Having learned the hard way what it means to have a security leak in your system, I went out to find tips on how to secure my SSH access a bit better. I had some good tips from readers (thank you to those who sent them) and found some good ones on the internet.
Securing SSH, I found out, is actually not that hard. There is a configuration file, /etc/sshd_config, which can help a lot when tweaked!
I will go through some of the options you’ll want to change if you want to use SSH:
Protocol
The default installation of OpenSSH allows both SSH version 1 and version 2 connections. Version 1 is known to suffer from security vulnerabilities, and it is strongly recommended that only version 2 be used. To disable version 1 connections use
Protocol 2
Disable root access
To prevent the root user from logging in, add or uncomment the line
PermitRootLogin no
Only allow specific users
By default, all users who have local accounts on the system are permitted to log in through SSH. This is not necessary and only provides attackers with more possibilities for an attack. Users with permission to SSH to the system should be clearly defined, and SSH configured to only allow access to those users.
AllowUsers <usernames>
DenyUsers <usernames>
- <usernames> is a list of usernames separated by spaces
- Usernames can contain * and ? as wildcards
- user@host format can be used; it specifies that the given user is allowed/denied only from the host specified
Passwords
To deny access to accounts with no password (this should never be the case), add or uncomment this line:
PermitEmptyPasswords no
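The four settings above can be checked together. The following Python script is an added example, not code from the original post: it parses the global section of an sshd_config text and reports which of the recommended values are not in effect. It relies on sshd using the first value it finds for a keyword and treats a commented-out line as unset; the sample configuration is constructed.

```python
import re

# Values recommended in the article, keyed by lowercase keyword.
RECOMMENDED = {"protocol": "2", "permitrootlogin": "no", "permitemptypasswords": "no"}

# Constructed sample: "PermitRootLogin no" was appended without removing the
# earlier "yes", and the PermitEmptyPasswords line is still commented out.
SAMPLE = """\
Protocol 2
#PermitEmptyPasswords no
PermitRootLogin yes
PermitRootLogin no
"""


def effective_settings(config_text):
    """Return {keyword: value} for the active lines of the global section."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented out: the directive is not active
        parts = re.split(r"[ \t]*=[ \t]*|[ \t]+", line, maxsplit=1)
        keyword = parts[0].lower()  # keywords are case-insensitive
        if keyword == "match":
            break  # conditional Match blocks are outside this check
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(keyword, value)  # first value found is the one used
    return settings


def audit(config_text):
    """Return a list of findings; an empty list means all four checks pass."""
    active = effective_settings(config_text)
    findings = []
    for keyword, wanted in RECOMMENDED.items():
        got = active.get(keyword)
        if got is None:
            findings.append(f"{keyword}: not set, built-in default applies")
        elif got != wanted:
            findings.append(f"{keyword}: is '{got}', article recommends '{wanted}'")
    if not active.get("allowusers"):
        findings.append("allowusers: not set, no allow-list of users")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Run against the sample, it flags the root login line because the earlier "yes" is the value in effect, even though the recommended line appears further down.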
These are the simple ones; there are more elaborate schemes that will secure your system a lot better. Hope you found it useful. If you know other options/settings that will help, please leave a comment or post in the forums.
Other resources on SSH
- Check out these articles from 2004 at the O’Reilly MacDevCenter.
- MacGeekery: Basic OS X Security
- For general security tips check out the whitepapers from Corsaire
September 26th, 2006 at 6:45 pm
Hi Richard,
I think SSH considers first the config file /etc/sshd_config before it reads the /etc/ssh_config file. It does not overwrite the values already set in /etc/sshd_config with the values you set in /etc/ssh_config. Or am I wrong?
Cheers
Dani
November 4th, 2006 at 9:34 pm
Hi Richard,
I used some software called “Secure Shell Helper” (http://www.gideonsoftworks.com/sshhelper.html) to help secure my Mac mini. You can turn off password-based SSH logins entirely and generate the required public and private key files for installation on your server and any client computers you’d like to connect from. And the keys can be encrypted so that they require a separate pass-phrase to be used before a successful connection can be made. Using key files instead of the normal passwords should potentially protect you more from brute-force dictionary login attacks.
This setup would mean that you can’t connect to your server from just any computer (unless you carry and install the right key file from a flash drive), but if you do most of your administration from one or two laptops, I think it’s a good solution.
-Nate