# Best practice for securing ssh

## mitchy

I have SSH open on my system, but would like to ensure I'm doing so in the most secure method.  So far I've done the following:

* Configured SSH to use a non-standard port
* Configured SSH to disallow root logins
* Configured SSH to allow a max of 3 retries
* Emerged denyhosts and configured it to add IPs to the /etc/hosts.deny list that have more than 5 failed login attempts

Are there any other items I should consider doing to help better secure my system?  Items I'm considering are:

* Requiring the use of a private key when logging in

Thanks

----------

## tarpman

Disable password authentication completely, and use a DSA key (ssh-keygen -t dsa) with a strong passphrase for logging in.

----------

## mitchy

Does leaving password authentication turned on help at all?  I'm guessing using a key with a good passphrase is stronger than just a password, but are both even better?  Also, any other changes to my sshd_conf I should consider?

----------

## linear

If you really want security, have you considered port-knocking?

The net-misc/knock package?

HTH.

----------

## mitchy

I've read some about the port knocking as well, but am not sure if I will set it up or not.  I purposely left it off my question to see if people would suggest using it or not.  I'm interested in your opinion on how far to go here (seems like there is a wide range of schemes people use, from simple to very complex).

----------

## vaguy02

I use a program called fail2ban (in Portage). It's pretty good, easy to configure, and automatically blocks an IP address after 3 failed attempts to SSH into the box. You can configure how long the ban is effective for, etc.

Robert
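What a fail2ban-style filter actually does with the sshd log, as an added illustration (not fail2ban's own code and not from this thread): parse failed-login lines and ban a source after `maxretry` failures within `findtime` seconds, for `bantime` seconds. The log lines are constructed samples and the regex is modelled on OpenSSH's auth.log messages, whose exact wording varies by version.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Modelled on OpenSSH auth.log messages; sshd's exact wording varies by version.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Failed password for (?:invalid user )?\S+ from (?P<ip1>[\d.]+)"
    r"|Invalid user \S+ from (?P<ip2>[\d.]+))"
)

def parse_line(line, year=2008):
    """Return (timestamp, source ip) for a failed-login line, else None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("ip1") or m.group("ip2")

def compute_bans(lines, maxretry=3, findtime=600, bantime=3600):
    """Ban a host after `maxretry` failures within `findtime` seconds,
    for `bantime` seconds. Returns {ip: (ban_start, ban_end)}."""
    failures = defaultdict(list)
    bans = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip = parsed
        if ip in bans and ts < bans[ip][1]:
            continue  # firewall drops the banned host; ignore it until the ban lapses
        # Sliding window: keep only failures inside the last `findtime` seconds.
        window = [t for t in failures[ip] if ts - t <= timedelta(seconds=findtime)]
        window.append(ts)
        failures[ip] = window
        if len(window) >= maxretry:
            bans[ip] = (ts, ts + timedelta(seconds=bantime))
            failures[ip] = []
    return bans

# Constructed sample log: one brute-forcer, one legitimate user with a typo.
SAMPLE_LOG = [
    "Mar 12 10:00:01 gentoo sshd[2231]: Failed password for root from 203.0.113.7 port 4412 ssh2",
    "Mar 12 10:00:05 gentoo sshd[2233]: Failed password for invalid user admin from 203.0.113.7 port 4418 ssh2",
    "Mar 12 10:00:09 gentoo sshd[2235]: Invalid user oracle from 203.0.113.7",
    "Mar 12 10:00:11 gentoo sshd[2236]: Failed password for invalid user oracle from 203.0.113.7 port 4420 ssh2",
    "Mar 12 10:02:00 gentoo sshd[2240]: Accepted publickey for mitchy from 198.51.100.20 port 5000 ssh2",
    "Mar 12 10:03:00 gentoo sshd[2241]: Failed password for mitchy from 198.51.100.20 port 5001 ssh2",
    "Mar 12 10:30:00 gentoo sshd[2250]: Failed password for mitchy from 198.51.100.20 port 5002 ssh2",
]
```

With the defaults only the brute-forcer is banned; the legitimate user's two failures are 27 minutes apart and never fill the window.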

----------

## mitchy

I decided to require a key for ssh as that sounds like it's the most secure. Also just an FYI for other n00bies out there, I think I answered my question about keeping password authentication enabled as well. If you do that, then people have a choice on how to log in - either using a password or using a key with passphrase. Allowing both really defeats the extra security of using the key. It also appears that disabling the password authentication removes the need for using something like denyhosts or fail2ban.

----------

## djdunn

RSA is more secure than DSA. If I remember right, the SHA-1 thing obliterated DSA's security. I'm not sure if they still use SHA-1 in DSA, but I don't use DSA anymore because of it. Plus, if you use GnuPG, your RSA key can also be used for encryption.

----------

## mitchy

djdunn, thanks for reminding me - I originally was going to go with DSA as recommended above, but I read that RSA is more secure than DSA.  So to summarize the changes I've now made:

* Configured SSH to use a non-standard port
* Configured SSH to disallow root logins
* Configured SSH to require the use of a private key
* Configured SSH to disallow password only logins
* Using an RSA key (instead of DSA)

I decided not to go with a port-knocking package yet, but am still investigating...

----------

## djdunn

I edited above, you caught me quick.

But you can use gpg-agent to use GPG keys for SSH.

GnuPG is really nice; you can start signing emails and get a separate RSA key to encrypt email. I wish the whole world would start signing emails.

----------

## darkphader

> *mitchy wrote:*
>
> Configured SSH to use a non-standard port
>
> Configured SSH to disallow root logins
>
> ...

Not sure how important one key type vs another is unless you feel that someone is sniffing your network - and if they're doing that then changing ports is superfluous. Adding extra packages, like denyhosts, or using port knocking just seems like additional layers that could have their own security issues.

Having said that, basically I do the same plus adding the "AllowUsers" statement to sshd_config to only allow access by specific users. My networks are fronted by OpenBSD firewalls running PF and only the firewalls allow such access from any IP. To get to inside systems one must either source from specific IP addresses or first authenticate via OpenBSD's authpf; this way I can basically secure access via less secure mechanisms such as VNC.

In case I'm on the local network and for any reason my private key is not available I do allow local access to the firewall via password authentication using the "Match Address" feature of ssh - Example:

```
Match Address 192.168.99.*
        PasswordAuthentication yes
```

Of course, I don't expect any hacking attempts to come from within the local subnet. Your situation may be different.

Chris
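Pulling mitchy's summary and darkphader's AllowUsers and Match Address additions into one file, as an added example that is not any poster's actual configuration; the port number, user name and subnet are placeholders:

```sshd_config
# Added example, not any poster's actual file: the thread's settings in one place.
# Port, user name and subnet are placeholders.

Port 2222
# Non-standard port: hides you from scanners looking for 22, nothing more.

PermitRootLogin no
MaxAuthTries 3

# Key-only logins. Both of these must be "no", or sshd can still prompt for a
# password through keyboard-interactive (PAM). Newer OpenSSH spells the
# second one KbdInteractiveAuthentication.
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no

# Only listed accounts may log in over SSH; other shell accounts on the box
# are simply absent from the list. AllowGroups does the same per group.
AllowUsers mitchy

# Password fallback from the LAN only, darkphader's trick in CIDR form. Match
# blocks go at the end of the file: every line after a Match belongs to it.
Match Address 192.168.99.0/24
    PasswordAuthentication yes
```

Check the file with `sshd -t` and keep your current session open while you restart sshd, so a typo cannot lock you out.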

----------

## timeBandit

> *mitchy wrote:*
>
> It also appears that disabling the password authentication removes the need for using something like denyhosts or fail2ban.

Mostly...but even with key-only logins and a non-standard port, such a package is still useful. If nothing else, when a script kiddie finds you and hammers your SSH port, banning him kills the noise that would otherwise accumulate in your system log.

I'm set up pretty much the way you've planned, with the additional requirement of an AllowGroups restriction in sshd_config.

----------

## mitchy

Thanks darkphader, it's helpful to hear someone else's setup.  I currently only have one system, so all ssh will be from external IPs that will use my key, but that's a nice trick in case I get another box in the future.  My system is really just for personal use and is behind a router only (no software firewall).  Do you recommend also running a software firewall on my system?  I will also probably give my wife an id on the system in case she needs to get on it, but will not allow her id ssh privileges.  So I think I'll end up using the AllowUsers to do handle that as well.

----------

## mitchy

Thanks for the info timeBandit.  I don't expect that switching to a non-standard SSH port will do much, but I figure that it's an easy change that at least has the possibility to filter out some basic attacks.  It's like moving your front door to the back - anyone who really wants to get in can still find the door.  All this is still fairly new to me though, so it's good to have the discussion and really understand what each setting gets me.

----------

## darkphader

> *mitchy wrote:*
>
> Do you recommend also running a software firewall on my system?

I can only say that I don't. I think they're more trouble than they're worth. But again, I have a nice secure box in between the internal networks and the world.

As a note, when I ran ssh on the standard port I had lots of logged hack attempts. Since changing to a non-standard port - on 6 different networks I administer, three years ago, I have seen no, none, nothing, I mean absolutely zero, hack in attempts. Basically, unless someone really wants you, that is, unless you, or your firm are a predetermined valuable target, you are unlikely to see any activity. The non-standard port stops the nonsense, the bots that are looking for easy prey - they just don't check all the ports on every system. YMMV

Chris

----------

## timeBandit

> *darkphader wrote:*
>
> As a note, when I ran ssh on the standard port I had lots of logged hack attempts. Since changing to a non-standard port - on 6 different networks I administer, three years ago, I have seen no, none, nothing, I mean absolutely zero, hack in attempts. ...The non-standard port stops the nonsense, the bots that are looking for easy prey - they just don't check all the ports on every system.

Thanks for that info, I've been giving the bots (and "conventional wisdom") too much credit. I edited my earlier post--no sense making life easier for any script-writing slime who stumble onto this.

----------

## Ox-

I administered a cluster of 5 gentoo machines for about 6 years.  These machines were used for a game service, which means they were subject to specific direct attacks (i.e. not just script kiddies scanning standard SSH port). There were only two outward facing services: ssh and the port for gaming service.  For five years I ran with:

* no firewall
* no denyhosts
* ssh with disallow root and private key only

The only time I did an emerge was for new versions of ssh.

During that last year the servers had high traffic so I finally ran iptables to stop DoS attacks and I used port knocking for SSH.  I was real happy with the port knocking solution, but I was the only user on the machine. Once I had knocking set up I then let nessus and https (for cacti and mysqladmin) run full time on an outward facing port.

My machines were never hacked, even when some "unadministered" machines on the same subnet were hacked through a php forum app, and my private keys were on those machines.

At my current workplace I run denyhosts on my desktop machine, for the first time ever, but that's just because it's my desktop. Ends up it only bans two or three IPs a day, so now I don't think it's even worth running.

----------

## deathcon1

I'm using a package called 'denyhosts' (it's in Portage) to secure my server against bots. Look into it as an added layer of security; there's too much you can do with it to explain here, but I'll try to summarize:

* can ban IPs for X days after Y failed login attempts, customizable per account
* can download/upload IPs to be blocked from a central server that other users of Denyhosts connect to
* automagically takes care of IPs, so after X time delay the IP gets unblocked

----------

## djdunn

First of all, script kiddies or worse are always sniffing networks and IP addresses; I get hit by one or two every week.

If you want to be really safe, get a really old Pentium 2 or 3 computer like the one you had before you bought this one. Put two NICs in it, a 5 gig or whatever size HD you have, throw in a floppy and get a cheap switch. Get the network install of OpenBSD; all it takes is one 3.5" floppy. Install OpenBSD on it. OpenBSD has had only two remote vulnerabilities in the last 10 years. Set up the OpenBSD pf firewall based on a deny-all system and open up only what you need, which is 210% better than iptables port knocking behind.

The power of OpenBSD: it comes out of the box locked down like a frog's behind in a watermelon seed fight.

----------

## machinelou

I have a question about using private keys only for logging in.  To login from a semi-public computer (e.g., a work computer that might occasionally be shared by others), is it best practice to carry your key around on a USB stick (maybe with putty configured to use your key) and login that way?  It just seems pointless if you end up leaving your key on some computer's harddrive or cache.

----------

## tarpman

> *machinelou wrote:*
>
> I have a question about using private keys only for logging in.  To login from a semi-public computer (e.g., a work computer that might occasionally be shared by others), is it best practice to carry your key around on a USB stick (maybe with putty configured to use your key) and login that way?  It just seems pointless if you end up leaving your key on some computer's harddrive or cache.

Hence the use of a strong passphrase - in the worst case scenario it is no less secure than password authentication, and in the majority of scenarios significantly better.

You shouldn't need to copy your key onto the hard drive anyway - PuTTY is perfectly capable of opening it right from the USB stick.

----------

## GNUtoo

And also be careful about security bugs.

For instance, the last security bug in OpenSSL is problematic because it could permit someone to take control of your system (https://forums.gentoo.org/viewtopic-t-595676.html).

Maybe someone should write some program to warn users when there is a new GLSA... but I don't think the following is a good idea (because of the huge traffic on the announcements page of the forum):

* scrape the announcements page
* display the new announcements in the tray (with gtk2/libegg or whatever)

I also have a question on SSH...

I use one-time passwords... but how do I need to set up denyhosts to match failed attempts on one-time passwords?

----------

## tarpman

> *GNUtoo wrote:*
>
> Maybe someone should write some program to warn users when there is a new GLSA...

You mean something like glsa-check(1)?

----------

## GNUtoo

> *tarpman wrote:*
>
> > *GNUtoo wrote:* Maybe someone should write some program to warn users when there is a new GLSA...
>
> You mean something like glsa-check(1)?

No, I don't.

The problem with glsa-check is that you need to synchronise Portage to see the security bugs.

----------

## mitchy

I just set up a cron job to first sync my Portage tree once a day, and then run a glsa script. I modified the script a little so that I get a nice e-mail each day either listing security issues or telling me I have zero issues.

----------

## mv

> *darkphader wrote:*
>
> Adding extra packages, like denyhosts, or using port knocking just seems like additional layers that could have their own security issues.

One can implement a simple portknocking solution using only iptables.

----------

