Hardening SSH Service
This quick guide should work with any standard distribution of SSH for Linux or UNIX systems. First we need to make sure the root user cannot log in remotely; for that, we need to set up the service to use public/private key pairs. We also need to create regular users, each with their own keys, so let's do that first:
cd ~/.ssh/
ssh-keygen -t rsa -b 2048 -f id_rsa
Running the above command you'll be asked to input a passphrase for your private key and to confirm it. Avoid leaving this blank if you really want to protect your key!
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
When confirmation succeeds, you’ll get an output similar to the following:
Your identification has been saved in id_rsa.
Your public key has been saved in id_rsa.pub.
The key fingerprint is:
6f:98:44:21:3f:31:22:11:41:fc:6a:92:56:27:9e:71 user@server
You now have two new files in ~/.ssh/:
id_rsa (private key)
id_rsa.pub (public key)
Now add the contents of id_rsa.pub to the file ~/.ssh/authorized_keys:
cat id_rsa.pub >> ~/.ssh/authorized_keys
Never leave your private key on the server: copy it and keep it in a safe place. Also make sure the permissions are correct:
-rw------- 1 user user  398 2006-11-10 08:20 authorized_keys
-rw------- 1 user user 1743 2006-11-10 08:22 id_rsa
Hardening SSH Service Configuration
We only have to edit one file, the sshd configuration file (/etc/ssh/sshd_config on most distributions).
Make sure the following parameters are set as shown; if any line is missing, just add it at the end of the file!
Port 4422 # Use any random number here!
PermitRootLogin no
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys
ChallengeResponseAuthentication no
PasswordAuthentication no
Port: When hardening something, always use non-standard ports whenever possible!
PermitRootLogin: Prevents the root user from logging in through the SSH service.
RSAAuthentication: Specifies whether pure RSA authentication is allowed. It applies to protocol version 1 only; current OpenSSH releases no longer support protocol 1 and treat this option as deprecated.
PubkeyAuthentication: Allows a user to authenticate with their key pair.
AuthorizedKeysFile: Location where the authorized public keys are stored.
ChallengeResponseAuthentication: Controls support for the "keyboard-interactive" authentication scheme defined in RFC 4256. The "keyboard-interactive" scheme could ask a user any number of multi-faceted questions; in practice it often asks only for the user's password, which is why it is disabled here together with PasswordAuthentication.
PasswordAuthentication: Determines whether you can authenticate with a password via SSH.
After applying these changes you can restart your SSH service with something like service sshd restart. Make sure the new configuration works and you are able to connect before closing the current session, or you may lose access to your server!
With your secret key already on your local host, first make sure the permissions of the file are correct with chmod 600 ~/.ssh/id_rsa, then you can connect with:
ssh -p 4422 -i ~/.ssh/id_rsa user@server_ip
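As an added example (not part of the original guide), the following POSIX shell script audits sshd_config text against the settings listed above before you restart the service, honouring sshd's rule that the first occurrence of a directive wins; the two sample configs and the function names are constructed for this example.

```shell
# Constructed sample configs (not from the guide): a default-style one and one
# matching the guide's settings. sshd directive names are case-insensitive.
WEAK_CFG='# default-style sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes'

HARD_CFG='Port 4422
PermitRootLogin no
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys
ChallengeResponseAuthentication no
PasswordAuthentication no
# sshd keeps the FIRST value, so this later duplicate must be ignored:
PasswordAuthentication yes'

# Effective value of DIRECTIVE in config text CFG: first match wins, as in sshd.
sshd_get() {   # sshd_get CFG DIRECTIVE
    printf '%s\n' "$1" | awk -v key="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == key { print $2; exit }'
}

# Audit CFG against the guide's values. Prints one line per finding and
# returns the number of findings, so 0 means the config is hardened.
check_sshd_config() {   # check_sshd_config CFG
    cfg=$1; bad=0
    for pair in PermitRootLogin=no PubkeyAuthentication=yes \
                PasswordAuthentication=no ChallengeResponseAuthentication=no; do
        key=${pair%%=*}; want=${pair#*=}
        have=$(sshd_get "$cfg" "$key")
        if [ -z "$have" ]; then
            echo "MISSING $key (want $want)"; bad=$((bad + 1))
        elif [ "$have" != "$want" ]; then
            echo "WEAK    $key=$have (want $want)"; bad=$((bad + 1))
        fi
    done
    # Port defaults to 22 when absent; the guide asks for a non-standard one.
    port=$(sshd_get "$cfg" Port)
    if [ "${port:-22}" = "22" ]; then
        echo "WEAK    Port=${port:-22} (want non-standard)"; bad=$((bad + 1))
    fi
    return "$bad"
}

# Demo on the constructed samples.
if check_sshd_config "$WEAK_CFG"; then echo "weak config: OK?!"; else echo "weak config: $? finding(s)"; fi
if check_sshd_config "$HARD_CFG"; then echo "hardened config: OK"; fi
```

To audit a real file, pass its contents, e.g. check_sshd_config "$(cat /etc/ssh/sshd_config)".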
Thanks for reading!