Powered by vBulletin® Version 3.7.0
Copyright ©2000 - 2009, Jelsoft Enterprises Ltd.
LinkBacks Enabled by vBSEO 3.1.0
#1 (permalink) |
Junior Member
To maximize server security, disable direct root login in your sshd.

1. Add a new normal user on your server and assign a new password (use a long password with numbers and letters).

[root@servername ~]# adduser USERNAME
[root@servername ~]# passwd USERNAME

and enter your password.

2. Go to the sshd config and change the configuration so that direct root login is not allowed.

[root@servername ~]# cd /etc/ssh/
[root@servername ~]# nano sshd_config (or use another editor, pico or vi)

Search the config for this text:

# Authentication:
#LoginGraceTime 2m
#PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6

and change it to:

#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6

3. Save this config and restart sshd.

[root@servername ~]# /etc/init.d/sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]

If you try to log in as root you receive an error; to log in, use your new user, and to become root use the command su -
#2 (permalink) |
Cari.net Staff
Join Date: May 2008
Location: San Diego, California
Posts: 15
Great post. Preventing illegitimate SSH access to a dedicated server is one of the most important, if not the most important, hack-prevention measures you can take.
#3 (permalink) |
Junior Member
Join Date: May 2008
Location: the metaverse
Posts: 15
More advice:
First, keep your session running and simply HUP the sshd if you can. Then test another login on a different terminal to verify it's still working. Try running SSH over a different port, or even run a VPN and use telnet.

Telnet is actually more secure in some ways than SSH, contrary to popular belief (aside from the plaintext-over-network issue). Here's why: with telnet, authentication is based on just one sequence of bytes with only two possible outcomes: it works or it doesn't work. This sequence of bytes passes across the TCP stream and straight into a tty. However, with an sshd the sequence of bytes passes off the network, through a very complex series of negotiation steps, and then directly into the authentication system. All the thousands of lines of code that handle authentication in sshd, with all the various buffers and branches, lead to a vastly increased probability of there being a potential bug somewhere, and thus exploits. Greg Hoglund and Gary McGraw wrote in "Exploiting Software: How to Break Code" about what they call the trinity of trouble: complexity, extensibility, and connectivity. SSH is one protocol that, though nicely audited in the OpenSSH implementation, has all three. This is one reason why on trusted networks I personally always run telnet, and on untrusted networks I keep an eye out for any new exploits.
Tags: hardening, linux, no root login, sshd