OpenSSH is the main connectivity tool for remote login over the SSH protocol.
It encrypts all traffic to prevent intrusions, connection hijacking and similar attacks.
OpenSSH also offers a wide array of security features, such as several authentication methods and extensive configuration options.
Read on to find out the top 20 OpenSSH server best practices that will increase your security.
OpenSSH comes with several authentication methods, the most efficient one being public key authentication. To set it up, generate a key pair with the ssh-keygen command:
$ ssh-keygen -t key_type -b bits -C "comment"
$ ssh-keygen -t ed25519 -C "Login to production cluster at xyz corp"
$ ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa_aws_$(date +%Y-%m-%d) -C "AWS key for abc corp clients"
Afterwards, install the public key on the server with ssh-copy-id:
$ ssh-copy-id -i /path/to/public-key-file [email protected]
$ ssh-copy-id [email protected]
$ ssh-copy-id [email protected]
You can disable root login over SSH for better security, but before doing so verify that a regular (non-root) user can log in.
Another best practice for increased security is to disable password login and allow only public key logins, using the following sshd_config directives:
AuthenticationMethods publickey
PubkeyAuthentication yes
It is best to permit only a short list of users, for example vivek and jerry, to access the system over SSH. To do so, add the following directive:
AllowUsers vivek jerry
Alternatively, deny specific accounts with a DenyUsers rule to prevent unauthorized access:
DenyUsers root saroj anjali foo
Remote login to the server must never be possible with an account that has an empty password; add an sshd_config rule that rejects such accounts.
A great way to keep an OpenSSH server secure is to require users to choose strong passwords. A password generator can add an extra layer of security.
Firewall the SSH TCP port 22: keep the firewall rules up to date and configured so that only trusted sources can reach the port.
Keep in mind that this type of server should accept connections only from your LAN or a known WAN site.
By default sshd listens on all IP addresses available on the system. Restricting the address it binds to (the ListenAddress directive) and changing the SSH port add an extra layer of security that is harder to breach.
Even though it is not essential, a TCP Wrapper can be helpful for filtering network access. Note that OpenSSH dropped built-in TCP wrapper (libwrap) support in version 6.7, so on current releases rely on the firewall for this filtering instead.
A brute-force attack tries a large number of candidate passwords or keys, often from many hosts in a distributed network, until one is accepted.
Brute-force attacks can be prevented with software such as DenyHosts or SSHGuard.
10 additional OpenSSH security measures
- Block incoming traffic to TCP port 22 where it is not needed
- Enable port knocking
- Enable an idle logout timeout
- Create a warning banner for SSH users
- Disable insecure access with RSH
- Disable host-based login
- Install the latest security updates
- Prevent users from stepping outside their home directories with a chrooted OpenSSH
- Disable the OpenSSH server on clients that don't need it
- Consider keychain-based verification
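To check a server against the sshd_config settings covered above (root login, password versus public key login, AllowUsers, empty passwords) and two items from this list (idle timeout, host-based login), here is an added audit script that is not part of the original article. It is plain POSIX shell, assumes awk and mktemp are available, encodes the OpenSSH 7.0+ compiled-in defaults, and runs against a constructed sample config embedded in the script.

```shell
#!/bin/sh
# Audit an sshd_config against the practices above (constructed example, not the
# article's own code). sshd honours the first occurrence of each keyword, keyword
# names are case-insensitive, and an absent keyword takes the compiled-in default,
# which the DEFAULT argument below supplies (defaults as of OpenSSH 7.0+).
# sshd_get FILE KEYWORD DEFAULT -> effective value of KEYWORD in FILE
sshd_get() {
  val=$(awk -v kw="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*(#|$)/ { next }            # skip comments and blank lines
    tolower($1) == "match" { exit }          # below a Match block values are conditional
    tolower($1) == kw { sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, ""); print; exit }
  ' "$1")
  printf '%s' "${val:-$3}"
}
# check FILE KEYWORD DEFAULT EXPECTED MESSAGE -> prints a finding and returns 1 if weak
check() {
  got=$(sshd_get "$1" "$2" "$3")
  [ "$got" = "$4" ] && return 0
  echo "WEAK: $2 is '$got' ($5)"; return 1
}
# audit_sshd_config FILE -> one WEAK line per finding; exit status = number of findings
audit_sshd_config() {
  n=0
  check "$1" PermitRootLogin prohibit-password no "disable direct root login" || n=$((n+1))
  check "$1" PasswordAuthentication yes no "keys only, no password login"      || n=$((n+1))
  check "$1" PermitEmptyPasswords no no "reject accounts with empty passwords" || n=$((n+1))
  check "$1" PubkeyAuthentication yes yes "public key login must stay enabled" || n=$((n+1))
  check "$1" HostbasedAuthentication no no "disable host-based login"          || n=$((n+1))
  # AllowUsers has no default: an empty list means every account may attempt login
  [ -n "$(sshd_get "$1" AllowUsers "")" ] || { echo "WEAK: no AllowUsers list"; n=$((n+1)); }
  # ClientAliveInterval 0 (the default) never disconnects idle sessions
  [ "$(sshd_get "$1" ClientAliveInterval 0)" -gt 0 ] || { echo "WEAK: no idle timeout"; n=$((n+1)); }
  return $n
}
# Constructed sample config: root login still on, a lower-case keyword, and a Match block
write_sample_config() {
  cat > "$1" <<'EOF'
permitrootlogin yes
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
Match User backup
  PasswordAuthentication yes
EOF
}
SAMPLE=$(mktemp); write_sample_config "$SAMPLE"
audit_sshd_config "$SAMPLE" || echo "$? weak setting(s) found"
rm -f "$SAMPLE"
```

On the sample it reports the root login, the missing AllowUsers list and the missing idle timeout, while correctly ignoring the password setting inside the Match block.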