{"id":756,"date":"2014-02-04T15:49:54","date_gmt":"2014-02-04T20:49:54","guid":{"rendered":"http:\/\/www.gtcomm.net\/blog\/?p=756"},"modified":"2017-04-19T15:57:07","modified_gmt":"2017-04-19T19:57:07","slug":"securing-a-linux-server-hardening-ssh-security","status":"publish","type":"post","link":"https:\/\/www.globo.tech\/learning-center\/securing-a-linux-server-hardening-ssh-security\/","title":{"rendered":"Securing a linux server : hardening SSH &#8211; Intermediate"},"content":{"rendered":"<p>Long ago there was Telnet, an insecure, text-based remote shell protocol that let you connect to remote servers. However, because it was clear-text, anyone on the line could sniff packets or mount a man-in-the-middle attack and obtain the data carried between the client and the server. The Secure Shell (SSH) was created to fix these flaws as the web was becoming a dangerous place to live. However, even though SSH is inherently more secure, a misconfigured SSH service constitutes a security hole in your server&#8217;s defence.<\/p>\n<p>Here are some tips you should follow.<\/p>\n<p><!--more--><\/p>\n<h2>Don&#8217;t allow root login<\/h2>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignright size-full wp-image-763\" src=\"https:\/\/www.globo.tech\/learning-center\/wp-content\/uploads\/2014\/02\/disallow-root-user.jpg\" alt=\"disallow root user\" width=\"197\" height=\"197\" \/><\/p>\n<p id=\"docs-internal-guid-101f76fc-fdc0-975c-abfd-f8d8177ad0d5\" dir=\"ltr\">This is often repeated, yet even the most seasoned sysadmins often forget it: one should never log in directly as root. If your root user can be used to log in, its password can be brute-forced. As root cannot be renamed, every Linux system (and many other operating systems) has a user named root. 
As such, it is an easy target for bots and hackers scanning IP addresses in search of poorly secured systems.<\/p>\n<p dir=\"ltr\">To disable remote root login, ensure that PermitRootLogin is set to &#8220;no&#8221; in the \/etc\/ssh\/sshd_config configuration file.<\/p>\n<h2>Root account password &amp; sudo<\/h2>\n<p>Disabling root login doesn&#8217;t prevent one from gaining root privileges using either su or sudo. su leaves little other than the stock <a href=\"http:\/\/www.cyberciti.biz\/faq\/rhel-fedora-centos-linux-password-quality-control\/\" target=\"_blank\">PAM policies<\/a> to protect the root account. sudo, on the other hand, is configurable and lets you restrict sudoers by group and limit the commands that can be run with it.<\/p>\n<p>Both approaches are totally viable and are hotly debated in the community. sudo, for example, gives you the ability to let various users restart Apache (which can be pretty useful if your Apache process has stability problems).<\/p>\n<p>You will find more about sudo in its manual (man sudoers), and its configuration file (\/etc\/sudoers) is fairly self-explanatory.<\/p>\n<h2>Fail2Ban<\/h2>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignright size-full wp-image-773\" src=\"https:\/\/www.globo.tech\/learning-center\/wp-content\/uploads\/2014\/02\/fail2ban-official-logo.png\" alt=\"fail2ban-official-logo\" width=\"230\" height=\"165\" \/>A quick and easy way to prevent brute-force and denial-of-service attacks is to use <a href=\"http:\/\/www.fail2ban.org\/wiki\/index.php\/Main_Page\" target=\"_blank\">Fail2Ban<\/a>. Fail2Ban is a log-watching daemon that monitors for repeated failures and then blocks the source IP using iptables. Most distributions bundle Fail2Ban with SSH support already built in, and enabling it is a matter of uncommenting the SSH part of the Fail2Ban configuration. I highly suggest you visit the Fail2Ban website and dig into its how-to section. 
It is a powerful tool that can help you mitigate DoS attacks on a lot of other services (like HTTP and FTP).<\/p>\n<h2>Restrict login to SSH group members only<\/h2>\n<p>Restricting who can connect to SSH will allow you to prevent unwanted or untrusted users from logging in. You should always enable this, even if all your users are remote ones. This will prevent system accounts used by daemons from being used to connect if they ever get hijacked.<\/p>\n<p>Using the AllowGroups setting in the \/etc\/ssh\/sshd_config configuration file, you can set which groups can log in.<\/p>\n<h2>Disable password login<\/h2>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-769\" src=\"https:\/\/www.globo.tech\/learning-center\/wp-content\/uploads\/2014\/02\/disable-login-root-sshd_config.png\" alt=\"disable-login-root-sshd_config\" width=\"533\" height=\"298\" \/><\/p>\n<p id=\"docs-internal-guid-101f76fc-fdbf-80fa-6a47-17fa99a81fa2\" dir=\"ltr\">Passwords are the weakest part of modern authentication schemes. If you have no requirement for password-based authentication, use certificate-based authentication instead. It will prevent all kinds of headaches, like users locking themselves out by forgetting their password. However, you should remind your users that they are responsible for their certificates and have to keep them secure. Before doing this, however, be sure you can successfully authenticate using a certificate. 
You can follow <a href=\"http:\/\/wiki.centos.org\/HowTos\/Network\/SecuringSSH#head-9c5717fe7f9bb26332c9d67571200f8c1e4324bc\">this CentOS guide to do so<\/a>.<\/p>\n<p dir=\"ltr\">To disable password authentication, change the PasswordAuthentication value to no in the \/etc\/ssh\/sshd_config configuration file.<\/p>\n<h2>Minimal password complexity policy<\/h2>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-771\" src=\"https:\/\/www.globo.tech\/learning-center\/wp-content\/uploads\/2014\/02\/PAM-policy-schema.jpg\" alt=\"PAM policy schema\" width=\"549\" height=\"329\" \/><\/p>\n<p>Sometimes passwords are required. In that case, you should protect yourself from brute-force attacks. Most brute-force attacks are dictionary-based and will usually focus on shorter, less complex passwords composed of alphanumeric characters. Unless you prevent your users from changing their passwords, you will have to implement PAM policies. PAM is highly configurable, but its configuration depends on your distribution. If you intend to change your PAM configuration, I\u2019d refer you to your distribution&#8217;s manual <a href=\"http:\/\/www.centos.org\/docs\/5\/html\/Deployment_Guide-en-US\/ch-pam.html\" target=\"_blank\">(here&#8217;s one for CentOS)<\/a>. Ensure you have a way to recover your system in case you mess up the PAM configuration files, as these modifications could leave your system unable to authenticate you.<\/p>\n<h2>Chroot user<\/h2>\n<p>As per Wikipedia, chrooting &#8220;is an operation that changes the apparent root directory for the current running process and its children&#8221;. In doing so, the process confines the user to that part of the file system. If a user account is ever compromised, the attacker won&#8217;t be able to access more than what the user was granted.<\/p>\n<p>Implementing a chroot is very specific to your environment and must be tailored to your needs. 
I strongly advise you against blindly following a how-to; instead, invest in reading several and understanding the basics behind them.<\/p>\n<h2>Closing<\/h2>\n<p>As you can see, security requires a lot of meticulous and detailed work. Turning a blind eye to small details can lead to security holes in your server. As such, knowledge is the best tool to keep your system secure. Know how to use your software and how to secure it correctly. Tighten and tune the bolts bit by bit. After a while you\u2019ll be able to secure a system tightly and the small changes will become part of your daily habits.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Long ago there was Telnet, an insecure, text-based remote shell protocol that let you connect to remote servers. However, because it was clear-text, anyone on the line could sniff packets or mount a man-in-the-middle attack and obtain the data carried between the client and the server. 
The Secure Shell<!-- AddThis Advanced Settings generic via filter on get_the_excerpt --><!-- AddThis Share Buttons generic via filter on get_the_excerpt --><\/p>\n","protected":false},"author":4,"featured_media":778,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[10,11,13,8],"class_list":["post-756","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","tag-dedicated-server","tag-high-availability-hosting","tag-security","tag-web-hosting","operating_system-centos-7"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v26.0 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Securing a linux server: hardening SSH - Globotech Communications Blog<\/title>\n<meta name=\"description\" content=\"If SSH is misused,it can represent a security hole in your server&#039;s defence.Here are some tips you should follow in order to reduce the risks\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.globo.tech\/learning-center\/securing-a-linux-server-hardening-ssh-security\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Securing a linux server: hardening SSH - Globotech Communications Blog\" \/>\n<meta property=\"og:description\" content=\"If SSH is misused,it can represent a security hole in your server&#039;s defence.Here are some tips you should follow in order to reduce the risks\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.globo.tech\/learning-center\/securing-a-linux-server-hardening-ssh-security\/\" \/>\n<meta property=\"og:site_name\" content=\"Globo.Tech\" \/>\n<meta property=\"article:published_time\" content=\"2014-02-04T20:49:54+00:00\" \/>\n<meta 
property=\"article:modified_time\" content=\"2017-04-19T19:57:07+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.globo.tech\/learning-center\/wp-content\/uploads\/2014\/02\/securing-a-linux-server-hardening-ssh.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"500\" \/>\n\t<meta property=\"og:image:height\" content=\"300\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Eric Simard\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Eric Simard\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.globo.tech\/learning-center\/securing-a-linux-server-hardening-ssh-security\/\",\"url\":\"https:\/\/www.globo.tech\/learning-center\/securing-a-linux-server-hardening-ssh-security\/\",\"name\":\"Securing a linux server: hardening SSH - Globotech Communications Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.globo.tech\/learning-center\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.globo.tech\/learning-center\/securing-a-linux-server-hardening-ssh-security\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.globo.tech\/learning-center\/securing-a-linux-server-hardening-ssh-security\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.globo.tech\/learning-center\/wp-content\/uploads\/2014\/02\/securing-a-linux-server-hardening-ssh.jpg\",\"datePublished\":\"2014-02-04T20:49:54+00:00\",\"dateModified\":\"2017-04-19T19:57:07+00:00\",\"author\":{\"@id\":\"https:\/\/www.globo.tech\/learning-center\/#\/schema\/person\/2202ee355cd2897b4751d2f3ffcd56f1\"},\"description\":\"If SSH is misused,it can represent a security hole in your server's defence.Here are some tips you should follow in order to reduce 
the risks\",\"breadcrumb\":{\"@id\":\"https:\/\/www.globo.tech\/learning-center\/securing-a-linux-server-hardening-ssh-security\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.globo.tech\/learning-center\/securing-a-linux-server-hardening-ssh-security\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.globo.tech\/learning-center\/securing-a-linux-server-hardening-ssh-security\/#primaryimage\",\"url\":\"https:\/\/www.globo.tech\/learning-center\/wp-content\/uploads\/2014\/02\/securing-a-linux-server-hardening-ssh.jpg\",\"contentUrl\":\"https:\/\/www.globo.tech\/learning-center\/wp-content\/uploads\/2014\/02\/securing-a-linux-server-hardening-ssh.jpg\",\"width\":500,\"height\":300,\"caption\":\"securing-a-linux-server-hardening-ssh\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.globo.tech\/learning-center\/securing-a-linux-server-hardening-ssh-security\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.globo.tech\/learning-center\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Securing a linux server : hardening SSH &#8211; Intermediate\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.globo.tech\/learning-center\/#website\",\"url\":\"https:\/\/www.globo.tech\/learning-center\/\",\"name\":\"Globo.Tech\",\"description\":\"Welcome to the Official Globo.Tech Learning Center\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.globo.tech\/learning-center\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.globo.tech\/learning-center\/#\/schema\/person\/2202ee355cd2897b4751d2f3ffcd56f1\",\"name\":\"Eric Simard\",\"description\":\"I am Eric Simard, best 
father in the world and account manager at GloboTech Communications located in the beautiful city of Montreal. Passionate about the hosting world and technologies, I take great pleasure in offering the best solutions for my clients. Follow me through my journey in the exciting hosting world on my different blogs!\",\"sameAs\":[\"http:\/\/www.gtcomm.net\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Securing a linux server: hardening SSH - Globotech Communications Blog","description":"If SSH is misused,it can represent a security hole in your server's defence.Here are some tips you should follow in order to reduce the risks","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.globo.tech\/learning-center\/securing-a-linux-server-hardening-ssh-security\/","og_locale":"en_US","og_type":"article","og_title":"Securing a linux server: hardening SSH - Globotech Communications Blog","og_description":"If SSH is misused,it can represent a security hole in your server's defence.Here are some tips you should follow in order to reduce the risks","og_url":"https:\/\/www.globo.tech\/learning-center\/securing-a-linux-server-hardening-ssh-security\/","og_site_name":"Globo.Tech","article_published_time":"2014-02-04T20:49:54+00:00","article_modified_time":"2017-04-19T19:57:07+00:00","og_image":[{"width":500,"height":300,"url":"https:\/\/www.globo.tech\/learning-center\/wp-content\/uploads\/2014\/02\/securing-a-linux-server-hardening-ssh.jpg","type":"image\/jpeg"}],"author":"Eric Simard","twitter_misc":{"Written by":"Eric Simard","Est. 
reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.globo.tech\/learning-center\/securing-a-linux-server-hardening-ssh-security\/","url":"https:\/\/www.globo.tech\/learning-center\/securing-a-linux-server-hardening-ssh-security\/","name":"Securing a linux server: hardening SSH - Globotech Communications Blog","isPartOf":{"@id":"https:\/\/www.globo.tech\/learning-center\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.globo.tech\/learning-center\/securing-a-linux-server-hardening-ssh-security\/#primaryimage"},"image":{"@id":"https:\/\/www.globo.tech\/learning-center\/securing-a-linux-server-hardening-ssh-security\/#primaryimage"},"thumbnailUrl":"https:\/\/www.globo.tech\/learning-center\/wp-content\/uploads\/2014\/02\/securing-a-linux-server-hardening-ssh.jpg","datePublished":"2014-02-04T20:49:54+00:00","dateModified":"2017-04-19T19:57:07+00:00","author":{"@id":"https:\/\/www.globo.tech\/learning-center\/#\/schema\/person\/2202ee355cd2897b4751d2f3ffcd56f1"},"description":"If SSH is misused,it can represent a security hole in your server's defence.Here are some tips you should follow in order to reduce the 
risks","breadcrumb":{"@id":"https:\/\/www.globo.tech\/learning-center\/securing-a-linux-server-hardening-ssh-security\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.globo.tech\/learning-center\/securing-a-linux-server-hardening-ssh-security\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.globo.tech\/learning-center\/securing-a-linux-server-hardening-ssh-security\/#primaryimage","url":"https:\/\/www.globo.tech\/learning-center\/wp-content\/uploads\/2014\/02\/securing-a-linux-server-hardening-ssh.jpg","contentUrl":"https:\/\/www.globo.tech\/learning-center\/wp-content\/uploads\/2014\/02\/securing-a-linux-server-hardening-ssh.jpg","width":500,"height":300,"caption":"securing-a-linux-server-hardening-ssh"},{"@type":"BreadcrumbList","@id":"https:\/\/www.globo.tech\/learning-center\/securing-a-linux-server-hardening-ssh-security\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.globo.tech\/learning-center\/"},{"@type":"ListItem","position":2,"name":"Securing a linux server : hardening SSH &#8211; Intermediate"}]},{"@type":"WebSite","@id":"https:\/\/www.globo.tech\/learning-center\/#website","url":"https:\/\/www.globo.tech\/learning-center\/","name":"Globo.Tech","description":"Welcome to the Official Globo.Tech Learning Center","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.globo.tech\/learning-center\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.globo.tech\/learning-center\/#\/schema\/person\/2202ee355cd2897b4751d2f3ffcd56f1","name":"Eric Simard","description":"I am Eric Simard, best father in the world and account manager at GloboTech Communications located in the beautiful city of Montreal. 
Passionate about the hosting world and technologies, I take great pleasure in offering the best solutions for my clients. Follow me through my journey in the exciting hosting world on my different blogs!","sameAs":["http:\/\/www.gtcomm.net"]}]}},"_links":{"self":[{"href":"https:\/\/www.globo.tech\/learning-center\/wp-json\/wp\/v2\/posts\/756","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.globo.tech\/learning-center\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.globo.tech\/learning-center\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.globo.tech\/learning-center\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.globo.tech\/learning-center\/wp-json\/wp\/v2\/comments?post=756"}],"version-history":[{"count":22,"href":"https:\/\/www.globo.tech\/learning-center\/wp-json\/wp\/v2\/posts\/756\/revisions"}],"predecessor-version":[{"id":2613,"href":"https:\/\/www.globo.tech\/learning-center\/wp-json\/wp\/v2\/posts\/756\/revisions\/2613"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.globo.tech\/learning-center\/wp-json\/wp\/v2\/media\/778"}],"wp:attachment":[{"href":"https:\/\/www.globo.tech\/learning-center\/wp-json\/wp\/v2\/media?parent=756"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.globo.tech\/learning-center\/wp-json\/wp\/v2\/categories?post=756"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.globo.tech\/learning-center\/wp-json\/wp\/v2\/tags?post=756"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}