Keeping SSH access secure
Posted by Steve on Wed 2 Feb 2005 at 13:13
There are several worms which attempt to exploit vulnerable SSH servers, by logging in to a host with a collection of usernames and passwords such as "admin/admin", "test/test", "root/root", etc. These shouldn't be of much concern if you're keeping good passwords, but there are simple ways to prevent them regardless.
The most obvious way to prevent people connecting to your host is to only allow connections from small number of IP addresses, by the use of a firewall.
If you're currently running a firewall you can add to it to :
- Accept incoming SSH connections from a trusted address.
- Drop all other connections.
Using the iptables firewall commands you can do this as follows:
# All connectsion from address 1.2.3.4 to SSH (port 22) iptables -A INPUT -p tcp -m state --state NEW --source 1.2.3.4 --dport 22 -j ACCEPT # Deny all other SSH connections iptables -A INPUT -p tcp --dport 22 -j DROP
If you're not running a firewall, or you don't wish to mess with the setup you can look at another way of restricting access. The Debian packages of openSSH are compiled with tcpwrappers support, which means you can specify which hosts are allowed to connect without touching your firewall.
The two important files are:
/etc/hosts.allow /etc/hosts.deny
The first can contain entries of hosts which are allowed to connect, the second contains addresses which are blocked.
Assuming that you wish to allow the remote addresses 1.2.3.x, and 192.168.0.x to connect but nothing else you would setup the files as follows. Firstly allow access by placing the following inside /etc/hosts.allow:
# /etc/hosts.allow sshd: 1.2.3.0/255.255.255.0 sshd: 192.168.0.0/255.255.255.0
Then disallow all further access by placing this in /etc/hosts.deny:
# /etc/hosts.deny sshd: ALL
Finally you can look at the ssh configuration itself, this has several useful security options you can enable.
The ssh server is configured by the file /etc/ssh/sshd_config. If you wish you can restrict remote access to specific users.
For example to only allow "bob" and "chris" to login add the following:
AllowUsers bob chris
With this setting in place (after the server has been restarted with "/etc/init.d/ssh restart") all other users will be unable to connect via SSH even if they login with the correct username and password.
You can also explicitly deny particular users:
DenyUsers badness paula
Probably the most important setting you can change in the sshd_config file is the following:
PermitRootLogin no
With this setting set to "no" remote root logins are denied.
[ Send Message | View Steve's Scratchpad | View Weblogs ]
# Logging SyslogFacility AUTH LogLevel INFODespite trying to log in with a bad username or password, I cannot find a "failed login" attempt in any of my /var/log/* files, what file is this logged to?
The logging is handled by syslog, so by default I'd expect you to find your information in /var/log/auth.*.
For a bad logins you should see something like this:
Failed password for root from x.x.x.x port 4204 ssh2
Is it possible to have ssh log all of its activity to /var/log/sssd.log?
If you dont want to use syslog you can modify the startup script for sshd. The "-e" flag will make it write all it's output messages to STDOUT, which you can redirect to a logfile of your own. I must admit I've not tried this though. ("man sshd" describes this and other sshd options:)
Thanks for the great site btw :P
Thanks :)
Steve
-- Steve.org.uk
[ Parent | Reply to this comment ]
Hi Mr./Miss. Anonymous,
Whatever u r doing with SSH,a log of the same is getting created in /var/log/messages.
So,please go thru that file.
Hitesh
[ Parent | Reply to this comment ]
The above is true for Ubuntu. It may be logged to a different location on other distros..I'm not sure.
More information on LogLevel VERBOSE: https://help.ubuntu.com/community/SSH/OpenSSH/Configuring#Log_Mor e_Information
[ Parent | Reply to this comment ]
[ Parent | Reply to this comment ]
[ Send Message | View Steve's Scratchpad | View Weblogs ]
Running on a different port will stop you from receiving connections which just blindly connect to port 22 - but it will do nothing to protect you from somebody running a complete nmap scan - as that will recognise the service by the banner regardless of the port.
Port-knocking I'm still in two minds about ..
Steve
-- Steve.org.uk
[ Parent | Reply to this comment ]
Thanks for nice article! :) Probably "firewall firewall" is a slight mistake.
Regards!
P.
[ Parent | Reply to this comment ]
[ Send Message | View Steve's Scratchpad | View Weblogs ]
Thanks, I've corrected that now.
Steve
-- Steve.org.uk
[ Parent | Reply to this comment ]
You can lock off all system access to anyone not defined as an end-user, and don't have to fiddle with the configuration each time you add a new customer/client to the system to specifically permit them access as all they need is group membership of the permitted end-user group.
[ Parent | Reply to this comment ]
[ Parent | Reply to this comment ]
GermanyZulu
[ Parent | Reply to this comment ]
Thx. for replying .:-)
[ Parent | Reply to this comment ]
[ Parent | Reply to this comment ]
Blocking repeat SSH attacks with IPTables
I did notice though, since I'm running IPV6 that I see the IPV6 address, and that of course doesn't appear to block real well... I've been remiss in not rebooting my toy server since I was playing with IPV6 tunneling.
[ Parent | Reply to this comment ]
[ Parent | Reply to this comment ]
Enjoy
--
yarikoptic
[ Parent | Reply to this comment ]
[ Parent | Reply to this comment ]
It sends an email when anyone logs in.
Can be easyly changed to detect a specific user login.
Marcelo Correa
#!/usr/bin/perl # user_monitor.pl v0.4 :: keep track on who's logged in # Written by Stephan Schmieder - http://www.unix-geek.info, 2003 # Usage: ./user-monitor.pl& use strict; use warnings; use diagnostics; use Net::SMTP; #configuration my $server =`uname -a|cut -d" " -f2`; my $smtp_server ='localhost'; my $mail_to ='all_logins@gmail.com'; my $mail_from ='root@' . $server; my $subject ="$server :: User login monitor"; #configuration my @old_users=split(/\n/, qx/who/); while(sleep(60)) { my @users=split(/\n/, qx/who/); if(@users ne @old_users) { my $smtp = Net::SMTP->new($smtp_server); die "Couldn't connect to server" unless $smtp; $smtp->mail( $mail_from ); $smtp->to( $mail_to ); $smtp->data(); $smtp->datasend("Subject: $subject\n\n"); foreach my $user (@users) { $smtp->datasend("$user\n"); } $smtp->dataend(); $smtp->quit(); } @old_users=@users; }
[ Parent | Reply to this comment ]
AllowGroups sshgroup
addgroup --gid 250 sshgroup
adduser username sshgroup
restart ssh
now only the users listed in sshgroup can login
very simpel, works good.
[ Parent | Reply to this comment ]
On my system the file is ssh (not sshd).
Is there are difference between versions of debian?
[ Parent | Reply to this comment ]
[ Send Message | View Steve's Scratchpad | View Weblogs ]
Nope, my mistake.
Steve
-- Steve.org.uk
[ Parent | Reply to this comment ]
thanks
[ Parent | Reply to this comment ]
[ Send Message | View Steve's Scratchpad | View Weblogs ]
Looks like you're editing the right file /etc/ssh/sshd_config, and restarting it properly "/etc/init.d/ssh restart".
Why it is failing is hard to guess without seeing the changes you've made ..
Steve
--
[ Parent | Reply to this comment ]
i rebooted the system and my ssh settings changed, but still don't know why restarting from the command line didn't work.
i basically took the default config file and added/modified these lines:
Port 2222
PermitRootLogin no
AllowUsers user
thanks again,
[ Parent | Reply to this comment ]
[ Parent | Reply to this comment ]
[ Parent | Reply to this comment ]
Mar 10 14:20:00 orso sshd[20106]: Invalid user monica from 202.62.73.20
Mar 10 14:20:05 orso sshd[20121]: Invalid user moni from 202.62.73.20
Mar 10 14:20:09 orso sshd[20127]: Invalid user molly from 202.62.73.20
etc. However when an existing user is hit, the error reads differently, namely reporting an "Authentication failure for ..." So common logins with weak passwords are assured to yield!
Fabrice.
[ Parent | Reply to this comment ]
# All connectsion from address 1.2.3.4 to SSH (port 22)
iptables -A INPUT -p tcp -m state --state NEW --source 1.2.3.4 --dport 22 -j ACCEPT
Why does this rule has ``--state NEW''? Don't we need to also allow ESTABLISHED packets? Without ESTABLISHED the rule didn't work for me -- when trying to login, I was seeing "Connection established" message, and then the client "froze", no password prompt.
BTW, there's a typo -- connectsions -> connections.
Thanks for the nice article,
Oleg
[ Parent | Reply to this comment ]
then i tried again without the restrictions and i can get to the place where it asks me to logon and i can type the user name but then it tells me that the server unexpectedly closed the connection.
any solution?
-btw im running an ubuntu server
[ Parent | Reply to this comment ]
Thanks a lot for posting 'keeping SSH access secure' this was very useful in configuring a critical production server using Red Hat Enterprise Linux.
Your article helped us in restricting SSH access for users which was not required.
Regards,
Manjunath Mariyappa
[ Parent | Reply to this comment ]
For the benefit of others, I found these instructions and used them to restrict ssh logons to my ISP's IP range. The first thing that you should know is that changes to hosts.deny and allow are immediate. You don't need to restart ssh.
That is a good thing, because you can check if you still have access before closing your current ssh session. In my case this was a life saver because the syntax for specifying a range here (1.2.3.4/255.255.255.0) didn't work. I was locked out. I eventually found that using the syntax:
sshd : ALL Except 1.2.3.*
in hosts.deny and nothing in hosts.allow worked for me.
[ Parent | Reply to this comment ]
[ Send Message | View Weblogs ]
I have put:
#deny users
DenyUsers admin Admin test root
and also:
# Authentication:
LoginGraceTime 600
PermitRootLogin no
StrictModes yes
into my /etc/ssh/sshd_config on my Woody server.
I also have AllowUsers listing the only four usernames allowed to ssh in.
I will add thier ip address's to hosts.allow, I didnt think of that.
One question...
# Logging
SyslogFacility AUTH
LogLevel INFO
Despite trying to log in with a bad username or password, I cannot find a "failed login" attempt in any of my /var/log/*
files, what file is this logged to?
Is it possible to have ssh log all of its activity to /var/log/sssd.log?
This would be much easier for me.
Thanks for the great site btw :P
[ Parent | Reply to this comment ]