SSH Best Practices

SSH Best Practices

In organizations it is very imporant to follow best practices while implementing SSH. We want to be able to login to machines using SSH which provides security but at the same safety from external hackers should be ensured. Once the SSH servers are hacked critical data can be compromised, and once an attacker gains access to SSH private keys, they can use these keys to authenticate and gain unauthorized access to servers or systems protected by those keys. Attackers with access to compromised SSH keys can modify or delete critical files, install backdoors, disrupt services, or even cause irreversible damage to the system. Security breaches resulting from compromised SSH keys can damage the organization's reputation, leading to financial losses, legal liabilities, and potential regulatory consequences. Therefore it becomes very significant to deploy best safety practices.

  1. Key-based authentication: Instead of relying on passwords, use key-based authentication for SSH connections. Generate a key pair using ssh-keygen (if you haven’t already), and then copy the public key (~/.ssh/id_rsa.pub) to the remote server's ~/.ssh/authorized_keys file.
  2. Use strong passphrases for keys: If you choose to set a passphrase for your SSH key (which is recommended), make sure it's a strong and unique passphrase. This is asked when you are generating keys using ssh-keygen
  3. Disable SSH root login: In your SSH server configuration file (usually located at /etc/ssh/sshd_config), set PermitRootLogin no to prevent direct root logins via SSH. This enhances security by forcing users to log in as a regular user and then use sudo to perform administrative tasks.
  4. SSH port change: Consider changing the default SSH port (port 22) to a non-standard port. This can help reduce automated attacks targeting the default port. Update the Port directive in /etc/ssh/sshd_config and restart the SSH service
  5. Limit SSH access: If possible, restrict SSH access to specific users or groups. You can utilize the AllowUsers, AllowGroups, or DenyUsers directives in the SSH configuration file.
  6. Firewall rules: Implement firewall rules (using tools like ufw on Linux) to allow SSH access only from trusted IP addresses or networks
  7. SSH session timeouts: Configure SSH session timeouts to automatically disconnect idle sessions after a specified period. Use the ClientAliveInterval and ClientAliveCountMax options in /etc/ssh/sshd_config to manage this.
  8. Two-factor authentication (2FA): Consider implementing 2FA for SSH, which adds an extra layer of security. Tools like Google Authenticator or Duo can be integrated with SSH.
  9. Use SSH certificates: Instead of traditional SSH keys, consider using SSH certificates, which provide more control and better security management over authentication.
  10. Use a bastion host: A bastion host is a computer specifically designed to withhold malicious traffic and attacks from a network. The bastion is exposed on a public network and hosts a single application. Other services are limited to reduce the threat to the computer.The bastion hosts are highly exposed to the public, and their existence is well-known on the Internet. A bastion host is often the first point in the network, right before the firewall. It protects the systems behind it.Setting up a bastion host may help boost security and safeguard your system when two channels establish an SSH connection
  11. Audit logs and monitoring: Enable SSH logging (LogLevel VERBOSE in sshd_config) and regularly review SSH logs for any suspicious activities. Additionally, consider implementing monitoring solutions to alert you of any unusual SSH login attempts.
  12. Periodic key rotation: Regularly rotate SSH keys and disable any unused keys to prevent potential misuse by unauthorized entities.

Conclusion: By combining these practices, you can significantly improve the security posture of your SSH servers and reduce the risk of unauthorized access or hacking attempts. Remember, security is an ongoing process, and it's crucial to stay vigilant and adapt to emerging threats by keeping systems up-to-date and continuously improving security measures.

To know more about setting up an SSH lab and that too using Docker please consider my previous article Setting up an SSH Lab using Docker. To know more about setting up a SSH bastion host this article from teleport is useful.

Sourabh Dhingra

《Senior SDET》Python | Javascript | Java | Scala | Rest API | Microservices | Automation Innovator | Continuous Testing | Web Development | Leading with Quality

9 个月
回复

要查看或添加评论,请登录

社区洞察

其他会员也浏览了