[2024-feb-29] Sad news: Eric Layton aka Nocturnal Slacker aka vtel57 passed away on Feb 26th, shortly after hospitalization. He was one of our Wiki's most prominent admins. He will be missed.

Welcome to the Slackware Documentation Project

This is an old revision of the document!


Improving OpenSSH security

OpenSSH is the swiss-army knife of remote-access programs: it provides you with a shell on your distant machine, and transmits data in a secure and encrypted way - including commands, file transfer, X11 and VNC sessions, rsync data, etc.

OpenSSH is so advanced that it can be considered as a simplified VPN (Virtual Private Network).

Slackware contains OpenSSH of course, and the default configuration is already pretty secure. This page has been created to show you a few simple configuration tweaks that can be applied to the default configuration to improve its security.

You will need to know how to use a text editor to be able to follow this HOWTO. If you are a complete beginner, try nano. Once you are more advanced, and more at ease with Linux, feel free to use something more powerful…

The SSH configuration files and finding more information

The OpenSSH configuration files reside in the directory /etc/ssh/. The most important one is the /etc/ssh/sshd_config that we are going to modify here.

The OpenSSH documentation is very good, so feel free to enter the command: apropos openssh or man -k openssh and read the different man pages, which are much more detailed than this wiki page.

Modifying the sshd_config file

The first rule, before you modify an important configuration file is to make a backup copy of it. For instance:

# cp -v /etc/ssh/sshd_config /etc/ssh/sshd_config.ORIG.20120826

The command shown above will make a copy of the sshd_config file, and append the extension .ORIG (for original, of course) and include a modification date. While not perfect, this system insures that you can always go back to the previous version of an important file by entering the following:

# cp -v /etc/ssh/sshd_config.ORIG.20120826 /etc/ssh/sshd_config

Please note that this is a suggestion, of course, and system administrators that have to manage large installation, with hundreds of servers, are strongly advised to investigate better solutions, such as Puppet or other distributed system configuration managers.

Now, edit the /etc/ssh/sshd_config file with your favourite editor and tweak the following lines:

Change the SSH default port

By default, OpenSSH listens on port 22. It is sometimes advised to change this default port to something different, such as 2222 or 4242. This is not a bad idea, but you have to remember that scanning your machine with a program such as nmap will obtain this new port very quickly. So, while it may slow down some attacks on your machine, it will not prevent them entirely.

If you'd like to change the port, search for the Port option in sshd_config, which is usually at the top of file, and change the value.

For instance:

Port 22

Can be changed to:

Port 4242

Forbid root access to your machine

This is probably the single most important change you can do to improve the security of your machine: forbid the root user to access your machine. To do this, look for the following line in sshd_config:

PermitRootLogin yes

And change it to:

PermitRootLogin no

If you apply the changes above, make sure you have at least one user on your machine that can su (switch user) to root or use sudo for more fine-grained system administration permissions. The best way to administrate a server through SSH is to have a user in the wheel group, who can use both sudo and su to become root when need be.

Since most people who try to get into your machine uninvited use brute-force scripts that target the root login, you can already rest a lot easier, knowing this access is locked.

Improve login security and timing

Above and below the PermitRootLogin option, you will find other permissions, that we are going to detail quickly here:

- LoginGraceTime is used to increase, or decrease, the time left to a user to log into the machine. This can be safely be restricted to 5 minutes, with the following:

LoginGraceTime 5m

- MaxAuthTries is used to increse, or decrease, the number of tries allowed to a user to authentify correctly to the machine. This can be restricted to 3 attempts by using:

MaxAuthTries 3

Deny X11 forwarding

Unless you need to use X11 over SSH, you can safely disable it by using the following option:

X11Forwarding no

Please note that disabling X11 does not disable VNC over SSH, for instance. In most cases, it is always a good idea to disable un-needed services.

Restrict SSH login to approved users

If you are sure only specific users need to connect through SSH to your machine, you can declare them using the AllowUsers option. All the users - and only the users - mentioned after the option will be able to connect through SSH to the machine.

AllowUsers jack backup betty

In the example shown above, only user jack, betty and backup will be able to use SSH to connect to the machine. All other users will be denied access. Of course, you should use this option with caution and make sure the (or “a”) default user is included…

Restart the SSH server

The last thing to do, to make sure the SSH server takes the new configuration into account, is to restart the SSH server with the command:

# /etc/rc.d/rc.sshd restart

Your new, and slightly more secure OpenSSH configuration is now in effect. Congratulations!

See Also

Sources

 howtos:security:ssh ()