Tuesday, June 5, 2012

SSH Security tips

To continue our series on SSH security, let's look at more options that can be set in sshd_config. Note the file name: /etc/ssh/sshd_config configures the server (sshd), which is where every option below belongs; /etc/ssh/ssh_config only configures the ssh client, and none of these settings has any effect there. Remember, SSH is one of the most secure methods of communicating with your server, but only if it is configured correctly. After editing sshd_config, check the syntax with "sshd -t", restart or reload sshd, and confirm from a second session that you can still log in before closing the one you are working in.

1. Dead-connection timeout – Sometimes a user logs in to an SSH server and forgets about the session, or the laptop goes to sleep or the network drops while the session is still open, possibly from a public terminal. ClientAliveInterval tells sshd to send an encrypted keepalive probe after that many seconds without traffic from the client, and ClientAliveCountMax is how many probes may go unanswered before sshd drops the connection. Edit /etc/ssh/sshd_config and set:

ClientAliveInterval 300
ClientAliveCountMax 3

With these values an unresponsive client is disconnected after roughly 300 x 3 = 900 seconds (15 minutes). Two caveats. First, older guides recommend ClientAliveCountMax 0: on OpenSSH before 8.2 that made sshd drop the connection as soon as the first probe was due, i.e. after 300 seconds with no client traffic, but from OpenSSH 8.2 a value of 0 disables connection termination altogether, so the same configuration now does nothing. Use a positive count. Second, with a positive count this mechanism only detects clients that have stopped answering; a client that is connected but idle answers every probe and is never logged out, so it is not an idle-session timeout. For that, set the shell's own inactivity timeout (the TMOUT variable in bash, for example as a readonly variable in /etc/profile) so an idle shell exits on its own.

2. Root login – While there are rare cases when you might need to log in directly to your server as root (administrator), it is generally a bad practice: root is a username every attacker already knows, so password guessing can start without any reconnaissance, and the logs stop telling you which person did what. The accepted Linux security practice is to log in as a regular SSH user and then "su" or "sudo" to root. In /etc/ssh/sshd_config you can disable root logins so that, even if an attacker somehow obtains your root password, it cannot be used over SSH. Edit sshd_config and add this line:

PermitRootLogin no

If you do need direct root access for automation, "PermitRootLogin prohibit-password" allows it with public keys only and refuses passwords. That has been the default since OpenSSH 7.0; older releases default to "yes", which is why the line should always be set explicitly.

3. Empty Passwords – Having an SSH account with a bad password is a bad practice. Having an SSH account with no password at all is inviting trouble. Nevertheless, a few users do not like the inconvenience of passwords and change theirs to nothing, and an account with a blank password is, of course, the easiest to break into. To stop sshd from accepting such accounts, edit /etc/ssh/sshd_config and add:

PermitEmptyPasswords no

This is already sshd's default, but set it explicitly so nobody can rely on the default. It only stops sshd: the empty password field in /etc/shadow is still there, and other services may honour it, so find and fix such accounts rather than only hiding them from SSH.

4. Use protocol 2. SSH protocol 1 is older and has known cryptographic weaknesses (among them the CRC-32 integrity check that makes packet insertion attacks possible), so the server should only speak protocol 2. Edit /etc/ssh/sshd_config and make sure you have the following line:

Protocol 2

On OpenSSH 7.4 and later the server no longer supports protocol 1 at all, so there the line is redundant; on older releases it is the only thing preventing a client from negotiating protocol 1.

5. Allow or deny specific users. You may have many users on your server, but not all of them need SSH. Rather than leaving it open to everyone, you can allow or deny specific users. To allow only reggie and olivia, add this line to /etc/ssh/sshd_config:

AllowUsers reggie olivia

Once AllowUsers is present, every user not listed is refused, whatever password or key they present. To deny marcus, samuel, and john while letting everyone else in, use DenyUsers instead:

DenyUsers marcus samuel john

sshd evaluates these directives in the order DenyUsers, AllowUsers, DenyGroups, AllowGroups, so a user who appears in both a deny and an allow list is denied. Entries may also take the form user@host to restrict where a user may connect from. Do not list root in AllowUsers: it contradicts PermitRootLogin no, and an explicit allow list is exactly where a reviewer will look for such contradictions.
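As an added example that is not part of the original post, the following POSIX shell script reads an sshd_config and reports the effective value of each directive discussed in tips 1 to 5, applying sshd's rule that the first occurrence of a keyword wins and that everything after a Match line is conditional. It reads whatever file you pass it, so it also works on a copy or on a configuration you are about to deploy. The function names, the list of expected values and the "<default>" marker are my assumptions; on a live host "sshd -T" is the authoritative answer, because it prints what the running daemon actually resolved, and this script does not follow Include directives.

```shell
#!/bin/sh
# Added example, not from the original post: report the effective value of the
# sshd_config directives discussed above.  sshd uses the FIRST occurrence of a
# keyword, and anything after a "Match" line is conditional, so only the global
# section before the first Match is consulted.  Assumes a plain file (no Include).

# sshd_effective FILE KEYWORD -> prints the effective value, or "<default>" when
# the directive is not set in the global section.  Keywords are case-insensitive.
sshd_effective() {
    awk -v key="$2" '
        { sub(/#.*/, ""); sub(/^[ \t]+/, "") }   # drop comments and leading blanks
        NF == 0 { next }
        tolower($1) == "match" { exit }           # rest of the file is conditional
        tolower($1) == tolower(key) {
            $1 = ""; sub(/^[ \t]+/, ""); print    # remaining fields are the value
            found = 1; exit
        }
        END { if (!found) print "<default>" }
    ' "$1"
}

# sshd_audit FILE -> prints one line per check; return value = number of failures.
# The expected values below are the ones recommended in the tips above.
sshd_audit() {
    fails=0
    while read -r key want; do
        got=$(sshd_effective "$1" "$key")
        if [ "$got" = "$want" ]; then status=ok; else status=FAIL; fails=$((fails + 1)); fi
        printf '%-22s want=%-5s got=%-10s %s\n' "$key" "$want" "$got" "$status"
    done <<EOF
PermitRootLogin no
PermitEmptyPasswords no
Protocol 2
ClientAliveInterval 300
ClientAliveCountMax 3
EOF
    # An AllowUsers list that names root contradicts PermitRootLogin no.
    case " $(sshd_effective "$1" AllowUsers) " in
        *" root "*) printf '%-22s %-36s FAIL\n' AllowUsers "lists root"
                    fails=$((fails + 1)) ;;
    esac
    return "$fails"
}

# Usage: sshd_audit /etc/ssh/sshd_config; echo "failures: $?"
```

Run it before restarting sshd, together with "sshd -t", so a typo and a missing hardening line are both caught while you still have a working session. The return value is the failure count, so the same function can gate a deployment script.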

Monday, June 4, 2012

Linux User password policy

1. Lock a user account:
# usermod -L abcuser
OR
# passwd -l abcuser

To unlock:
# usermod -U abcuser
OR
# passwd -u abcuser

Both commands do the same thing: they put a "!" in front of the password hash in /etc/shadow, so the stored password no longer matches anything. That stops password logins only. Anything that authenticates without the password, SSH public-key authentication in particular, still works for a locked account. To disable an account completely, also set an expiry date in the past (chage -E), which both sshd and the PAM account stage refuse regardless of the authentication method, and remove the expiry again when you unlock.
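An added example that is not from the original post, covering both the point in the SSH tips above about accounts with no password at all (PermitEmptyPasswords only hides them from sshd) and the locking caveat here: a POSIX shell function that classifies each entry of a file in /etc/shadow format as having an empty password field, a locked hash that is also expired, a locked hash that is not expired (and so still accepts SSH keys), or active. The function name, the status labels and the constructed sample entries are my assumptions; the shadow field layout is the standard one.

```shell
#!/bin/sh
# Added example, not from the original post: classify /etc/shadow entries.
# Field 2 is the password hash: empty means no password at all; a "!" or "*"
# prefix means the password is disabled, which is all usermod -L / passwd -l do.
# Field 8 is the account expiry day (days since the epoch).  A locked but
# unexpired account still accepts SSH public keys, so both are reported.
# Takes the file as an argument so it can run on a copy; assumes shadow format.

# shadow_audit FILE -> prints "STATUS user" per entry; return value = number of
# accounts with an empty password field.
shadow_audit() {
    awk -F: '
        $2 == ""      { print "EMPTY " $1; empty++; next }
        $2 ~ /^[!*]/  {
            if ($8 == "") print "LOCKED-NOEXPIRE " $1   # keys still work
            else          print "LOCKED-EXPIRED " $1    # fully disabled
            next
        }
        { print "ACTIVE " $1 }
        END { exit empty + 0 }
    ' "$1"
}

# Usage (as root): shadow_audit /etc/shadow; echo "empty passwords: $?"
```

Run it as root on /etc/shadow, or on a copy; the return value is the number of accounts with an empty password, so it can gate a cron check. To fully disable an account reported as LOCKED-NOEXPIRE, run "chage -E 0 abcuser" in addition to usermod -L, and "chage -E -1 abcuser" to remove the expiry again when the account is reinstated.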


2. Set a retry limit for account lockout
# vim /etc/pam.d/system-auth

auth        required      /lib/security/$ISA/pam_tally.so no_magic_root
account     required      /lib/security/$ISA/pam_tally.so deny=3 no_magic_root lock_time=180

The auth line counts every failed login in /var/log/faillog; the account line refuses the account once the count reaches deny=3, and lock_time=180 refuses it for 180 seconds after any failure. no_magic_root means root's failures are counted as well, which is what you want on a server. This is the pam_tally recipe from the RHEL 4/5 era: the /lib/security/$ISA/ path and pam_tally itself are gone from current distributions (pam_tally and pam_tally2 were removed in Linux-PAM 1.5.0), where pam_faillock provides the same lockout and its counters are managed with the faillock command instead of faillog.

To display all failed login attempts, type:
faillog -a

To display failed logins for a particular user, type:
faillog -u username

To unlock a username after the maximum number of failed attempts, type:
faillog -r -u username

3. Restrict root logins to the system console
In /etc/ssh/sshd_config set the following line and restart the sshd service. Do not just comment out "PermitRootLogin yes": a commented-out directive falls back to the compiled-in default, which on OpenSSH before 7.0 is "yes", so root would still be able to log in.
PermitRootLogin no

For local logins, pam_securetty and /etc/securetty decide which terminals root may log in from; keeping only the console and local tty devices in that file is what makes "console only" true rather than merely "not over SSH".