Skip to main content

5 Best Practices to Secure and Protect SSH



SSH (Secure Shell) is an open source network protocol that is used to connect local or remote Linux servers to transfer files, make remote backups, remote command execution and other network related tasks via scp or sftp between two servers that connects on secure channel over the network.

SSH Server Security Tips
In this article, I will show you some simple tools and tricks that will help you to tighten your ssh server security. Here you will find some useful information on how to secure and prevent ssh server from brute force and dictionary attacks.
1. DenyHosts
DenyHosts is an open source log-based intrusion prevention security script for SSH servers was written in python programming language that intended to run by Linux system administrators and users to monitor and analyzes SSH server access logs for failed login attempts knows as dictionary based attacks and brute force attacks. The script works by banning IP addresses after set number of failed login attempts and also prevent such attacks from gaining access to server.
DenyHosts Features
  1. Keeps track of /var/log/secure to find all successful and failed login attempts and filters them.
  2. Keeps eye on all failed login attempts by user and offending host.
  3. Keeps watch on each existing and non-existent user (eg. xyz) when a failed login attempts.
  4. Keeps track of each offending user, host and suspicious login attempts (If number of login failures) bans that host IP address by adding an entry in /etc/hosts.deny file.
  5. Optionally sends an email notifications of newly blocked hosts and suspicious logins.
  6. Also maintains all valid and invalid failed user login attempts in separate files, so that it makes easy for identifying which valid or invalid user is under attack. So, that we can delete that account or change password or disable shell for that user.
2. Fail2Ban
Fail2ban is one of the most popular open source intrusion detection/prevention framework written in python programming language. It operates by scanning log files such as /var/log/secure, /var/log/auth.log, /var/log/pwdfail etc. for too many failed login attempts. Fail2ban used to update Netfilter/iptables or TCP Wrapper’s hosts.deny file, to reject an attacker’s IP address for a set amount of time. It also has a ability to unban a blocked IP address for a certain period of time set by administrators. However, an certain minutes of unban is more enough to stop such malicious attacks.
Fail2Ban Features
  1. Multi-threaded and Highly configurable.
  2. Support for log files rotation and can handle multiple services like (sshd, vsftpd, apache, etc).
  3. Monitors log files and looks for known and unknown patterns.
  4. Uses Netfilter/Iptables and TCP Wrapper (/etc/hosts.deny) table to ban attackers IP.
  5. Runs scripts when a given pattern has been identified for the same IP address for more than X times.
3. Disable Root Login
By default Linux systems are per-configured to allow ssh remote logins for everyone including root user itself, which allows everyone to directly log in to system and gain root access. Despite the fact that ssh server allows a more secure way to disable or enable root logins, it’s always a good idea to disable root access, keeping servers a bit more secure.
There are so many people trying to brute force root accounts via SSH attacks by simply supplying different account names and passwords, one after another. If you are a system administrator, you can check ssh server logs, where you will find number of failed login attempts. The main reason behind number of failed login attempts is having weak enough passwords and that makes sense for hackers/attackers to try.
If you are having strong passwords, then you’re probably safe, however it’s better to disable root login and have regular separate account to log into, and then use sudo or su to gain root access whenever required.
4. Display SSH Banner
This is one of the oldest feature available from the beginning of the ssh project, but I’ve hardly seen it is used by anyone. Anyway I feels its important and very useful feature that I’ve used for all my Linux servers.
This is not for any security purpose, but the most greatest benefit of this banner is that it is used to display ssh warning messages to UN-authorized access and welcome messages to authorized users before the password prompt and after the user logged in.
5. SSH Passwordless Login
A SSH Password-less login with SSH keygen will establish a trust relationship between two Linux servers which makes file transfer and synchronization much easier. This is very useful if you are dealing with remote automated backups, remote scripting execution, file transfer, remote script management etc without enter passwrod each time.

Comments

Post a Comment

Popular posts from this blog

Bridging Ethernet Connections - Ubuntu/Fedora

Installing bridge-utils Adept Search for bridge-utils and choose the drop-down arrow on the left. Choose "request install". Konsole: Enter this into Konsole: sudo apt-get update sudo apt-get install bridge-utils If you use sudo -i and enter your password, then you will not have to use sudo before each command. It may also save you some typing in the future. Setting up the Bridge Ensure that both (or all) of your interfaces are installed and enabled. If they are then you may proceed at this point. For a few moments, if your computer is connected to the internet then it will be disconnected until a certain point is reached. Open Konsole and use the following commands. Note that when interfaces are referenced, they refer to device names assigned by linux such as "eth0" and "eth1". Also note that myBridge is the name of the bridge that you wish to have. This can be anything, but a simple name like bridge0 or bridge1 is s...
Post a Comment
Read more

Microsoft Active Directory

> What Intrasite and Intersite Replication? Intrasite is the replication within the same site & intersite the replication between sites. > What is lost & found folder in ADS? It’s the folder where you can find the objects missed due to conflict. Ex: you created a user in OU which is deleted in other DC & when replication happed ADS didn’t find the OU then it will put that in Lost & Found Folder. > What is Garbage collection? Garbage collection is the process of the online defragmentation of active directory. It happens every 12 Hours. > What System State data contains? Contains Startup files, Registry Com + Registration Database Memory Page file System files AD information Cluster Service information SYSVOL Folder >What is the difference between Windows 2000 Active Directory and Windows 2003 Active Directory? Is there any difference in 2000 Group Polices and 2003 Group Polices? What is meant by ADS and ADS ser...
Post a Comment
Read more

What are the few major differences between 2003,2008 & 2012

2003-IIS 6.0 2008- IIS 7.0 2008R2- IIS-7.5 2012-IIS 8 ---------------------- 2003-32 AND 64 BIT AVAILABLE 2008-32AND 64BIT AVAILABLE 2008R2- ONLY 64BIT AVAILABLE 2012 - ONLY 64 BIT AVAILABLE ------------------------------------------ 2003 KERNAL VER. -5.2 2008 KERNEL-6.0 2008 R2-6.1 2012-6.2 ------------------------------------------ 2003- IE VERSION 6.0 2008- IE VERSION 7.0 2008 R2 IE VERSION 8.0 2012 IE VERSION 10.0 2012 R2 IE VERSION 11.0 ----------------------- 2003- AD ADMINISTRATIVE CENTER NOT AVAILABLE 2008- NOT AVAILABLE 2008 R2- AVAILABLE 2012- AVAILABLE -------------------------------------
Post a Comment
Read more