June 10, 2010

Three things to harden OpenSSH on Linux

The OpenSSH package comes installed on most Linux distributions; however, the default configuration has some potential security risks as it favors functionality over security. Here are a three things you can do to greatly reduce your attack foot-print.

1. Disable Listening on All Internal IP addresses

By default SSH comes pre-configured to listen on all IP addresses. The /etc/ssh/sshd_config file contains a line that reads: ListenAddress

Enter the IP address of the SSH server’s internal IP address. ListenAddress

This prevents SSH access from unauthorized interfaces.

2. Enable SSH 2 only

The SSH version 1 protocol contains many vulnerabilities that can allow an attacker to cause DoS attacks. SSH version 2 fixes many of these issues. The best bet to reduce the number of vulnerabilities is to configure the SSH server to accept version 2 only.

In the /etc/ssh/sshd_config file find:

Protocol 2,1

Remove the 1. This prevents the SSH server from accepting SSH version 1 requests.

3. Disable root Access

Disabling the root account from SSH access is the most important hardening process of them all. The reason for this is not because a user can make changes to the system or access restricted folders, but because it allows anonymity. Users can become sudoer and have access the root account has; however, there is accountability. In the /etc/ssh/sshd_config the root account can be disabled by changing the line that contains:

PermitRootLogin yes

Change the line to:

PermitRootLogin no