Friday 10 August 2012

13 ways to make ssh more secure

13 ways to make ssh more secure
=========

If a customer asked us how can we make ssh more secure, you can advice the following methods to him.

1. tcp wrapper

Place the required entries in /etc/hosts.allow or  /etc/hosts.deny

2. Iptables You can make use of Iptables to allow access to the required IP

3. You can install 'sshdfilter'

It watch the log and make use of iptables to block the entry
please go to - http://gentoo-wiki.com/HOWTO_sshdfilter

4. You can install 'denyhosts'

It will check /var/log/secure and  blocked by being added to /etc/hosts.deny.

5. Change the default ssh port

Edit /etc/ssh/sshd_config
Port 54321

6. Disable insecure Protocol 1; allowing only Protocol 2

Edit /etc/ssh/sshd_config
Protocol 2

7.Disable root login

Edit /etc/ssh/sshd_config
PermitRootLogin no

8.Reduce MaxAuthTries Limit the maximum number of invalid login attempts

Edit /etc/ssh/sshd_config
MaxAuthTries 2

9.Reduce MaxStartups Limit the maximum number of unauthenticated connections that the ssh server will handle at the same time

Edit /etc/ssh/sshd_config
MaxStartups 3

10.Reduce LoginGraceTime Reduce the maximum amount of time allowed to successfully login before disconnecting.

Edit /etc/ssh/sshd_config
LoginGraceTime 30

11. Allow only certain users or groups to connect

Edit /etc/ssh/sshd_config
AllowGroups sshusers
AllowUsers example1 example2 example3*

12. Allow users from only certain IP addresses to connect You can make use of /etc/hosts.allow and iptables for that.

Edit /etc/ssh/sshd_config
ListenAddress 192.168.1.10

13.Allow only users with keys to connect; no passwords allowed

Edit /etc/ssh/sshd_config
PasswordAuthentication no

No comments:

Post a Comment

Note: only a member of this blog may post a comment.