Tightening Security For SSH Server
by AndrzejL
When I was setting up my server a while back, I noticed hundreds of entries in my /var/log/auth.log about failed login attempts from various IPs with various logins. I wondered what it was, until I saw this:
Conclusions? There is at least one (wishful thinking…) bot out there which scans the entire range of IPs for an open port 22 and then uses some brute-force tool to try to crack it. That is not a very positive conclusion for SSH users.
What can be done about this? There are three things you can do.
A) Forbid root's login. That's the default option in PCLinuxOS.
B) Install fail2ban via Synaptic.
C) Change the SSH port from 22 to something above 10100.
I use all of them.
Forbidding root's login is a must. Root is the only login that is guaranteed to exist on every Linux based system; attackers don't have to guess it, it's there for sure. All the attacker has to do is guess the password. Blocking root's login forces him to guess both your user login and its password. This is more difficult for him, and that's the whole point.
PCLinuxOS uses interesting settings in its config files. If you look at the file /etc/ssh/denyusers, you will see that it contains the word root.
This setting blocks every attempt to log in as root over SSH, yet still lets you use the su command for your convenience. Why? Even if the attacker knows the root password, he will not be able to log in as root. However, a user who is logged into the system via SSH can raise their privileges with the su command. This is secure and comfortable at the same time. Sometimes root's privileges are necessary, so PCLinuxOS does allow you to gain them, but you have to log in as a user and also know the root password to gain full control over the machine.
Another method, Fail2ban (you will find it in our repositories), adds a firewall rule that blocks all connections to the SSH port from a machine that unsuccessfully tried to log in X times within a Y time period. Example: the machine xxx.yyy.zzz.uuu tried to log in with the logins jack, ann and mark three times in a 20 minute period, so it got banned for an hour.
You can set X and Y in the fail2ban config file, /etc/fail2ban/jail.conf.
Also, if you have a local email server configured, fail2ban will send you a message notifying you about new events.
Fail2ban protects not only SSH, but also FTP, SFTP and other protocols that use authentication. It's a very cool tool.
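As an added example, not taken from the original article or from fail2ban's own code, the following Python script applies the same "X failures within Y minutes earns a ban" rule to a few constructed auth.log lines. The log lines, the two addresses (documentation ranges) and the assumed year are all constructed; with the article's numbers (three failures in 20 minutes, one hour ban) the first address gets banned and the second never crosses the threshold.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the syslog-style format sshd writes to /var/log/auth.log.
# 203.0.113.5 and 198.51.100.7 are documentation addresses used as placeholders.
SAMPLE_AUTH_LOG = """\
Mar 10 14:01:12 server sshd[2201]: Failed password for invalid user jack from 203.0.113.5 port 50312 ssh2
Mar 10 14:05:40 server sshd[2210]: Failed password for invalid user ann from 203.0.113.5 port 50320 ssh2
Mar 10 14:09:03 server sshd[2215]: Failed password for invalid user mark from 203.0.113.5 port 50331 ssh2
Mar 10 14:10:55 server sshd[2220]: Failed password for andrzej from 198.51.100.7 port 41000 ssh2
Mar 10 14:12:30 server sshd[2222]: Accepted password for andrzej from 198.51.100.7 port 41002 ssh2
Mar 10 16:30:00 server sshd[2300]: Failed password for invalid user root from 198.51.100.7 port 41010 ssh2
"""

# Matches both "Failed password for invalid user X from IP" and "Failed password for X from IP".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port"
)


def parse_failures(log_text, year=2024):
    """Yield (timestamp, ip, user) for every failed SSH password attempt.
    syslog lines carry no year, so one is assumed (constructed value)."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]


def find_bans(log_text, maxretry=3, findtime=timedelta(minutes=20), bantime=timedelta(hours=1)):
    """Return {ip: ban_expiry} for addresses with maxretry failures inside a findtime window.
    This mirrors fail2ban's sliding-window counting (maxretry / findtime / bantime)."""
    recent = defaultdict(list)  # ip -> timestamps of failures still inside the window
    bans = {}
    for ts, ip, _user in parse_failures(log_text):
        # Discard failures that aged out of the window before counting this one.
        recent[ip] = [t for t in recent[ip] if ts - t <= findtime] + [ts]
        if len(recent[ip]) >= maxretry and (ip not in bans or bans[ip] <= ts):
            bans[ip] = ts + bantime
    return bans


if __name__ == "__main__":
    for ip, until in find_bans(SAMPLE_AUTH_LOG).items():
        print(f"ban {ip} until {until:%Y-%m-%d %H:%M:%S}")
```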
Another thing you can do is change the port of the SSH server. The following link is a video showing how it's done.
Changing Port For SSH Server Video
Why change the port, and why above 10100? The default port for SSH is port 22, and all the script kiddies, aka skiddies, use that port in their bots. Even if a script kiddie is smart and scans your IP with a port scanner like nmap, by default he will scan only the first 10000 ports. Setting up SSH above that will make the port scanner find ZIP, ZERO, NADA, BIG BOBKAS. Even if the skiddy is smarter than that and scans all 65k ports, the open port will show up as an unknown service; he would have to add a few more switches to nmap to find out that it's an SSH server. Skiddies are mostly lazy and go after the easy prey. Making it just that little bit more difficult can be a blessing for your security.
So far, those three steps are what I have learned about securing an SSH server. Maybe in the future, if I learn something new, I will add it in a new post.
Remember that even the weakest protection is better than no protection at all.