OpenSSH (OpenSecureShell) is a set of applications that allow encrypted communications over a network, using the protocol SSH. It was created as a free and open alternative to the program Secure Shell, which is proprietary software. « Wikipedia.
Some users may think that good practices should only be applied on servers and this is not the case. Many GNU / Linux distributions include OpenSSH by default and there are a few things to keep in mind.
Security
These are the 6 most important points to keep in mind when configuring SSH:
- Use a strong password.
- Change the default port of SSH.
- Always use version 2 of the SSH protocol.
- Disable root access.
- Limit user access.
- Use key authentication.
- Other options
A strong password
A good password is one that contains alphanumeric or special characters, spaces, upper and lower case letters... etc. Here in DesdeLinux We have shown several methods to generate good passwords. Can visit this article y this other.
Change the default port
The default port for SSH is 22. To change it, all we have to do is edit the file / Etc / ssh / sshd_config. We look for the line that says:
#Port 22
we uncomment it and change the 22 for another number .. for example:
Port 7022
To know the ports that we are not using in our computer / server we can execute in the terminal:
$ netstat -ntap
Now to access our computer or server we must do it with the -p option as follows:
$ ssh -p 7022 usuario@servidor
Use Protocol 2
To make sure that we are using version 2 of the SSH protocol, we must edit the file / Etc / ssh / sshd_config and look for the line that says:
#Protocol2
We uncomment it and restart the SSH service.
Do not allow access as root
To prevent the root user from being able to access remotely via SSH, we look in the file/ Etc / ssh / sshd_config the line:
#PermitRootLogin no
and we uncomment it. I think it is worth clarifying that before doing this we must make sure that our user has the necessary permissions to perform administrative tasks.
Limit access by users
It also does not hurt to allow access via SSH only to certain trusted users, so we return to the file / Etc / ssh / sshd_config and we add the line:
AllowUsers elav usemoslinux kzkggaara
Where obviously, the users elav, usemoslinux and kzkggaara are the ones that will be able to access.
Use key authentication
Although this method is the most recommended, we must take special care because we will access the server without entering the password. This means that if a user manages to enter our session or our computer is stolen, we can be in trouble. However, let's see how to do it.
The first thing is to create a pair of keys (public and private):
ssh-keygen -t rsa -b 4096
Then we pass our key to the computer / server:
ssh-copy-id -i ~/.ssh/id_rsa.pub elav@200.8.200.7
Finally we have to have uncommented, in the file / Etc / ssh / sshd_config the line:
AuthorizedKeysFile .ssh/authorized_keys
Other options
We can reduce the waiting time in which a user can successfully log into the system to 30 seconds
LoginGraceTime 30
To avoid ssh attacks through TCP Spoofing, leaving the encrypted alive on the ssh side active for a maximum of 3 minutes, we can activate these 3 options.
TCPKeepAlive no ClientAliveInterval 60 ClientAliveCountMax 3
Disable the use of rhosts or shosts files, which for security reasons are urged not to be used.
IgnoreRhosts yes IgnoreUserKnownHosts yes RhostsAuthentication no RhostsRSAAuthentication no
Check the effective permissions of the user during login.
StrictModes yes
Enable separation of privileges.
UsePrivilegeSeparation yes
Conclusions:
By doing these steps we can add extra security to our computers and servers, but we must never forget that there is an important factor: what's between the chair and the keyboard. That is why I recommend reading this article.
Source: HowToForge
Excellent post @elav and I add some interesting things:
LoginGraceTime 30
This allows us to reduce the waiting time in which a user can successfully log into the system to 30 seconds
TCPKeepAlive does not
ClientAlive Interval 60
ClientAliveCountMax 3
These three options are quite useful to avoid ssh attacks by means of TCP Spoofing, leaving the encrypted alive on the ssh side active for a maximum of 3 minutes.
IgnoreRhosts yes
IgnoreUserKnownHosts yes
HostsAuthentication no
HostsRSAAuthentication no
It disables the use of rhosts or shosts files, which for security reasons are urged not to be used.
Strict Modes yes
This option is used to check the effective permissions of the user during login.
UsePrivilegeSeparation yes
Enable separation of privileges.
Well, in a while I'll edit the post and add it to the post 😀
Uncommenting so as not to change the line is redundant. The commented lines show the default value of each option (read the clarification at the beginning of the file itself). Root access is disabled by default, etc. Therefore, uncommenting it has absolutely no effect.
Yes, but for example, how do we know that we are using only version 2 of the protocol? Because we could well be using 1 and 2 at the same time. As the last line says, uncommenting this option for example, overwrites the default option. If we are using version 2 by default, fine, if not, then we use it YES or YES 😀
Thanks for comment
Very good article, I knew several things but one thing that is never clear to me is the use of keys, really what they are and what advantages does it have, if I use keys I can use passwords ??? If so, why does it increase security and if not, how do I access it from another pc?
Greetings, I have installed debian 8.1 and I cannot connect from my windows pc to debian with the WINSCP, will I have to use protocol 1? any help .. thanks
bye
You may be interested in this video about openssh https://m.youtube.com/watch?v=uyMb8uq6L54
I want to try some things here, several I have already tried thanks to the Arch Wiki, others due to laziness or lack of knowledge. I'll save it for when I start my RPi