<p>Thoughts on SSH Security, by Pig Monkey, 2008-10-03 (updated 2012-12-22)</p>
<p><a href="http://www.openssh.com/">OpenSSH</a> has a strong security record. Only rarely are holes found in the program itself; it is much more likely that a system will be compromised through poor configuration of the SSH daemon. Ideally, an SSH config would allow only protocol 2 connections, allow only specified users to connect (and certainly not root), disable X11 forwarding, disable password authentication (forcing SSH keys instead), and allow connections only from specified IPs. These config options would look like this:</p>
<div class="highlight"><pre><span></span><code>Protocol 2
PermitRootLogin no
AllowUsers demo
X11Forwarding no
PasswordAuthentication no
</code></pre></div>
<p>Allowing connections from only specified IP addresses would be accomplished by adding something like the following to <code>/etc/hosts.deny</code>:</p>
<div class="highlight"><pre><span></span><code><span class="n">sshd</span><span class="o">:</span><span class="w"> </span><span class="n">ALL</span><span class="w"> </span><span class="err">#</span><span class="w"> </span><span class="n">Deny</span><span class="w"> </span><span class="n">all</span><span class="w"> </span><span class="n">by</span><span class="w"> </span><span class="k">default</span><span class="w"></span>
<span class="n">sshd</span><span class="o">:</span><span class="w"> </span><span class="mf">192.168</span><span class="o">.</span><span class="mf">1.0</span><span class="o">/</span><span class="mf">255.255</span><span class="o">.</span><span class="mf">255.0</span><span class="w"> </span><span class="err">#</span><span class="w"> </span><span class="n">Allow</span><span class="w"> </span><span class="k">this</span><span class="w"> </span><span class="n">subnet</span><span class="w"></span>
<span class="n">sshd</span><span class="o">:</span><span class="w"> </span><span class="mf">4.2</span><span class="o">.</span><span class="mf">2.1</span><span class="w"> </span><span class="err">#</span><span class="w"> </span><span class="n">Allow</span><span class="w"> </span><span class="k">this</span><span class="w"> </span><span class="n">IP</span><span class="w"></span>
</code></pre></div>
<p>(You could also accomplish this with iptables, but I think editing the above file is simpler.)</p>
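<p>As an added check (example code written for this page, not from the original post), the following Python audits an <code>sshd_config</code> against the settings listed above, following sshd's own parsing rules: keywords are case-insensitive, the first occurrence of a keyword wins, and anything after a <code>Match</code> line is conditional rather than global. The sample config is constructed.</p>

```python
"""Audit an sshd_config against the hardening settings recommended above."""
import re
# Lower-cased keyword -> required value; None means "must be set and non-empty".
BASELINE = {
    "protocol": "2",  # a no-op on OpenSSH 7.4+, where protocol 1 support is gone
    "permitrootlogin": "no",
    "allowusers": None,
    "x11forwarding": "no",
    "passwordauthentication": "no",
}

def parse_sshd_config(text):
    """Global {keyword: value} view per sshd's rules: keywords are case-insensitive,
    the FIRST occurrence wins, '#' starts a comment, a Match line ends the global part."""
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        effective.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return effective

def audit_sshd_config(text):
    """Return a list of findings; an empty list means the baseline is met."""
    cfg = parse_sshd_config(text)
    findings = []
    for key, want in BASELINE.items():
        got = cfg.get(key)
        if got is None:
            findings.append(f"{key}: not set, so sshd's default applies")
        elif want is None and not got:
            findings.append(f"{key}: set but empty")
        elif want is not None and got.lower() != want:
            findings.append(f"{key}: is '{got}', want '{want}'")
    return findings

# Constructed sample: the duplicate line and the Match block must not hide the weak settings.
WEAK_CONFIG = """\
Protocol 2
PermitRootLogin yes
PermitRootLogin no      # ignored by sshd: the first occurrence wins
AllowUsers demo
PasswordAuthentication yes
Match User demo
    PasswordAuthentication no
"""
```

On a live host, feed it the output of <code>sshd -T</code> instead of the raw file to see the effective settings after includes and defaults.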
<p>But the last two options – disabling password auth and allowing only certain IP addresses – limit mobility. I constantly log in to my <a href="http://pig-monkey.com/2008/06/09/a-move-to-slicehost/">slice</a> from multiple IPs, and I also need to log in while travelling, when I may or may not have my key with me.</p>
<p>The main thing these two options protect against is a brute-force attack. By allowing password logins from any IP, we give the attacker the ability to exploit the weakest part of SSH. This is where <a href="http://denyhosts.sourceforge.net/">DenyHosts</a> comes in.</p>
<p>DenyHosts is a Python script that attempts to recognize and block brute-force attacks. It has many attractive <a href="http://denyhosts.sourceforge.net/features.html">features</a> and is included in the default Ubuntu repositories.</p>
<div class="highlight"><pre><span></span><code>$ sudo aptitude install denyhosts
</code></pre></div>
<p>The config file is located at <code>/etc/denyhosts.conf</code>. It is very simple and readable. I recommend reading through it, but most of the default options are acceptable. If any changes are made, the daemon must be restarted:</p>
<div class="highlight"><pre><span></span><code>$ sudo /etc/init.d/denyhosts restart
</code></pre></div>
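<p>To show what DenyHosts is doing under the hood, here is an added example (written for this page, not DenyHosts' own code) that counts failed password attempts per source address over a few constructed <code>auth.log</code> lines, applies separate thresholds for invalid users, valid users and root, and renders the offenders as <code>hosts.deny</code> entries. The threshold values are this example's choice, not DenyHosts' defaults.</p>

```python
"""Flag SSH password brute forcing from auth.log lines, the way DenyHosts does."""
import re
from collections import Counter

# Both shapes sshd logs for a failed password: with or without "invalid user".
FAILED = re.compile(
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)
# Separate limits per category, as DenyHosts does for invalid users, valid users
# and root; the numbers here are this example's choice, not DenyHosts' defaults.
THRESHOLDS = {"invalid": 5, "valid": 10, "root": 1}

def classify(match):
    """root is its own category; otherwise split on whether the user exists."""
    if match.group("user") == "root":
        return "root"
    return "invalid" if match.group("invalid") else "valid"

def failed_attempts(lines):
    """Return {(ip, category): count} over the given auth.log lines."""
    counts = Counter()
    for line in lines:
        match = FAILED.search(line)
        if match:
            counts[(match.group("ip"), classify(match))] += 1
    return counts

def hosts_to_deny(lines):
    """IPs that crossed the threshold for at least one category, sorted."""
    deny = {ip for (ip, category), n in failed_attempts(lines).items()
            if n >= THRESHOLDS[category]}
    return sorted(deny)

def hosts_deny_entries(ips):
    """Render blocked IPs as the /etc/hosts.deny lines DenyHosts would append."""
    return [f"sshd: {ip}" for ip in ips]

# Constructed sample log lines (documentation addresses, not a real host).
SAMPLE_LOG = """\
Oct  3 10:01:12 slice sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 49152 ssh2
Oct  3 10:01:13 slice sshd[2201]: Failed password for invalid user oracle from 203.0.113.7 port 49153 ssh2
Oct  3 10:01:15 slice sshd[2203]: Failed password for invalid user test from 203.0.113.7 port 49154 ssh2
Oct  3 10:01:16 slice sshd[2204]: Failed password for invalid user guest from 203.0.113.7 port 49155 ssh2
Oct  3 10:01:18 slice sshd[2205]: Failed password for invalid user ftp from 203.0.113.7 port 49156 ssh2
Oct  3 10:02:01 slice sshd[2210]: Failed password for root from 198.51.100.22 port 51000 ssh2
Oct  3 10:03:40 slice sshd[2215]: Failed password for demo from 192.168.1.10 port 52000 ssh2
Oct  3 10:03:45 slice sshd[2215]: Accepted publickey for demo from 192.168.1.10 port 52000 ssh2
""".splitlines()
```

The single mistyped password for the real user <code>demo</code> stays well under its threshold, while the one root attempt and the burst of invalid usernames are both blocked.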
<h2>Default Ports</h2>
<p>Many people also advocate changing SSH’s default port to something other than 22 (more specifically, something over 1024, which won’t be scanned by default by <a href="http://nmap.org/">nmap</a>). The argument in support of this is that many automated attack scripts look for SSH only on port 22. By changing the port, you save yourself the headache of dealing with script kiddies. Opponents of changing the port argue that the annoyance of having to specify the port number whenever using <code>ssh</code> or <code>scp</code> outweighs the minute security benefit. It’s a heated argument. I lean toward leaving SSH on the default port.</p>