SSH Security

Everyone who uses Linux operating system today knows about Secure Server Shell. Although it is named secure server shell, is it really Secure? The answer really depends on the configuration. Let us go through the steps involved in installing and configuring SSH with focus on making the system more secure and following good practises. In general, following are the good practises:

Use any port between 1024 and 65536 to listen for SSH connection
Disable root login
Allow users with a predefined list
Enable SSH access only through SSH keys and only use SSH keys
Use message to display legal notice during login
Monitor last login and last bad logins to track if some one tried to login
Block ICMP request

Installing SSH

In ubuntu operating system below is the command to install SSH service:

sudo apt-get install openssh-server

Once the installating is complete, the service starts listening on port 22. This can be verified by running port scan using nmap linux tool.

Good practise configuration

Port 7777
# Authentication:
LoginGraceTime 30
PermitRootLogin no
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
PasswordAuthentication yes # Untill SSH keys are setup
Banner /etc/issue
UsePAM yes

Now create a file /etc/issue with the legal message you want to display before login.

Then restart the ssh service to get the new configurations in effect: sudo services ssh restart

Setting up SSH Keys

There can be a pair of keys generated and used for authentication over SSH. One key is private while the other is public. The public key is pushed to server while the private key is kept somewhere safe on the client computer. In order to generate such a key, the command is:

ssh-keygen -t rsa

Then enter he passphrase and the file names. The passphrase is used to store the private file with some encryption on the local computer.

Once the files are generated, let us now push the public key to the server in which we want to login:

ssh-copy-id -i <mykey.pub> -p <port> <user>@<host>

The above command adds the public key to the server's .ssh/authorized_keys file

Then to login, simply enter

ssh -p <port> <user>@<host> -i <path_to_private_key>

Once you are able to login successfully, turn off the PasswordAuthentication to no in the config file described above.

Monitoring Last Logins

Last login and last back login attempt can be checked using the following command:

sudo last
sudo lastb

ICMP Request

While ICMP request can be used to probe if the system is active, someone can also use to do the same. Hence a right way to ensure a server is up is by installing a monitoring service that send heartbeats to some external service or system. I prefer to block all ICMP requests using IP tables and below are the commands to do so:

iptables -A OUTPUT -p icmp -o eth0 -j ACCEPT         

iptables -A INPUT -p icmp --icmp-type echo-reply -s 0/0 -i eth0 -j ACCEPT    

iptables -A INPUT -p icmp --icmp-type destination-unreachable -s 0/0 -i eth0 -j ACCEPT 

iptables -A INPUT -p icmp --icmp-type time-exceeded -s 0/0 -i eth0 -j ACCEPT      

iptables -A INPUT -p icmp -i eth0 -j DROP

Troubleshooting an error

Sometimes, we get an error although we have followed all the steps described above to add the ssh key to remote server:

Agent admitted failure to sign using the key.
# Permission denied (publickey).

One of the possible reason is that SSH keys that are generated are not added to ssh-agent, to fix this follow the below steps:

# start the ssh-agent in the background
eval "$(ssh-agent -s)"
# Agent pid 59566
ssh-add ~/.ssh/<my_private_key>