
bsdnerds.org

OpenSSH Server Security Practices

OpenSSH is the main connectivity tool for remote login over the SSH protocol.

It encrypts all traffic to prevent intrusions, connection hijacking and similar attacks.

In addition, OpenSSH offers a wide array of security features, such as several authentication methods and extensive configuration options.

Read on to find out the top 20 OpenSSH server best practices that will increase your security.

SSH public key login feature

OpenSSH supports several authentication methods, the recommended one being public key authentication. To set it up, generate a key pair with the ssh-keygen command:

$ ssh-keygen -t key_type -b bits -C "comment"
$ ssh-keygen -t ed25519 -C "Login to production cluster at xyz corp"
$ ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa_aws_$(date +%Y-%m-%d) -C "AWS key for abc corp clients"

Afterwards, install the public key on the remote host with ssh-copy-id:

$ ssh-copy-id -i /path/to/public-key-file user@host
$ ssh-copy-id user@remote-server-ip-or-dns-name
$ ssh-copy-id vivek@rhel7-aws-server

Turn off root user login

You can disable root login over SSH for better security. Before doing so, verify that login as a regular (non-root) user works.

Turn off password login

Another best practice for increased security is to disable password login and allow only public key logins, with the following sshd_config directives:

AuthenticationMethods publickey
PubkeyAuthentication yes

Create user access restrictions

It is best to permit only the root, vivek and jerry users to access the system over SSH. Therefore, add the following rule:

AllowUsers vivek jerry

And add the following rule to block unauthorized users:

DenyUsers root saroj anjali foo

Forbid empty password authorization

Remote login to the server must not be possible with an account that has an empty password. Add a rule like the following to prevent this:

PermitEmptyPasswords no

Enforce strong passwords for SSH

A great method for keeping an OpenSSH server secure is to allow users to set only strong passwords. You can also put a password generator in place for an extra layer of security.

Update iptables

Keep the firewall rules for the SSH TCP port (22) up to date at all times, with settings suited to your security requirements.

Keep in mind that this type of server should accept connections only from a LAN or WAN site.

Restrict IP binding

By default, SSH listens on all IP addresses available on the system. Binding sshd only to specific addresses and changing the SSH port add an extra layer of security that is harder to breach.
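As an added example that is not part of the article, the following POSIX shell script audits an sshd configuration against the settings recommended in the sections above (root login, password login, user restrictions, empty passwords, IP binding) and the idle timeout from the list further down. The directive names are real sshd_config keywords; the two sample configurations, the address 192.0.2.10 and the file name /tmp/eff.conf are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the article): audit an sshd configuration against
# the hardening recommendations. Works on a raw sshd_config or, better, on the
# output of `sshd -T`, which prints the effective configuration with
# lower-cased keywords and Match blocks resolved. Samples are constructed.

# get_directive CONFIG KEYWORD
# Prints the value of the first (winning) occurrence of KEYWORD, matched
# case-insensitively; commented-out lines never match. Key=value syntax and
# Match blocks in a raw file are not handled; use `sshd -T` output for those.
get_directive() {
    printf '%s\n' "$1" | awk -v k="$2" '
        tolower($1) == tolower(k) {
            sub(/^[ \t]*[^ \t]+[ \t]+/, "")   # strip the keyword, keep the rest
            print
            exit
        }'
}

# check_value ACTUAL EXPECTED
# EXPECTED is an exact value, "*" (any non-empty value) or ">0" (positive integer).
check_value() {
    case "$2" in
        '*')  [ -n "$1" ] ;;
        '>0') case "$1" in ''|0|*[!0-9]*) return 1 ;; esac ;;
        *)    [ "$1" = "$2" ] ;;
    esac
}

# audit_config CONFIG
# Prints one line per check and returns the number of findings (0 = all good).
audit_config() {
    findings=0
    for spec in \
        'permitrootlogin=no' \
        'passwordauthentication=no' \
        'pubkeyauthentication=yes' \
        'permitemptypasswords=no' \
        'allowusers=*' \
        'listenaddress=*' \
        'clientaliveinterval=>0'
    do
        key=${spec%%=*}
        expected=${spec#*=}
        actual=$(get_directive "$1" "$key")
        if [ -z "$actual" ]; then
            printf 'MISSING %-22s (expected %s)\n' "$key" "$expected"
            findings=$((findings + 1))
        elif check_value "$actual" "$expected"; then
            printf 'ok      %-22s = %s\n' "$key" "$actual"
        else
            printf 'WEAK    %-22s = %s (expected %s)\n' "$key" "$actual" "$expected"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# count_findings CONFIG -> prints the number of findings (for scripting)
count_findings() {
    n=0
    audit_config "$1" >/dev/null || n=$?
    echo "$n"
}

# Constructed sample 1: a stock-looking configuration with defaults left in place.
WEAK_CONFIG='Port 22
#PermitRootLogin prohibit-password
PasswordAuthentication yes
PermitEmptyPasswords yes
ClientAliveInterval 0'

# Constructed sample 2: the settings this article recommends (address is RFC 5737).
HARDENED_CONFIG='ListenAddress 192.0.2.10
PermitRootLogin no
PubkeyAuthentication yes
AuthenticationMethods publickey
PasswordAuthentication no
PermitEmptyPasswords no
AllowUsers vivek jerry
ClientAliveInterval 300'

# Usage: `sh sshd_audit.sh` audits the two samples;
# `sshd -T > /tmp/eff.conf && sh sshd_audit.sh /tmp/eff.conf` audits a live server.
if [ $# -gt 0 ]; then
    audit_config "$(cat "$1")"
else
    echo "== weak sample =="
    audit_config "$WEAK_CONFIG" || true
    echo "== hardened sample =="
    audit_config "$HARDENED_CONFIG" || true
fi
```

Run it without arguments to see both samples reported; a live server is best audited through `sshd -T`, because that output reflects defaults and Match blocks, so a commented-out line in the file cannot mislead the check.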

Benefit from TCP wrappers

Even though it is not essential, a TCP wrapper can be helpful for filtering network access.

Protect against brute force attacks

A brute force attack tries to defeat a cryptographic or authentication scheme by systematically trying a wide array of possibilities, often from a distributed network of hosts.

Brute force attacks can be countered with software such as DenyHosts or SSHGuard.
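As an added example that is not from the article, the script below shows the core of what DenyHosts and SSHGuard do: it counts failed password logins per source address in OpenSSH syslog lines and turns the sources above a threshold into iptables DROP rules, followed by the LAN-only accept rule the Update iptables section asks for. The log lines, the addresses (RFC 5737 documentation ranges) and the management network 192.0.2.0/24 are constructed; the rules are printed for review, not applied.

```shell
#!/bin/sh
# Added example (not from the article): detect SSH brute forcing from auth log
# lines and produce firewall rules for review. All data below is constructed.

# Constructed sample auth log in the standard OpenSSH syslog format.
SAMPLE_AUTH_LOG='Mar  3 10:01:02 bastion sshd[2314]: Failed password for invalid user admin from 198.51.100.23 port 51022 ssh2
Mar  3 10:01:04 bastion sshd[2314]: Failed password for invalid user admin from 198.51.100.23 port 51022 ssh2
Mar  3 10:01:06 bastion sshd[2316]: Failed password for root from 198.51.100.23 port 51030 ssh2
Mar  3 10:01:07 bastion sshd[2318]: Accepted publickey for vivek from 192.0.2.7 port 40210 ssh2: ED25519 SHA256:CONSTRUCTED
Mar  3 10:01:09 bastion sshd[2320]: Failed password for jerry from 192.0.2.7 port 40212 ssh2
Mar  3 10:01:11 bastion sshd[2322]: Failed password for invalid user test from 198.51.100.23 port 51044 ssh2
Mar  3 10:01:15 bastion sshd[2324]: Invalid user oracle from 203.0.113.9 port 60001
Mar  3 10:01:16 bastion sshd[2324]: Failed password for invalid user oracle from 203.0.113.9 port 60001 ssh2'

# brute_force_sources LOG THRESHOLD
# Prints "address count" for every source with at least THRESHOLD failed
# password attempts, most failures first. Successful logins and other
# sshd messages are ignored.
brute_force_sources() {
    printf '%s\n' "$1" | awk -v threshold="$2" '
        /sshd\[[0-9]+\]: Failed password for / {
            # the source address is the token after "from"
            for (i = 1; i <= NF; i++)
                if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END {
            for (ip in fails)
                if (fails[ip] >= threshold) print ip, fails[ip]
        }' | sort -k2,2nr -k1,1
}

# block_rules LOG THRESHOLD
# One iptables DROP rule per flagged source (printed, not executed, so the
# list can be reviewed before it is applied).
block_rules() {
    brute_force_sources "$1" "$2" | while read -r ip count; do
        printf 'iptables -A INPUT -p tcp --dport 22 -s %s -j DROP   # %s failed logins\n' "$ip" "$count"
    done
}

# ssh_firewall_rules LOG THRESHOLD MGMT_CIDR
# Complete rule set for port 22: drop flagged sources first (in case one sits
# inside the trusted network), accept the management network, drop the rest.
ssh_firewall_rules() {
    block_rules "$1" "$2"
    printf 'iptables -A INPUT -p tcp --dport 22 -s %s -j ACCEPT\n' "$3"
    printf 'iptables -A INPUT -p tcp --dport 22 -j DROP\n'
}

echo "== sources with 3 or more failed logins =="
brute_force_sources "$SAMPLE_AUTH_LOG" 3
echo "== proposed rules (management network 192.0.2.0/24, constructed) =="
ssh_firewall_rules "$SAMPLE_AUTH_LOG" 3 192.0.2.0/24
```

Tools like SSHGuard add what this sketch leaves out: a sliding time window, escalating block durations and automatic expiry, so a single mistyped password from a legitimate user (192.0.2.7 above) never reaches the threshold while a scanner does.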

Additional 10 OpenSSH security measures

  1. Filter incoming traffic on TCP port 22
  2. Enable port knocking
  3. Enable an idle logout timeout
  4. Create a warning banner for SSH users
  5. Disable insecure access with RSH
  6. Disable host-based login
  7. Install the latest security updates
  8. Prevent users from stepping outside their home directories via chroot in OpenSSH
  9. Disable the OpenSSH server on clients that don’t need it
  10. Consider keychain-based verification