Making SSH Secure (sshd_config hardening checklist)
[1] Use protocol 2 only. Edit /etc/ssh/sshd_config. Protocol 1 is cryptographically broken and OpenSSH 7.4 and later no longer ship server support for it, so this line only matters on old builds that still offer both; on those it must be set explicitly:
Protocol 2
[2] Listen only on specific addresses. By default sshd binds to every interface (0.0.0.0 and ::); set ListenAddress to the management address so the daemon is not reachable on interfaces that do not need it.
[3] Disable direct root login over SSH (log in as an unprivileged user and escalate with sudo instead):
PermitRootLogin no
[4] Disable empty passwords. The keyword is PermitEmptyPasswords (plural); a misspelled keyword such as PermitEmptyPassword is a "Bad configuration option" and sshd refuses to start:
PermitEmptyPasswords no
[5] Drop dead sessions after 15 minutes. ClientAliveInterval makes sshd send a keepalive probe every N seconds over the encrypted channel; after ClientAliveCountMax unanswered probes the connection is closed. This detects unresponsive clients, not idle users: an idle but connected client still answers the probes, so an idle-logout policy needs a shell timeout (for example TMOUT) on top of this. Also note that since OpenSSH 8.2 a ClientAliveCountMax of 0 disables termination entirely, so use a non-zero count; 300 seconds times 3 probes gives the intended 15 minutes:
ClientAliveInterval 300
ClientAliveCountMax 3
[6] Limit the time a connection may stay unauthenticated. LoginGraceTime bounds how long a client can sit at the login prompt, which frees the sockets that brute-force tools hold open (MaxAuthTries separately caps authentication attempts per connection):
LoginGraceTime 30
[7] Move sshd off port 22. This does not stop a targeted attacker (a port scan finds it in seconds), but it cuts most of the automated scanner noise in the logs:
Port 1991
[8] Allow only named users; everyone else is rejected even with valid credentials:
AllowUsers replikasi wajatmaka
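The directives in items 1 to 8 are easy to get wrong silently (a misspelled keyword, a setting placed after a Match block, a ClientAliveCountMax of 0). The script below is an added example, not part of the original page: it reads an sshd_config the way sshd does (first occurrence of a keyword wins, anything after the first Match block is conditional) and audits it against this checklist. The directive names are real OpenSSH keywords; the sample configuration it writes is constructed for the demonstration and deliberately repeats the page's misspelled PermitEmptyPassword line.

```shell
#!/bin/sh
# Added example: audit an sshd_config against the checklist above.
# Not from the original page. Keyword names are real OpenSSH directives;
# the sample config written by write_sample_config is constructed.

sshd_get() {
  # Print the effective global value of directive $2 in config file $1.
  # sshd uses the FIRST uncommented occurrence of a keyword, and anything
  # after the first "Match" block is conditional, so stop there. Matching is
  # case-insensitive, as in sshd (and "sshd -T" output, which is lowercase).
  # The "Key=value" spelling is not handled.
  awk -v key="$2" '
    /^[[:space:]]*#/ || NF == 0     { next }
    tolower($1) == "match"          { exit }
    tolower($1) == tolower(key)     { print $2; exit }
  ' "$1"
}

sshd_check() {
  # $1 config, $2 directive, $3 expected value. Prints a verdict; returns 1 on a finding.
  actual=$(sshd_get "$1" "$2")
  if [ -z "$actual" ]; then
    echo "MISSING  $2 (expected $3; sshd will use its built-in default)"
    return 1
  fi
  if [ "$(printf '%s' "$actual" | tr 'A-Z' 'a-z')" = "$(printf '%s' "$3" | tr 'A-Z' 'a-z')" ]; then
    echo "OK       $2 $actual"
    return 0
  fi
  echo "WRONG    $2 $actual (expected $3)"
  return 1
}

audit_sshd() {
  # Run the checklist against config file $1; the return code is the number of findings.
  fails=0
  sshd_check "$1" Protocol 2                || fails=$((fails + 1))
  sshd_check "$1" PermitRootLogin no        || fails=$((fails + 1))
  sshd_check "$1" PermitEmptyPasswords no   || fails=$((fails + 1))
  sshd_check "$1" PasswordAuthentication no || fails=$((fails + 1))
  sshd_check "$1" PubkeyAuthentication yes  || fails=$((fails + 1))
  sshd_check "$1" LoginGraceTime 30         || fails=$((fails + 1))
  # OpenSSH 8.2+ treats ClientAliveCountMax 0 as "never terminate", so 0 is a finding.
  cam=$(sshd_get "$1" ClientAliveCountMax)
  if [ "$cam" = "0" ]; then
    echo "WRONG    ClientAliveCountMax 0 (disables termination on OpenSSH 8.2+)"
    fails=$((fails + 1))
  fi
  return "$fails"
}

write_sample_config() {
  # Constructed sample, not a real host's file. It repeats the page's settings,
  # including the misspelled PermitEmptyPassword line, plus a Match block whose
  # PasswordAuthentication applies to one user only (so it must not count globally).
  cat > "$1" <<'EOF'
# constructed sshd_config for the audit example
Protocol 2
Port 1991
PermitRootLogin no
PermitEmptyPassword no
ClientAliveInterval 900
ClientAliveCountMax 0
LoginGraceTime 30
AllowUsers replikasi wajatmaka
PubkeyAuthentication yes
PasswordAuthentication yes

Match User replikasi
    PasswordAuthentication no
EOF
}

# Usage: sh audit_sshd.sh /etc/ssh/sshd_config
if [ "$#" -gt 0 ]; then
  audit_sshd "$1"
fi
```

On the constructed sample the audit reports three findings: PermitEmptyPasswords is missing (the misspelled line does not count), PasswordAuthentication is still yes globally (the "no" inside the Match block only applies to one user), and ClientAliveCountMax is 0. To audit the values sshd actually resolved rather than the file text, feed it `sshd -T` output instead (sshd -T > /tmp/effective.conf), and always run `sshd -t` before restarting the service.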
[9] Restrict access by client IP with TCP wrappers (/etc/hosts.allow and /etc/hosts.deny). This only works if sshd is linked against libwrap; upstream OpenSSH dropped TCP wrappers support in 6.7, so on many current builds it is absent unless the distribution patched it back in. Check first:
ldd /usr/sbin/sshd | grep libwrap
If libwrap is listed, deny everything for sshd in /etc/hosts.deny (sshd: ALL) and whitelist in /etc/hosts.allow. In the net/mask form the left side must be the network address: libwrap accepts a client when (client & mask) == net, so 192.168.56.1/255.255.255.240 can never match, while 192.168.56.0/255.255.255.240 matches 192.168.56.1 through 192.168.56.14:
sshd: 192.168.56.0/255.255.255.240 : allow
sshd: 192.168.56.1 : allow
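To see why the network part of a hosts.allow net/mask pattern matters, the following added example (not from the original page) reproduces the test libwrap's hosts_access applies to a "n.n.n.n/m.m.m.m" pattern, in POSIX sh arithmetic, and runs it against the page's example range. The addresses are the page's own; the function names are this example's.

```shell
#!/bin/sh
# Added example: reproduce the net/mask test that libwrap (hosts_access)
# applies to a "n.n.n.n/m.m.m.m" pattern. Not from the original page.

ip2int() {
  # Dotted quad -> unsigned 32-bit integer, POSIX sh arithmetic only.
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

hosts_access_match() {
  # $1 client address, $2 hosts.allow pattern "net/mask".
  # libwrap accepts the client exactly when (client & mask) == net.
  net=${2%/*}
  mask=${2#*/}
  [ $(( $(ip2int "$1") & $(ip2int "$mask") )) -eq "$(ip2int "$net")" ]
}

# Demonstration: the page's original pattern 192.168.56.1/255.255.255.240 has
# host bits set in its network part, so (client & mask) can never equal it and
# nobody is allowed; the corrected 192.168.56.0/255.255.255.240 admits .1 to .14.
for client in 192.168.56.1 192.168.56.5 192.168.56.14 192.168.56.20; do
  for pattern in 192.168.56.1/255.255.255.240 192.168.56.0/255.255.255.240; do
    if hosts_access_match "$client" "$pattern"; then
      echo "$client matches $pattern"
    else
      echo "$client does NOT match $pattern"
    fi
  done
done
```

The same mistake is invisible in /etc/hosts.allow itself, because libwrap does not warn about host bits in the network part; the only symptom is that every client is refused once hosts.deny carries sshd: ALL.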
[10] Rate-limit new connections with iptables. New TCP connections to port 1991 are diverted to a dedicated chain that records the source address in the "recent" list named SSH and drops the source once it has opened 4 or more connections within 60 seconds (this also catches a legitimate user who reconnects repeatedly, so tune the numbers). A connection that is not dropped returns to the INPUT chain, so a later rule accepting port 1991 is still needed:
# iptables -N SSH_RULE_WAJATMAKA
# iptables -A INPUT -p tcp --dport 1991 -m state --state NEW -j SSH_RULE_WAJATMAKA
# iptables -A SSH_RULE_WAJATMAKA -m recent --set --name SSH
# iptables -A SSH_RULE_WAJATMAKA -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP
# iptables -L
output:
Chain SSH_RULE_WAJATMAKA (1 references)
target  prot opt source    destination
        all  --  anywhere  anywhere     recent: SET name: SSH side: source mask: 255.255.255.255
DROP    all  --  anywhere  anywhere     recent: UPDATE seconds: 60 hit_count: 4 name: SSH side: source mask: 255.255.255.255
[11] Enforce strong passwords. Set password-quality rules through PAM (the pluggable authentication module stack), e.g. pam_pwquality or pam_cracklib in /etc/pam.d/system-auth on Red Hat-style systems (Debian-style systems use /etc/pam.d/common-password).
[12] Use public/private key pairs for SSH authentication, and once every user's key is in place set PasswordAuthentication no so a brute-force attempt has nothing left to guess.
[13] Keep the OpenSSH package updated, and run sshd -t after every configuration change to catch syntax errors before restarting the service.