SSH V2 Configuration
SSH supports the SSH1 and SSH2 protocols. SSH2 is more advanced and more secure than SSH1.
Solution:
Modify the /etc/ssh/sshd_config file to set the parameter as below:
Protocol 2
VERBOSE Parameter
The VERBOSE parameter is used to record login and logout activity in SSH. This will be helpful in incident handling.
Solution:
Modify the /etc/ssh/sshd_config file to set the parameter as below:
LogLevel VERBOSE
X11Forwarding Parameter
The X11Forwarding parameter specifies the ability to tunnel X11 traffic through the connection to enable remote graphic connections. It is possible to compromise the X11 servers of users who are logged in via SSH with X11 forwarding by other users on the X11 server. Disable X11 forwarding if it is not used.
Solution:
Modify the /etc/ssh/sshd_config file to set the parameter as below:
X11Forwarding no
MaxAuthTries Parameter
The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. Limiting the number of attempts reduces the risk of successful brute-force attacks against the SSH server and improves the security of the Linux system.
Solution:
Modify the /etc/ssh/sshd_config file to set the parameter as below:
MaxAuthTries 4
IgnoreRhosts Parameter
The IgnoreRhosts parameter specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication. This parameter forces users to enter a password when authenticating with ssh.
Solution:
Modify the /etc/ssh/sshd_config file to set the parameter as below:
IgnoreRhosts yes
HostbasedAuthentication Parameter
The HostbasedAuthentication parameter specifies whether rhosts or /etc/hosts.equiv authentication together with successful public key client host authentication is allowed. Disabling the ability to use .rhosts files in SSH provides an extra layer of protection.
Solution:
Modify the /etc/ssh/sshd_config file to set the parameter as below:
HostbasedAuthentication no
PermitRootLogin Parameter
The PermitRootLogin parameter specifies whether root can log in using SSH. Disabling root logins over SSH requires administrators to authenticate using their own account and then escalate to root via sudo or su. This provides a clear audit trail in the event of a security incident and improves the security of the Linux system.
Solution:
Modify the /etc/ssh/sshd_config file to set the parameter as below:
PermitRootLogin no
PermitEmptyPasswords Parameter
The PermitEmptyPasswords parameter specifies whether the server allows login to accounts with empty password strings. Disallowing login with empty password reduces the probability of unauthorized access to the system.
Solution:
Modify the /etc/ssh/sshd_config file to set the parameter as below:
PermitEmptyPasswords no
PermitUserEnvironment Parameter
The PermitUserEnvironment parameter specifies whether users may present environment options to the ssh daemon. Allowing users to set environment variables through the SSH daemon could potentially allow them to bypass security controls.
Solution:
Modify the /etc/ssh/sshd_config file to set the parameter as below:
PermitUserEnvironment no
Use of Strong Ciphers in Counter Mode
This parameter limits the ciphers that SSH may use during communication. Restricting the list to strong ciphers helps prevent man-in-the-middle attacks.
Solution:
Modify the /etc/ssh/sshd_config file to set the parameter as below:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
Idle Timeout Interval Parameter
The ClientAliveInterval and ClientAliveCountMax parameters control the timeout of ssh sessions. Setting a timeout value for a connection could prevent an unauthorized user from accessing another user's ssh session.
Solution:
Modify the /etc/ssh/sshd_config file to set the parameter as below:
ClientAliveInterval 300
ClientAliveCountMax 0
Restrict Access via SSH
There are several options available to restrict which users and groups can access the system via SSH.
AllowUsers
The AllowUsers parameter provides the administrator the option of allowing specific users to ssh into the system. This keyword can be followed by a list of user names, separated by spaces.
AllowGroups
The AllowGroups parameter provides the administrator the option of allowing specific groups to ssh into the system. This keyword can be followed by a list of group names, separated by spaces.
DenyUsers
The DenyUsers parameter provides the administrator the option of denying specific users the ability to ssh into the system. This keyword can be followed by a list of user names, separated by spaces.
DenyGroups
The DenyGroups parameter provides the administrator the option of denying specific groups the ability to ssh into the system. This keyword can be followed by a list of group names, separated by spaces.
Solution:
Modify the /etc/ssh/sshd_config file to set the parameter as below:
AllowUsers <userlist>
AllowGroups <grouplist>
DenyUsers <userlist>
DenyGroups <grouplist>
SSH Login Banner
The Banner parameter specifies a file whose contents are sent to the remote user before authentication is allowed.
Solution:
Modify the /etc/ssh/sshd_config file to set the parameter as below:
Banner <bannerfile>
sshd_config Permissions
The /etc/ssh/sshd_config file should be protected from unauthorized access. The ownership and file permissions should be properly configured.
Solution:
# chown root:root /etc/ssh/sshd_config
# chmod 644 /etc/ssh/sshd_config
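As an added example that is not part of the original page, the following POSIX shell script audits an sshd_config file against the values recommended in the sections above and checks the file mode. It reads the file directly rather than calling sshd, so it assumes plain "Keyword value" lines (not the "Keyword=value" form) and that the checked keywords are global, i.e. they appear before any Match block. It mirrors two rules of sshd's own parser: keywords are case-insensitive, and for a keyword that appears more than once the first value is the effective one. The sample configuration it builds is constructed for the demonstration and deliberately contains two weak settings; the stat -c call is a GNU coreutils assumption.

```shell
#!/bin/sh
# Added example (not from the original page): audit an sshd_config file
# against the values recommended above. Assumes "Keyword value" lines and
# that all checked keywords precede any "Match" block.

# Print the effective value of a keyword. sshd uses the FIRST occurrence,
# keywords are case-insensitive, and "#" starts a comment line.
sshd_get() {
  g_cfg=$1
  g_key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  awk -v key="$g_key" '
    /^[[:space:]]*#/ { next }                 # comment line
    tolower($1) == "match" { exit }           # global section ends here
    NF >= 2 && tolower($1) == key {           # first match wins, like sshd
      v = $2; for (i = 3; i <= NF; i++) v = v " " $i
      print v; exit
    }' "$g_cfg"
}

# Compare one keyword with its expected value. Returns 0 on PASS, 1 on FAIL.
sshd_check() {
  c_cfg=$1; c_key=$2; c_want=$3
  c_got=$(sshd_get "$c_cfg" "$c_key")
  if [ "$c_got" = "$c_want" ]; then
    echo "PASS $c_key $c_got"
  else
    echo "FAIL $c_key: expected '$c_want', found '${c_got:-<unset>}'"
    return 1
  fi
}

# Run every fixed-value check from this page; returns the number of failures.
sshd_audit() {
  a_cfg=$1; a_fails=0
  while read -r a_key a_want; do
    sshd_check "$a_cfg" "$a_key" "$a_want" || a_fails=$((a_fails + 1))
  done <<'EOF'
Protocol 2
LogLevel VERBOSE
X11Forwarding no
MaxAuthTries 4
IgnoreRhosts yes
HostbasedAuthentication no
PermitRootLogin no
PermitEmptyPasswords no
PermitUserEnvironment no
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
ClientAliveInterval 300
ClientAliveCountMax 0
EOF
  return "$a_fails"
}

# Check the file mode (644 as recommended above). GNU stat assumed.
sshd_mode_check() {
  m_mode=$(stat -c '%a' "$1" 2>/dev/null)
  if [ "$m_mode" = "644" ]; then
    echo "PASS mode $m_mode"
  else
    echo "FAIL mode: expected 644, found '${m_mode:-unknown}'"
    return 1
  fi
}

# Constructed sample (not a real host's config): PermitRootLogin and
# ClientAliveInterval deviate on purpose, and MaxAuthTries appears twice to
# show that the first value is the effective one. Prints the temp file path.
make_sample_config() {
  s_file=$(mktemp) || return 1
  cat > "$s_file" <<'EOF'
# constructed sshd_config sample
Protocol 2
LogLevel VERBOSE
X11Forwarding no
MaxAuthTries 4
MaxAuthTries 6
IgnoreRhosts yes
HostbasedAuthentication no
PermitRootLogin yes
PermitEmptyPasswords no
PermitUserEnvironment no
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
ClientAliveInterval 0
ClientAliveCountMax 0
Match User backup
    PermitRootLogin no
EOF
  chmod 644 "$s_file"
  printf '%s\n' "$s_file"
}

# Usage: sh sshd_audit.sh /etc/ssh/sshd_config
if [ $# -ge 1 ]; then
  sshd_audit "$1"
  sshd_mode_check "$1"
fi
```

Run it against a real file with `sh sshd_audit.sh /etc/ssh/sshd_config`; the exit status of sshd_audit is the number of failed checks, so it can feed a configuration-compliance job directly. Because globals after a Match line apply only to matching connections, the script stops parsing at the first Match block; the PermitRootLogin line inside the sample's Match block therefore does not mask the weak global setting, which is the behaviour a reviewer would want reported.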