adduser $user gpasswd -a $user sudo nano /etc/ssh/sshd_config PermitRootLogin no # only $user can login with ssh AllowUsers $user service ssh restart # additionaly, enforce IP whitelist/blacklist via hosts.deny
PermitEmptyPasswords no
also, ssh users and specially root, should have 16 char alphanum passwords
and restart the SSH service:
Port 22
idle timeout to avoid unattended ssh session
ClientAliveInterval 300 ClientAliveCountMax 0
Using SSH protocol 2 only is much more secure
Protocol 2
/etc/ssh/sshd_config - OpenSSH server configuration file. /etc/ssh/ssh_config - OpenSSH client configuration file. ~/.ssh/ - Users ssh configuration directory. ~/.ssh/authorized_keys or ~/.ssh/authorized_keys - Lists the public keys (RSA or DSA) that can be used to log into the user's account /etc/nologin - If this file exists, sshd refuses to let anyone except root log in. /etc/hosts.allow and /etc/hosts.deny : Access controls lists that should be enforced by tcp-wrappers are defined here. SSH default port : TCP 22
create a dummy local user with no rights, use that user to login, put it in the wheel group, so that you can sudo
PermitRootLogin no AllowUsers aa bb cc AllowUsers deploy@(your-ip) deploy@(another-ip-if-any)
be careful system users(ftpd, apache, www ...)
allow only specific users:
AllowUsers user1 user2 AllowUsers deploy@(your-ip) deploy@(another-ip-if-any)
deny sys users
DenyUsers user1 user2
list user that can potentially access the system:
cat /etc/passwd | grep /bin/sh cat /etc/passwd | grep -v nologin | grep -v /bin/false
oppure cambiare la shell in /bin/false
Disable .rhosts files, Disable Host-Based Authentication Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes HostbasedAuthentication no
You can also use different iptables parameters to limit connections to the SSH service for specific time periods. You can use the /second, /minute, /hour, or /day switch in any of the following examples.
In the first example, if a user enters the wrong password, access to the SSH service is blocked for one minute, and the user gets only one login try per minute from that moment on:
iptables -A INPUT -p tcp -m state --syn --state NEW --dport 22 -m limit --limit 1/minute --limit-burst 1 -j ACCEPT iptables -A INPUT -p tcp -m state --syn --state NEW --dport 22 -j DROP
In a second example, iptables are set to allow only host 193.180.177.13 to connect to the SSH service. After three failed login tries, iptables allows the host only one login try per minute:
iptables -A INPUT -p tcp -s 193.180.177.13 -m state --syn --state NEW --dport 22 -m limit --limit 1/minute --limit-burst 1 -j ACCEPT iptables -A INPUT -p tcp -s 193.180.177.13 -m state --syn --state NEW --dport 22 -j DROP
#SSH anti brute force iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 600 --hitcount 5 --rttl --name SSH -j DROP iptables -A INPUT -p tcp --dport 22 -j ACCEPT
accept connection only from 192.168.1.0/24 and 202.54.1.5/29,
via firewall:
nano /etc/sysconfig/iptables (Redhat) -A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 22 -j ACCEPT -A RH-Firewall-1-INPUT -s 202.54.1.5/29 -m state --state NEW -p tcp --dport 22 -j ACC
via tcpwrappers hosts.allow hosts.deny:
nano /etc/hosts.allow sshd: 192.168.1.2
nano /etc/hosts.deny sshd: 192.168.1.2 ALL: 74.52.109.
Both netfilter and pf provides rate-limit option to perform simple throttling on incoming connections on port # 22.
#!/bin/bash inet_if=eth1 ssh_port=22 $IPT -I INPUT -p tcp --dport ${ssh_port} -i ${inet_if} -m state --state NEW -m recent --set $IPT -I INPUT -p tcp --dport ${ssh_port} -i ${inet_if} -m state --state NEW -m recent --update --seconds 60 --hitcount 5 -j DROP Call above script from your iptables scripts. Another config option: $IPT -A INPUT -i ${inet_if} -p tcp --dport ${ssh_port} -m state --state NEW -m limit --limit 3/min --limit-burst 3 -j ACCEPT $IPT -A INPUT -i ${inet_if} -p tcp --dport ${ssh_port} -m state --state ESTABLISHED -j ACCEPT $IPT -A OUTPUT -o ${inet_if} -p tcp --sport ${ssh_port} -m state --state ESTABLISHED -j ACCEPT # another one line example # $IPT -A INPUT -i ${inet_if} -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 22 -m limit --limit 5/minute --limit-burst 5-j ACCEPT
to use logwatch, make sure LogLevel is set to INFO or DEBUG in sshd_config
LogLevel INFO
at the moment you need to update source code and compile openssh again
adds SSL encription("secure tunnel") support to unencripted protocols.
apt-get install stunnel4 -y nano /etc/stunnel/stunnel.conf
client = no [squid] accept = 8888 connect = 127.0.0.1:3128 cert = /etc/stunnel/stunnel.pem
ssh user@host 'ls -l; ps -aux; whoami'