Securing SSH on Linux Ubuntu

Solution 1:

What goals do you have in mind for your security? Who are you protecting this against?

Broad spectrum: use iptables to firewall port 22 against any unwanted IPs by specifically allowing the IPs you want, then blocking everything else.

You can also specify whether users can use passwords to log in, or whether they have to have certificates, which might be a good idea if you suspect people will try to break into others' accounts.

But for specifics, we've got to know what you're doing.

EDIT

OK, taking into account what you said below in the comments, you want to prevent unauthorized access to the machine. The second part, ensuring that your users don't do anything bad, is beyond the scope of this particular question, but is a worthy topic too. Broad, but worth asking.

The primary file that you need to edit is /etc/ssh/sshd_config and after each configuration change, you need to run /etc/init.d/sshd restart (or /etc/init.d/ssh if it's a debian/ubuntu system). When you're first learning how to configure ssh, it's a good idea to be logged in on the local console, since a misconfiguration will cut off your access.

Step 1: Make sure that root can't log in via ssh.

PermitRootLogin no

If you absolutely must have root logins, you can set it to "without-password", which requires the connecting user to present a certificate and be authenticated like that.

Step 2: Allow (or deny) any specific users that should (or shouldn't) have access

There are various configuration directives to do this, like DenyUsers, AllowUsers, DenyGroups, and AllowGroups. These take lists of users or groups separated by spaces.

One of the neat things is that you can specify user@host, so if you only want Bob to be able to connect from his home machine, you can say

AllowUsers [email protected] 

Step 3: Explicitly permit public key authentication

PubkeyAuthentication yes

This is the default, but we want to ensure it takes effect, because we're going to disable the ability for users to type passwords in...

Step 4: Disable password authentication

Passwords can be stolen, overheard, or copied from the sticky note under your keyboard. Certificates are harder to do. Make sure that people can't use passwords thusly:

PasswordAuthentication no

Step 5: Make sure clients use modern protocols

Protocol 2

OpenSSH supports 2 protocols, called, creatively, "1" and "2". "1" is old and allows things like DES encryption and other insecure things.

You're going to have to get your users PuTTY certificates in order to connect now. The easiest way is to use PuTTYgen, which is available at the PuTTY site (http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html).

Hope it helps!
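As an added example (not part of any answer above): a small Python checker that reads an sshd_config and reports which of the five steps are not met, honouring two OpenSSH parsing rules that often bite when hardening: the first occurrence of a directive wins, and directives after a Match line are conditional rather than global. The sample config is constructed; "prohibit-password" is the newer spelling of "without-password".

```python
# Added example (not from the original answers): audit an sshd_config against the
# five steps above. OpenSSH rules: keywords are case-insensitive, the FIRST
# occurrence of a keyword wins, and lines after the first "Match" are conditional.
import re

EXPECTED = {  # lowercase keyword -> acceptable values
    "permitrootlogin": {"no", "without-password", "prohibit-password"},
    "pubkeyauthentication": {"yes"},
    "passwordauthentication": {"no"},
    "protocol": {"2"},
}

def parse_global_settings(text):
    # Return {keyword: value} for global directives; first occurrence wins.
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break                             # rest of file is conditional
        settings.setdefault(key, value)       # earlier line takes precedence
    return settings

def audit(text):
    # Return a list of findings; an empty list means all five steps hold.
    s = parse_global_settings(text)
    findings = []
    for key, ok in EXPECTED.items():
        val = s.get(key)
        if val is None:
            findings.append(f"{key}: not set explicitly (relying on the default)")
        elif val.lower() not in ok:
            findings.append(f"{key}: is '{val}', expected one of {sorted(ok)}")
    if "allowusers" not in s and "allowgroups" not in s:
        findings.append("no AllowUsers/AllowGroups: every account may log in")
    return findings

# Constructed sample config with two of the steps done wrong.
SAMPLE = """
PermitRootLogin yes          # step 1 violated
PermitRootLogin no           # ignored: first occurrence wins
PubkeyAuthentication yes
#PasswordAuthentication no   # commented out, so the default (yes) applies
Protocol 2
AllowUsers bob
Match User deploy
    PasswordAuthentication no   # conditional; does not change the global value
"""
```

Run `audit(open("/etc/ssh/sshd_config").read())` before the restart described in the answer; `sshd -t` additionally validates the file's syntax.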

Solution 2:

You can try enforcing the use of SSH keys or introducing a hard token (like a YubiKey). Moving SSH away from port 22 helps against script kiddies but will surely not defend you from someone who has targeted you as a victim.

Solution 3:

On top of everything the top poster said, there is a script called "DenyHosts" which will deny access to anything that authenticates badly three times, or, for a more iptables way to do the same thing:

http://dwm.me.uk/articles/2008/mitigating-ssh-attacks

Solution 4:

In addition to everything @MattSimmons suggests in his excellent answer, I would say that instead of managing iptables yourself, you may want to consider using:

fwknop - Single Packet Authorization and Port Knocking:

fwknop stands for the "FireWall KNock OPerator", and implements an authorization scheme called Single Packet Authorization (SPA). This method of authorization is based around a default-drop packet filter (fwknop supports both iptables on Linux systems and ipfw on FreeBSD and Mac OS X systems) and libpcap. SPA is essentially next generation port knocking.

That way you don't have to bother with things like fail2ban or other ssh blacklisting tools; instead you can avoid allowing anyone to even connect to your ssh port without first doing SPA.

Solution 5:

For learning more about securing Linux, see the NSA guide at:

Guide to the Secure Configuration of Red Hat Enterprise Linux 5

It has some good sections on SSH, enforcing password lengths etc.