Beefing Up Security on Your SSH Server

Posted January 20, 2013 in sysadmin security

Lately I’ve been thinking about setting up a blog to talk about tech things I find interesting, particularly web security, since that’s how I spend a lot of my work and free time. Since I had an under-used VPS sitting around, I figured I ought to set up WordPress on it and start blogging. What better topic to blog about than how I’m securely setting up this website?

I’m going to start by talking about how to harden SSH. In later posts I’ll talk about how I set up Apache, install an SSL certificate and configure it for maximum security, and some WordPress security tricks. I’m using Debian, but it shouldn’t be hard to adapt this to any Linux distro. I’m assuming you have root access to your server.

Let’s start by making sure you can SSH into your server using public key authentication instead a password. Public key auth is much more secure for a number of reasons. Your crypto key is much larger than a password, making guessing it (just about) impossible. If you disable SSHing with passwords, the attacker is forced to attack your actual computer that has your key, as well as break the password protecting that key.

If HBGary Federal had disabled password auth and only allowed public key auth, maybe they wouldn’t have gotten owned so hard.

I’m assuming you’re using an operating system with bash, ssh, and a reasonable terminal program already installed (like Linux distros or OS X). The internet is full of advice on how to generate an SSH keypair in Windows, but I’m not the one to ask. The rest of this blog post should still be useful to you though.

If you already have an SSH key on your computer, you can skip this part. If you don’t, you need to create one. Open a terminal and type:

ssh-keygen

It will ask you where to save the key, defaulting to ~/.ssh/id_rsa. Press enter to leave the default. Then it will ask for a passphrase. I strongly suggest you use one. When this is done, two files should have been created, ~/.ssh/id_rsa (keep it secret, keep it safe) and ~/.ssh/id_rsa.pub (your SSH public key).

Here’s how SSH public key authentication works. You put your public key on your server, and you keep your secret key on your laptop. When you try SSHing as a specific user to your server, the SSH server will look in that user’s ~/.ssh/authorized_keys file to see if your public key is there. If your laptop has the associated secret key, it lets you in.

So let’s put your public key on the server. On your laptop, open a terminal and take a look at your public key.

cat ~/.ssh/id_rsa.pub

Here’s what mine looks like:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDG4uNgF9LczaoWvKPILitruwq0Enut3+UtGPb/mKgL837HLN/zBqxN6dzFvzP9msdx36ut76jLHtRvoIpp3UKzke3358kLgmleAMnmh9YkhLcV9FmSUC7B+t3Vij8Ce6OUOWC+Ot6+Eyp9s7hiuN6ZJI7LLg5bvgArTonTuMYRvXvnbzFm6ldJRUGPQWKMajNi7JWafyzPg2LnIqPYMBlWgEJUMPE9j/7MPtrBw4Yik5P8MxrmwH7CizdC9rsGLUfmiQUGAYr8Lhiws4I3B5ijeKyAPmQm4QQSMfW1mmgQF1P8xTXN7EiMa8OHV6Jgk6hKwlyjx7Y7p/jTwK5dEAuX micah@spock

Take that entire string and copy it. SSH into your server and create a ~/.ssh folder, if it’s not already there.

mkdir ~/.ssh

Create an authorized_keys file. My text editor of choice is vim, but feel free to use nano or emacs or whatever.

vim ~/.ssh/authorized_keys

Now paste the entire public key into this file. If you want to allow multiple keys to SSH in as this user, just have a different public key per line of this file.

SSH forces you to do things securely, and fails to work if you’ve set permissions incorrectly. Let’s make sure no one but you has access to look at your SSH settings by changing permissions. On your server type:

chmod 700 ~/.ssh
chmod 600 ~/.ssh/*

Now test to see if it works. Type exit and you should be back on your local computer. SSH back in. If everything worked, you should have a box pop up asking for your SSH key passphrase. Type it in, and you should be back at your server. Chances are your computer has ssh-agent running which caches your passphrase so you don’t have to type it in if you’ve recently unlocked your key. If public key auth isn’t working for you, try SSHing with the -v flag to troubleshoot.

If so far so good, let’s configure your SSH daemon. SSH into your Linux box and switch to root, either by running su and typing the root password, or running sudo -s and typing your user password. Edit your SSH daemon config file:

vim /etc/ssh/sshd_config

You can generally leave your distro’s defaults, but just make sure that these settings are set like so:

PermitRootLogin no
PubkeyAuthentication yes
PermitEmptyPasswords no
PasswordAuthentication no

Now restart your SSH server:

service ssh restart

Your SSH server is now hardened. Oh, and don’t lose that SSH key, or the passphrase that protects it :).