4 Simple Tips for Securing OpenSSH


Securing an SSH server is a simple process that many administrators overlook. The following are four simple steps you can take to help lock down your SSH server. Given how widespread SSH brute force attacks are, it is well worth the effort to enforce some extra restrictions on your SSH server. Most of the suggestions outlined below rely on configuration changes made in your sshd_config file. Note that there are two separate configuration files, ssh_config and sshd_config, on most installations. Be sure to edit the sshd_config file (the d is for daemon, i.e. the SSH service, as opposed to the client).

1. Run SSH on an alternate port.

This is an easy step you can take that will stop most of those automated SSH brute force attacks. A dedicated attacker can still find your SSH service by scanning for the port it is running on, but blind exploits or password guessing programs that only look at port 22 won't find anything. You might want to consider running SSH on port 20, or port 222. To change the port you simply have to edit your sshd_config file and find (or add) the line that reads:

#Port 22

Uncomment it (remove the # symbol), change the port number, and restart the SSH service. Note that you may have to adjust your firewall rules before the new port is reachable. Be sure to test any new configuration from a second session before you log out of the machine.

2. Limit the number of connection attempts.

There is no reason to let someone guess a password an unlimited number of times. You can easily specify that the server disconnects a client after a set number of incorrect passwords. Many SSH brute forcers get around this by opening a new connection for each password, but that is resource intensive for the attacker, and there's no sense in making things any easier for them. Find, uncomment (by removing the # symbol), and alter the line in sshd_config that reads:

#MaxAuthTries 6

You might want to set the number of tries as low as two, or just leave the default. Anything is better than unlimited tries.

3. Disable remote root logins.

There is no reason root should be able to log in via SSH. If you need to use the root account, at the very least you should log in as a normal user and 'su' to root. Better yet, use sudo so you can log who is doing what as root. To disable root SSH access, find the PermitRootLogin line in sshd_config, uncomment it (by removing the # symbol), and make sure it reads:

#PermitRootLogin no

4. Limit the accounts that can actually use SSH.

You may be able to identify the specific users who will actually use SSH. It is rare that _every_ user on a system needs SSH access. You can limit the users who can use SSH by adding a line such as:

AllowUsers alice bart charles

to your sshd_config file and restarting the server. Of course you'll want to change 'alice', 'bart', and 'charles' to users that actually exist on your system.
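The four changes above can be applied in one go. The script below is an added example, not part of the original article: it rewrites the first global occurrence of each directive (commented or not) or inserts it before the first Match block, so a setting does not accidentally land inside a Match section where it would only apply conditionally. It assumes a POSIX sh with awk; the function names harden_sshd_config, set_directive and get_directive, the sample config and the port value 222 are all constructed for the example.

```shell
#!/bin/sh
# Added example: apply the four hardening settings from the article to an sshd_config file.

# set_directive FILE KEY VALUE
# Replace the first global KEY line (active or commented out) with "KEY VALUE".
# If there is none, insert the directive before the first Match block, or at
# end of file when the config has no Match blocks.
set_directive() {
  awk -v k="$2" -v v="$3" '
    function bare(s) { sub(/^[ \t]*#?[ \t]*/, "", s); return s }
    function is_key(s) { return s == k || index(s, k " ") == 1 || index(s, k "\t") == 1 }
    {
      # an active Match line ends the global section
      if (!inmatch && $0 ~ /^[ \t]*Match([ \t]|$)/) {
        if (!done) { print k " " v; done = 1 }
        inmatch = 1
      }
      line = bare($0)
      if (!done && is_key(line)) { print k " " v; done = 1 }
      else print $0
    }
    END { if (!done) print k " " v }
  ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# get_directive FILE KEY
# Print the value of the first active global KEY line (ignores comments and Match blocks).
get_directive() {
  awk -v k="$2" '
    /^[ \t]*Match([ \t]|$)/ { exit }
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    $1 == k { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; exit }
  ' "$1"
}

# harden_sshd_config FILE PORT "USER1 USER2 ..."
# Steps 1-4 from the article: alternate port, limited auth tries, no root login,
# and an explicit AllowUsers list.
harden_sshd_config() {
  set_directive "$1" Port "$2"
  set_directive "$1" MaxAuthTries 3
  set_directive "$1" PermitRootLogin no
  set_directive "$1" AllowUsers "$3"
}

# Demo on a constructed sshd_config copy (never edit the live file without a backup).
cfg=$(mktemp)
printf '%s\n' '#Port 22' '# constructed sample config' 'MaxAuthTries 6' \
  'Match User bob' '    PermitRootLogin yes' > "$cfg"
harden_sshd_config "$cfg" 222 "alice bart charles"
echo "--- hardened copy ---"
cat "$cfg"
rm -f "$cfg"
```

Run it against a copy of /etc/ssh/sshd_config, check the result with `sshd -t -f COPY` before installing it, and make sure the AllowUsers list includes the account you administer the machine from, otherwise the restart will lock you out. `sshd -T` shows the effective values once the new file is in place.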