Tuesday, September 3, 2013

SSH - Securing

SSH V2 Configuration


OpenSSH historically supported both the SSH-1 and SSH-2 protocols. SSH-2 is a complete redesign with proper message authentication and stronger key exchange; SSH-1 has long-known cryptographic weaknesses (its CRC-32 integrity check can be defeated by packet insertion) and must never be negotiated. Setting Protocol to 2 refuses SSH-1 clients outright. OpenSSH 7.4 and later no longer include SSH-1 server support at all, so on those releases the keyword is only accepted for compatibility, but it is still worth keeping in a configuration that may be deployed to older hosts.

Solution:
Modify the /etc/ssh/sshd_config file to set the parameter as below:
Protocol 2

LogLevel Parameter (VERBOSE)


Setting LogLevel to VERBOSE records login and logout activity together with the fingerprint of any public key used to authenticate, which is what you need during incident handling to tie a session to a specific key rather than just to an account name. Do not go higher in production: DEBUG and above log data that violates users' privacy and are meant for troubleshooting only.

Solution:
Modify the /etc/ssh/sshd_config file to set the parameter as below:
LogLevel VERBOSE

X11Forwarding Parameter


The X11Forwarding parameter controls whether X11 traffic may be tunnelled through the SSH connection so that graphical applications on the server can display on the user's workstation. Forwarding exposes the user's X display to the server side: a compromised server, or another account on it that can reach the forwarded X socket, can use that channel to attack the display of a user logged in with forwarding enabled (keystroke capture, screen grabbing, input injection). Disable X11 forwarding if it is not used; where only some users need it, enable it for them in a Match block rather than globally.

Solution:
Modify the /etc/ssh/sshd_config file to set the parameter as below:
X11Forwarding no

MaxAuthTries Parameter


The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection (the default is 6); once failures reach half that value, each additional failure is logged. Lowering it limits how many password guesses a single connection can make and so reduces the risk of a successful brute force attack against the SSH server. It does not stop an attacker who simply opens new connections, so pair it with key-based authentication, MaxStartups and a firewall or rate limiter. Note also that every public key the client offers counts as one attempt, so users with many keys loaded in an agent may be refused with "Too many authentication failures" unless their client uses IdentitiesOnly.

Solution:
Modify the /etc/ssh/sshd_config file to set the parameter as below:
MaxAuthTries 4

IgnoreRhosts Parameter


The IgnoreRhosts parameter specifies that users' .rhosts and .shosts files are not consulted during RhostsRSAAuthentication (SSH-1 only) or HostbasedAuthentication. It does not force password logins; it removes trust relationships granted by those per-user files, so that every login has to authenticate through a method the server is configured to accept (password, public key, or another configured mechanism).

Solution:
Modify the /etc/ssh/sshd_config file to set the parameter as below:
IgnoreRhosts yes

HostbasedAuthentication Parameter


The HostbasedAuthentication parameter specifies whether rhosts or /etc/hosts.equiv style authentication, combined with a successful public key authentication of the client host, is allowed. Host-based trust means that whoever controls a trusted client host can log in here as any matching user, so a compromise of one machine becomes access to every server that trusts it. Disabling it, together with IgnoreRhosts, removes that lateral-movement path and provides an extra layer of protection.

Solution:
Modify the /etc/ssh/sshd_config file to set the parameter as below:
HostbasedAuthentication no

PermitRootLogin Parameter


The PermitRootLogin parameter specifies whether root can log in using SSH. Disabling root logins over SSH requires administrators to authenticate with their own accounts and then escalate to root via sudo or su. This provides a clear audit trail in the event of a security incident and takes the most commonly guessed account name out of reach of password guessing. Where automation genuinely must connect as root, prefer the value without-password (spelled prohibit-password in OpenSSH 7.0 and later), which permits key-based root logins only, and restrict that key in authorized_keys with from= and command= options.

Solution:
Modify the /etc/ssh/sshd_config file to set the parameter as below:
PermitRootLogin no

PermitEmptyPasswords Parameter


The PermitEmptyPasswords parameter specifies whether the server allows login to accounts with empty password strings. Disallowing login with an empty password reduces the probability of unauthorized access to the system, for example through a service or test account that was created without a password and forgotten.

Solution:
Modify the /etc/ssh/sshd_config file to set the parameter as below:
PermitEmptyPasswords no

PermitUserEnvironment Parameter


The PermitUserEnvironment parameter specifies whether sshd processes ~/.ssh/environment and environment= options in ~/.ssh/authorized_keys. Allowing users to set environment variables through the SSH daemon could let them bypass security controls; the sshd_config manual itself warns that mechanisms such as LD_PRELOAD can be used this way, for instance to escape a ForceCommand or restricted shell.

Solution:
Modify the /etc/ssh/sshd_config file to set the parameter as below:
PermitUserEnvironment no

Use of Strong Ciphers in Counter Mode


The Ciphers parameter restricts which symmetric ciphers the server will negotiate. The CBC-mode ciphers are subject to a known plaintext-recovery weakness (CVE-2008-5161) and the legacy ciphers (arcfour, blowfish-cbc, 3des-cbc) are weak; restricting the server to AES in counter mode removes all of them from negotiation. This has nothing to do with preventing man-in-the-middle attacks, which is the job of host key verification. Newer OpenSSH releases also provide AEAD ciphers (chacha20-poly1305@openssh.com, aes128-gcm@openssh.com, aes256-gcm@openssh.com) that are preferable where both ends support them. List only names the installed version recognises: an unknown cipher name makes sshd refuse to start.

Solution:
Modify the /etc/ssh/sshd_config file to set the parameter as below (note the keyword is Ciphers, plural; "Cipher" is rejected as a bad configuration option):
Ciphers aes128-ctr,aes192-ctr,aes256-ctr

Idle Timeout Interval Parameter


The ClientAliveInterval and ClientAliveCountMax parameters control how long sshd keeps a session whose client has stopped responding. Every ClientAliveInterval seconds of inactivity sshd sends an encrypted client-alive request; after ClientAliveCountMax unanswered requests it terminates the connection. This clears out dead sessions (crashed clients, dropped networks) so that they cannot linger, but it is not a true idle-user timeout: a client that is still running answers the alive messages automatically even if nobody is at the keyboard, so the "walked away from an unlocked terminal" case is unaffected. To log out idle users, use the shell's idle timeout (for example TMOUT) on top of these settings. Also check the sshd_config(5) page for the installed version: recent OpenSSH releases document a ClientAliveCountMax of 0 as disabling connection termination entirely, in which case a small non-zero count is needed.

Solution:
Modify the /etc/ssh/sshd_config file to set the parameters as below:
ClientAliveInterval 300
ClientAliveCountMax 0
(On releases where 0 disables termination, use ClientAliveCountMax 3 instead, which drops an unresponsive client after roughly 15 minutes.)

Restrict Access via SSH


There are several options available to restrict which users and groups can access the system via SSH. All four keywords take a space-separated list of names, each of which may be a glob pattern. sshd evaluates them in a fixed order regardless of where they appear in the file: DenyUsers, then AllowUsers, then DenyGroups, then AllowGroups.

AllowUsers
The AllowUsers parameter allows only the listed users to ssh into the system; every user not listed is refused. This keyword is followed by a list of user names, separated by spaces. An entry may take the form user@host to permit that user only from a given host or address pattern.
AllowGroups
The AllowGroups parameter allows only members of the listed groups (primary or supplementary) to ssh into the system. This keyword is followed by a list of group names, separated by spaces.
DenyUsers
The DenyUsers parameter refuses SSH logins to the listed users. This keyword is followed by a list of user names, separated by spaces, and also accepts the user@host form.
DenyGroups
The DenyGroups parameter refuses SSH logins to members of the listed groups. This keyword is followed by a list of group names, separated by spaces.

Setting AllowUsers or AllowGroups changes the default from "every valid account" to "nobody except those listed", so add the administrators' own account or group before restarting sshd, or you will lock yourself out.

Solution:
Modify the /etc/ssh/sshd_config file to set the parameters as below (use whichever of the four fits your policy; an allow list is the stronger choice):
AllowUsers <userlist>
AllowGroups <grouplist>
DenyUsers <userlist>
DenyGroups <grouplist>

SSH Login Banner


The Banner parameter specifies a file whose contents are sent to the remote user before authentication is allowed. It is commonly pointed at /etc/issue.net carrying the legal "authorized use only" notice. Because the banner is shown to unauthenticated clients, keep operating system, version and hostname details out of it.

Solution:
Modify the /etc/ssh/sshd_config file to set the parameter as below:
Banner <bannerfile>
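The settings above collected into one sshd_config fragment, as an added example rather than text from the original post. The group names sshusers and sshadmins, the Match block and the banner path are assumptions for illustration. The Match block is included to show the one ordering rule that regularly bites people: every keyword after the first Match line applies only to connections matching that block, so all global hardening must sit above it.

```text
# /etc/ssh/sshd_config  (added example; group names, Match block and
# banner path are assumptions, not settings from the original post)
Protocol 2
LogLevel VERBOSE
X11Forwarding no
MaxAuthTries 4
IgnoreRhosts yes
HostbasedAuthentication no
PermitRootLogin no
PermitEmptyPasswords no
PermitUserEnvironment no
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
ClientAliveInterval 300
ClientAliveCountMax 0
AllowGroups sshusers sshadmins
Banner /etc/issue.net

# Per-group exception: re-enable X11 forwarding for administrators only.
# Nothing below this line is a global setting any more.
Match Group sshadmins
    X11Forwarding yes
```

Validate with sshd -t before restarting; an unknown keyword (such as the singular "Cipher") stops sshd from starting, and a Match block placed above the global settings silently turns them into conditional ones.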

sshd_config Permissions


The /etc/ssh/sshd_config file should be protected from unauthorized modification: if anyone other than root can write it, every control above can be silently undone. Ownership and permissions should be properly configured, with root as owner and group. Mode 600 (the CIS benchmark recommendation) also keeps the file from being read by unprivileged users; 644 is acceptable where non-root audit tooling needs to read it.

Solution:
# chown root:root /etc/ssh/sshd_config
# chmod 600 /etc/ssh/sshd_config
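An audit helper written for this post (it is not OpenSSH tooling): a POSIX shell/awk script that reads an sshd_config and reports any of the settings above that are missing or carry a different value. It reproduces the parsing rules that matter for an audit: keywords are case-insensitive, Key=value is accepted as well as Key value, comments are stripped, the first occurrence of a keyword wins (a later duplicate is silently ignored), and anything after the first Match line is not a global setting. The sample configuration it checks is constructed inline and deliberately contains three common mistakes.

```shell
#!/bin/sh
# audit_sshd.sh: check an sshd_config against the hardening values above.
# Hypothetical helper written for this post; it is not part of OpenSSH.

# Expected global settings, "keyword value" per line (keywords lower-case).
EXPECTED='
protocol 2
loglevel VERBOSE
x11forwarding no
maxauthtries 4
ignorerhosts yes
hostbasedauthentication no
permitrootlogin no
permitemptypasswords no
permituserenvironment no
ciphers aes128-ctr,aes192-ctr,aes256-ctr
clientaliveinterval 300
clientalivecountmax 0
'

# effective_value FILE KEYWORD
# Prints the value sshd would apply globally for KEYWORD (lower-case), or
# nothing if it is unset. Mirrors sshd parsing: comments stripped, keyword
# case-insensitive, "Key value" or "Key=value", first occurrence wins, and
# parsing stops at the first Match block because those lines are conditional.
effective_value() {
    awk -v key="$2" '
        { sub(/#.*/, "") }
        /^[ \t]*$/ { next }
        /^[ \t]*[Mm][Aa][Tt][Cc][Hh][ \t]/ { exit }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = match(line, /[ \t=]+/)        # split at first blank or "="
            if (n == 0) next
            k = tolower(substr(line, 1, n - 1))
            v = substr(line, n + RLENGTH)
            sub(/[ \t]+$/, "", v)
            if (k == key) { print v; exit }   # first occurrence wins
        }' "$1"
}

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# audit_config FILE
# Prints one line per deviation and returns the number of deviations
# (0 means every expected setting is present with the expected value).
audit_config() {
    file="$1"; bad=0
    while read -r key want; do
        [ -n "$key" ] || continue
        got=$(effective_value "$file" "$key")
        if [ "$(lower "$got")" != "$(lower "$want")" ]; then
            printf '%s: expected "%s", found "%s"\n' \
                "$key" "$want" "${got:-<unset, default applies>}"
            bad=$((bad + 1))
        fi
    done <<EOF
$EXPECTED
EOF
    return "$bad"
}

# make_sample_config
# Writes a constructed sshd_config to a temp file and prints its path.
# Three deliberate mistakes: "PermitRootLogin yes" precedes the "no" (first
# wins), X11Forwarding is on, and "Cipher" is a typo for "Ciphers" (a real
# sshd would refuse to start on that line; here it simply leaves Ciphers unset).
make_sample_config() {
    f=$(mktemp) || return 1
    cat >"$f" <<'EOF'
# constructed sample, not a real host's configuration
Protocol 2
PermitRootLogin yes   # first occurrence wins; the later "no" is ignored
LogLevel verbose
X11Forwarding yes
MaxAuthTries = 4
IgnoreRhosts yes
HostbasedAuthentication no
PermitEmptyPasswords no
PermitUserEnvironment no
Cipher aes128-ctr,aes192-ctr,aes256-ctr
ClientAliveInterval 300
ClientAliveCountMax 0
PermitRootLogin no
Match Group sftponly
    X11Forwarding no
EOF
    printf '%s\n' "$f"
}

# Demonstration on the constructed sample; point it at /etc/ssh/sshd_config
# on a real host. Reports 3 deviations: permitrootlogin, x11forwarding, ciphers.
sample=$(make_sample_config)
audit_config "$sample" || echo "$? deviation(s) found"
rm -f "$sample"
```

On a live host run audit_config /etc/ssh/sshd_config as root. Treat the script as a first pass only: sshd -t validates the syntax before a restart, and sshd -T prints the effective configuration with the installed version's defaults filled in, which is the authoritative view of what is actually enforced.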
