On this article we will talk about a very popular service which is SSH or secure shell. As this is widely used services so this service needs to be secure more than any other services. Now a day most of the system administrator emphases on this service a lot. So we should know about this service better.
Usually centos or redhat OS have this package installed, but if this is not installed then we can install it by running the below command.
#yum install openssh* -y
Once the whole process is done, we are ready to start securing our SSH.
The first thing we should do is deny root login. For doing this we need to open sshd_config file. So run the below command.
#vi /etc/ssh/sshd_config
Now on this file find the line shown below.
PermitRootLogin yes (this line will be commented with a # tag at the front of this line.)
Now copy this line and paste it or write the whole thing.
PermitRootLogin no
Once this is done, we should look for another line mentioned “port 22”. Now change that line with other number that 22. Because we all know that SSH runs on port 22 so most of the attacks may come on port 22 first. If we have our filrewall-cmd running that we need to give some firewall rule to allow the edited port otherwise it is fine.
With this we should ensure that nobody can without an empty password. Because it is quite possible the system administrator may leave a user password as null character. If system admin does such mistake still that user should not be permitted to access server without password. In such situation our SSH is not totally secure, so we should disable empty password login. For this we have to add a line on the configuration file.
PermitEmptyPasswords no
Now if we have few SSH users then we can limit the number of users for access. By this we can ensure that only few users can access this service and we can mention tty session for every user. but here we will first define the users that are allowed to access this service and the rest will be denied. For this we have to add two lines on configuration file.
AllowUsers user1 user2 user3
DenyUsers *
If we configure these lines according to above then we will see that only user1 user2 user3 will be able to access SSH service and the rest of the users not be able to access.
Now on this situation a system admin may want to bind a user with a tty for even more accuracy and history checking. So if we want to do so then it is quite easy task for a system admin. Suppose I would like to bind user1 to tty3 and tty4. So I have to add the below line on the /etc/security/access.conf file.
#vi /etc/security/access.conf
-:user1: tty3 tty4 LOCAL
Now it is also necessary to limit the tty session for this service. This would help keep a trace for further audit.
For this we have to declare a PAM on two files first. Then we have to put a line on /etc/security/limit.conf. What are the files we have to declare the PAM!
- /etc/pam.d/sshd
- /etc/pam.d/system-auth
Now open the first file and add the line on the session section.
#vi /etc/pam.d/sshd
session required pam_limits.so
now save and exit the file. Then open the second file and add the same line on session section.
#vi /etc/pam.d/system-auth
session required pam_limits.so
now save and exit this file too.
Here we have to work on /etc/security/limit.conf file. So we have to open it and exit just one line to make it work.
#vi /etc/security/limit.conf
User1 – maxlogins 5
Now save and exit the file.
After all those work is done we finally can restart the sshd service. For that we need to run the below command.
#systemctl restart sshd
Finally we can say that we have a secure SSH server for the system engineers or system administrators.
