OpenSSH Server Security Practices
OpenSSH is the main connectivity tool for remote login over the SSH protocol.
It encrypts all traffic to prevent eavesdropping, connection hijacking and similar attacks.
Besides that, OpenSSH offers a wide array of security features, such as several authentication methods and extensive configuration options.
Read on to find out the top 20 OpenSSH server best practices that will improve your security.
SSH public key login feature
OpenSSH comes with several authentication methods, the most effective one being public key authentication. To set it up, first generate a key pair with the ssh-keygen command:
$ ssh-keygen -t key_type -b bits -C "comment"
$ ssh-keygen -t ed25519 -C "Login to production cluster at xyz corp"
$ ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa_aws_$(date +%Y-%m-%d) -C "AWS key for abc corp clients"
Afterwards, copy the public key to the server with ssh-copy-id:
$ ssh-copy-id -i /path/to/public-key-file user@host
$ ssh-copy-id user@remote-server-ip-or-dns-name
$ ssh-copy-id vivek@rhel7-aws-server
Turn off root user login
You can disable root login over SSH for better security. But before doing so, verify that login as a regular user works.
Turn off password login
Another best practice for increased security is to disable password login and allow only public key logins, using the following sshd_config directives:
AuthenticationMethods publickey
PubkeyAuthentication yes
Create user access restrictions
It is best to permit only a named set of users, such as vivek and jerry, to access the system over SSH. Therefore, add the following rule:
AllowUsers vivek jerry
And add the following rule to explicitly deny accounts that must not log in:
DenyUsers root saroj anjali foo
Forbid empty password authorization
Remote login to the server must never be possible with an account that has an empty password. Add the following directive to prevent this:
PermitEmptyPasswords no
Enforce strong passwords for SSH
A great way to keep an OpenSSH server secure is to allow users to set only strong passwords. You can also put a password generator in place for an extra layer of security.
Update iptables
Always restrict the SSH TCP port 22 at the firewall (for example with iptables) and keep those rules up to date with the appropriate security settings.
Keep in mind that this type of server should accept connections only from your LAN or known WAN sites.
Limit IP binding
By default, SSH listens on all available IP addresses on the system. Limiting the addresses sshd binds to, and changing the SSH port, adds an extra layer of security that is harder to breach.
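The directives from the sections above (root login, password login, user restrictions, empty passwords and IP binding) can be checked mechanically. The following POSIX sh script is an added example, not part of the original article: it audits two constructed sshd_config fragments, one with the weak defaults and one hardened as the article recommends. It also mirrors a rule worth knowing when editing sshd_config: sshd uses the first occurrence of a keyword, so a hardening line appended below an earlier setting is ignored. The audit covers only top-level "Keyword value" lines (no Match blocks, no "Keyword=value" form).

```shell
# Constructed sshd_config fragments (not from the original page). The first keeps the
# weak defaults the article warns about; the second applies its recommended directives.
WEAK_CONFIG='ListenAddress 0.0.0.0
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
PubkeyAuthentication yes'

HARDENED_CONFIG='ListenAddress 192.0.2.10
PermitRootLogin no
PasswordAuthentication no
AuthenticationMethods publickey
PubkeyAuthentication yes
PermitEmptyPasswords no
AllowUsers vivek jerry
DenyUsers root saroj anjali foo'

# sshd_value CONFIG KEYWORD: print the effective value of KEYWORD (case-insensitive match).
# sshd honours the FIRST occurrence of a keyword, so later duplicates are deliberately ignored.
sshd_value() {
    printf '%s\n' "$1" | awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*(#|$)/ { next }   # skip comments and blank lines
        tolower($1) == key { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); sub(/[ \t]+$/, ""); print; exit }'
}

# audit_sshd_config CONFIG: report each weak setting on stderr and print the number found.
audit_sshd_config() {
    cfg=$1; bad=0
    check() {   # check KEYWORD EXPECTED (value comparison is case-insensitive)
        v=$(sshd_value "$cfg" "$1")
        if [ "$(printf '%s' "$v" | tr 'A-Z' 'a-z')" != "$2" ]; then
            printf 'WEAK: %s is "%s", want "%s"\n' "$1" "${v:-unset}" "$2" >&2
            bad=$((bad + 1))
        fi
    }
    check PermitRootLogin no            # "Turn off root user login"
    check PasswordAuthentication no     # "Turn off password login"
    check AuthenticationMethods publickey
    check PubkeyAuthentication yes
    check PermitEmptyPasswords no       # "Forbid empty password authorization"
    # An unset or wildcard ListenAddress means sshd binds every interface ("Limit IP binding").
    case "$(sshd_value "$cfg" ListenAddress)" in
        ''|0.0.0.0|::|'[::]') echo 'WEAK: ListenAddress binds all interfaces' >&2; bad=$((bad + 1)) ;;
    esac
    # Without AllowUsers every local account may try to log in ("Create user access restrictions").
    if [ -z "$(sshd_value "$cfg" AllowUsers)" ]; then
        echo 'WEAK: no AllowUsers restriction' >&2; bad=$((bad + 1))
    fi
    echo "$bad"
}

audit_sshd_config "$WEAK_CONFIG"      # lists 6 weak settings on stderr, prints 6
```

Run it against a real file with `audit_sshd_config "$(cat /etc/ssh/sshd_config)"`, remembering that on distributions using an Include directive the included files must be audited too.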
Benefit from TCP wrappers
Even though it is not strictly essential, a TCP wrapper can be helpful for filtering network access. Note that OpenSSH 6.7 and later no longer support TCP wrappers (libwrap), so on those versions filter at the firewall instead.
Counter brute-force attacks
A brute-force attack tries to defeat a cryptographic scheme or password by attempting a very large number of possibilities, often from a distributed network of hosts.
Brute-force attacks can be mitigated with software such as DenyHosts or SSHGuard.
10 additional OpenSSH security measures
- Rate-limit incoming traffic on TCP port 22
- Enable port knocking
- Enable an idle logout timeout
- Display a warning banner to SSH users
- Disable insecure RSH-style (.rhosts) access
- Disable host-based authentication
- Install the latest security updates
- Confine users to their home directories by chrooting OpenSSH sessions
- Disable the OpenSSH server on clients that don't need it
- Consider keychain-based authentication