June 10, 2010
Three things to harden OpenSSH on Linux
The OpenSSH package comes installed on most Linux distributions; however, the default configuration has some potential security risks as it favors functionality over security. Here are a three things you can do to greatly reduce your attack foot-print.
1. Disable Listening on All Internal IP addresses
By default SSH comes pre-configured to listen on all IP addresses. The /etc/ssh/sshd_config file contains a line that reads: ListenAddress 0.0.0.0
Enter the IP address of the SSH server’s internal IP address. ListenAddress 192.168.1.50
This prevents SSH access from unauthorized interfaces.
2. Enable SSH 2 only
The SSH version 1 protocol contains many vulnerabilities that can allow an attacker to cause DoS attacks. SSH version 2 fixes many of these issues. The best bet to reduce the number of vulnerabilities is to configure the SSH server to accept version 2 only.
In the /etc/ssh/sshd_config file find:
Remove the 1. This prevents the SSH server from accepting SSH version 1 requests.
3. Disable root Access
Disabling the root account from SSH access is the most important hardening process of them all. The reason for this is not because a user can make changes to the system or access restricted folders, but because it allows anonymity. Users can become sudoer and have access the root account has; however, there is accountability. In the /etc/ssh/sshd_config the root account can be disabled by changing the line that contains:
Change the line to: