Securing SSH

From MEPIS Documentation Wiki


You can secure SSH by following these steps:


Allow only specific IP addresses to connect to your computer

Allow only specific remote addresses in the LAN. For example, to allow all addresses in the 192.168.0.x range to connect but nothing else, edit /etc/hosts.allow and add this line:

sshd: 192.168.0.0/255.255.255.0

Then deny everything else in /etc/hosts.deny by adding this line:

sshd: ALL

If you can't restrict access to known computers (because you need to connect from random computers on different networks), it is highly recommended to install fail2ban. This program bans IPs that cause multiple authentication errors (by adding those IP addresses to /etc/hosts.deny).

Allow only specific users to connect to your computer

Very important! Don't allow root connections. Set in /etc/ssh/sshd_config:

PermitRootLogin no

You can also restrict access to specific users on the SSH server. In /etc/ssh/sshd_config add:

AllowUsers username

Set maximum number of tries

With this option you can set a maximum number of authentication attempts per connection, which defeats the brute-force approach; note, however, that this makes DoS attacks possible (an attacker can exhaust the attempts and lock out a legitimate user).

MaxAuthTries 3

Other security enhancements

  • Look for the Protocol entry and remove 1, so that only the SSH 2 protocol is allowed:

Protocol 2

  • Run sshd on an alternate port. Edit /etc/ssh/sshd_config:

Change Port 22 to an unused port. You then need to specify the new port when you connect, like this:

ssh hostname -p portnumber

Don't forget to unblock the new port in your firewall configuration.

  • Install the denyhosts or fail2ban package; these programs monitor SSH connections and ban IP addresses that try to brute-force your account.
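As an added example (not code from the MEPIS wiki), the following Python script parses an sshd_config file the way sshd reads it (first occurrence of a keyword wins, comment lines are ignored, both "Keyword value" and "Keyword=value" are accepted) and reports whether the settings recommended on this page are in place. The two embedded configurations are constructed samples, one before and one after applying the steps above.

```python
import re

# Constructed sample configs for demonstration, not taken from any real host.
WEAK_SSHD_CONFIG = """\
Port 22
Protocol 2,1
PermitRootLogin yes
#AllowUsers alice
MaxAuthTries 6
"""
HARDENED_SSHD_CONFIG = """\
Port = 2222
Protocol 2
PermitRootLogin no
AllowUsers alice
MaxAuthTries 3
"""

def parse_sshd_config(text):
    """Map lower-cased keyword -> first value. sshd honours the first occurrence
    of a keyword, skips blank and '#' lines, and accepts 'Keyword value' or
    'Keyword=value'; keywords are case-insensitive."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings

def audit_sshd_config(text, max_auth_tries=3):
    """Check the settings this page recommends. Keywords the page says to set
    explicitly count as failed when absent; Port and MaxAuthTries fall back to
    sshd's documented defaults (22 and 6)."""
    cfg = parse_sshd_config(text)
    root = cfg.get("permitrootlogin")
    protocol = cfg.get("protocol")
    protos = {p.strip() for p in protocol.split(",")} if protocol else set()
    tries = int(cfg.get("maxauthtries", "6"))
    port = cfg.get("port", "22")
    return {  # check name -> (passed, observed value)
        "permit_root_login_no": (root is not None and root.lower() == "no", root),
        "allow_users_set": ("allowusers" in cfg, cfg.get("allowusers")),
        "max_auth_tries": (tries <= max_auth_tries, tries),
        "protocol_2_only": (protos == {"2"}, protocol),
        "non_default_port": (port != "22", port),
    }

if __name__ == "__main__":
    for name, (ok, seen) in audit_sshd_config(WEAK_SSHD_CONFIG).items():
        print(f"{'PASS' if ok else 'FAIL'} {name}: {seen!r}")
```

To audit a real server, read /etc/ssh/sshd_config into a string and pass it to audit_sshd_config; remember that sshd only applies the file after a restart or reload.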
