon that runs on your server and watches for failed authentication attempts. Once it sees a certain number of failures from a particular IP address, it blocks that IP address by adding it to /etc/hosts.deny.
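To show what that mechanism amounts to, here is an added example (my own code, not part of DenyHosts or this post) that parses constructed sshd "Failed password" log lines, counts failures per source IP, skips any IP you keep in an allow list (the same role /etc/hosts.allow plays in the section above), and formats the offenders as the "sshd: IP" entries that go into /etc/hosts.deny. The threshold value and the log lines are assumptions.

```python
import re
from collections import Counter

# Pattern for the "Failed password" line sshd writes to the auth log
# (the post points DenyHosts at /var/log/secure via SECURE_LOG).
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed sample log lines (documentation IP ranges), not from a real server.
SAMPLE_LOG = """\
Apr 20 10:01:02 box sshd[4011]: Failed password for invalid user admin from 203.0.113.7 port 41122 ssh2
Apr 20 10:01:05 box sshd[4013]: Failed password for invalid user admin from 203.0.113.7 port 41130 ssh2
Apr 20 10:01:09 box sshd[4015]: Failed password for root from 203.0.113.7 port 41140 ssh2
Apr 20 10:02:00 box sshd[4020]: Accepted publickey for alice from 198.51.100.5 port 50112 ssh2
Apr 20 10:02:30 box sshd[4022]: Failed password for alice from 198.51.100.5 port 50120 ssh2
Apr 20 10:03:14 box sshd[4030]: Failed password for invalid user test from 192.0.2.44 port 60001 ssh2
"""


def count_failures(log_text):
    """Return a Counter of failed-login attempts keyed by source IP."""
    hits = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            hits[m.group("ip")] += 1
    return hits


def offenders(log_text, threshold, allow=()):
    """IPs with at least `threshold` failures, minus any in the allow list
    (so your own office IP from /etc/hosts.allow never gets blocked)."""
    counts = count_failures(log_text)
    return sorted(ip for ip, n in counts.items() if n >= threshold and ip not in allow)


def hosts_deny_lines(ips):
    """Format blocked IPs as TCP wrappers entries for /etc/hosts.deny."""
    return ["sshd: %s" % ip for ip in ips]


if __name__ == "__main__":
    # Assumed threshold of 3 failures; DenyHosts makes this configurable.
    blocked = offenders(SAMPLE_LOG, threshold=3)
    print("\n".join(hosts_deny_lines(blocked)))
```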

Here are the steps I use to install DenyHosts:

DenyHosts is written in Python, so make sure all of the Python packages that it depends on are installed:

$ sudo aptitude install python python2.3-dev python2.3

Download the DenyHosts package, the current release as of this post is available here. Download the .tar.gz file (DenyHosts-2.6.tar.gz).

Untar the file, then enter the folder with your terminal and run this command:

$ sudo python setup.py install

The next step is to configure the script. First, create the configuration files:

$ cd /usr/share/denyhosts
$ sudo cp denyhosts.cfg-dist denyhosts.cfg
$ sudo cp daemon-control-dist daemon-control

Edit denyhosts.cfg

$ sudo gedit denyhosts.cfg

The settings are well documented, so configure the settings according to your preferences. Here are some of the key operating system specific settings that you will need to know when setting up this file for Ubuntu 7.04:

SECURE_LOG = /var/log/secure

HOSTS_DENY = /etc/hosts.deny

LOCK_FILE = /var/run/denyhosts.pid

Also, you'll see that there is a set of Synchronization settings in there. This script has the ability to send the list of IPs that you blocked up to a centralized server. It then keeps a running list of all the IPs that have been blocked by all the DenyHosts users and gives you the option to have all of those IPs automatically blocked by your server.

Next, edit daemon-control

$ sudo gedit daemon-control

The only thing you should have to modify in this file is DENYHOSTS_LOCK:

DENYHOSTS_LOCK = "/var/run/denyhosts.pid"

Next, we have to make sure that /etc/hosts.allow and /etc/hosts.deny exist. In Ubuntu Feisty 7.04, these files are not created during the initial installation. To create these files, do this:

$ sudo touch /etc/hosts.allow
$ sudo touch /etc/hosts.deny

Finally, we need to make sure DenyHosts runs automatically on startup. First, create a symbolic link in /etc/init.d:

$ cd /etc/init.d
$ sudo ln -s /usr/share/denyhosts/daemon-control DenyHosts

I then use BUM (Boot Up Manager) to set DenyHosts to run on startup. If you don’t have bum installed, you can install it from the repositories like this:

$ sudo aptitude install bum

Open BUM by clicking System -> Administration -> BootUp-Manager. Look for DenyHosts in the list, check the box, then click Apply. You can check to see if DenyHosts is running with this command:

$ ps -ef | grep denyhosts.py

If you see a result that looks like this, then it is running:

root 12325 1 0 Apr20 ? 00:00:00 python /usr/bin/denyhosts.py --daemon --config=/usr/share/denyhosts/denyhosts.cfg

Note - it appears that denyhosts is now in the repositories. I'm not sure how to configure the version from the repositories, or if it's already pre-configured; I may look into that in the future.



Other Methods

There are lots of other methods you can use to make your SSH server more secure. If you are interested, a couple other methods you can research are Port Knocking and fail2ban (which is in the repositories).
