Having learned the hard way what it means to have a security leak in your system I went out to find tips on how to secure my SSH access a bit better. I had some good tips from readers, thank you who did, and found some good ones on the internet.
Securing SSH, I found out, is actually not that hard. There is a configuration file
/etc/sshd_config which when tweaked can help a lot !
I will go through some of the options you’ll want to change if you want to use SSH:
The default installation of OpenSSH allows both SSH version 1 and version 2 connections. Version 1 is known to suffer from security vulnerabilities, and it is strongly recommended that only version 2 be used. To disable version 1 connections use
Disable root access
To disallow the root user to login, add/uncomment the line
Only allow specific users
By default, all users who have local accounts on the system are permitted to login through SSH. This is not necessary and only provides attackers with more possibilities for an attack. Users with permission to SSH to the systems should be clearly defined and SSH configured to only allow access to those users.
AllowUsers <usernames> DenyUsers <usernames>
- <usernames> is a list of usernames separated by spaces
- Usernames can contain * and ? as wildcards
- user@host format can be used; it specifies that the given user is allowed/denied only from the host specified
To prevent users with no password (this should never be the case) access to the system add/uncomment this line:
This are the simple ones, there are more elaborate schemes, that will secure your system a lot better. Hope you found it useful. I you know other options/settings that will help please leave a comment or post in the forums.
Other resources on SSH
- Check out these articles from 2004 at the O’Reilly MacDevCenter.
- MacGeekery: Basic OS X Security
- For general security tips check out the whitepapers from Corsaire
- No related posts