Secure Shell or SSH is a network protocol that allows data to be exchanged using a secure channel between two networked devices. The two major versions of this protocol are referred to as SSH1 and SSH2. It is used primarily on Linux and Unix based systems to access shell accounts.  It was designed as a replacement for Telnet and other insecure remote shells, which send information, notably passwords, in plaintext, rendering them susceptible to packet analysis.
The encryption used by SSH is intended to provide confidentiality and integrity of data over an unsecured network, such as the Internet.

SSH is typically used to log into a remote machine and execute commands, but it also supports tunneling and forwarding TCP ports, and it can transfer files using the associated SFTP or SCP protocols. SSH uses the client-server model and by default uses the standard TCP port 22.

It is always recommended to change the default ssh port for security and to disable direct root logins. We will see below how these changes can be made. Also note that any change to the ssh configuration file requires a service restart to take effect.

We will go through some basic security updates in this article, i.e. the port update, the protocol update, disabling direct root access and creating a separate ssh user.

The ssh configuration file is located at /etc/ssh/sshd_config. To change the port, open the config file and update the Port setting. It is recommended to select a port higher than 1024, because the lower ports are the ones normally scanned by port scanner applications.

//edit ssh config using vi or your favorite editor
# vi /etc/ssh/sshd_config

//search for Port
Port 22

//update this to your desired port value, e.g. (the line must not start with #, or sshd treats it as a comment)
Port 2629

//For additional security you can update the config to only use ssh2, search for Protocol
Protocol 2,1

//Update this setting to only use ssh2 as below
Protocol 2

Now you can disable direct root access using the steps below.

//search for PermitRootLogin
PermitRootLogin yes

It is set to yes by default; update it to no (lowercase):

PermitRootLogin no

Save the config and exit. Do not restart ssh yet.
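A check that can be run at this point, before the restart, to confirm the three edits are really active in the file (an added example, not part of the original article; the function names and the sample file are made up for illustration). It applies two sshd_config rules: a line starting with # is a comment, and the first occurrence of a keyword wins.

```shell
#!/bin/sh
# Added example: audit the three sshd_config settings changed in this article.
# Assumes keyword and value are separated by whitespace (no "Keyword=value").

# effective_value FILE KEYWORD: print the value sshd would use globally.
effective_value() {
    awk -v key="$2" '
        /^[ \t]*#/ || /^[ \t]*$/    { next }  # comment or blank line: inactive
        tolower($1) == "match"      { exit }  # Match blocks are conditional
        tolower($1) == tolower(key) { print $2; exit }  # first occurrence wins
    ' "$1"
}

# audit_sshd_config FILE: return 0 only if all three checks pass.
# Values are case-sensitive in sshd_config(5), so only lowercase "no" passes.
audit_sshd_config() {
    rc=0
    port=$(effective_value "$1" Port)
    proto=$(effective_value "$1" Protocol)
    root=$(effective_value "$1" PermitRootLogin)

    # Unset values are reported as the defaults this article states.
    if [ "${port:-22}" = 22 ]; then
        echo "FAIL Port is ${port:-unset (default 22)}"; rc=1
    else
        echo "ok   Port $port"
    fi
    if [ "$proto" = 2 ]; then
        echo "ok   Protocol 2"
    else
        echo "FAIL Protocol is ${proto:-unset (article default 2,1)}"; rc=1
    fi
    if [ "$root" = no ]; then
        echo "ok   PermitRootLogin no"
    else
        echo "FAIL PermitRootLogin is ${root:-unset (article default yes)}"; rc=1
    fi
    return $rc
}

# Constructed sample: new values typed in, but the leading "#" was left in place.
sample=$(mktemp)
printf '%s\n' '#Port 2629' '#Protocol 2' '#PermitRootLogin no' > "$sample"
audit_sshd_config "$sample" || echo "=> the edited lines are still comments"
rm -f "$sample"
```

Point `audit_sshd_config` at /etc/ssh/sshd_config; `sshd -t` additionally checks the file for syntax errors. Recent OpenSSH servers only speak protocol 2, so a Protocol FAIL caused by an unset keyword can be ignored there.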

Now we can add the additional ssh user, which will log in to the server directly.

//add the user using the command below, you can use any name you like
# adduser sshadmin

//set the password for the user using the command below:
# passwd sshadmin

To allow the user to switch to the root user using the su command, it needs to be added to the wheel group. This can be done using the steps below:

//use the vigr command
# vigr
//Search for wheel in the group file and add the sshadmin user there; it will look like this after the addition
wheel:x:10:root,sshadmin

The vigr command will automatically open the group file and the group shadow file for editing, one after the other; add sshadmin to the wheel group in both. Save both files after the changes.

Your basic security hardening for ssh is now ready. Restart the ssh service using the command below:

# service sshd restart
//or depending on your server
# /etc/init.d/sshd restart

And you are done.

Now you can ssh to the server as the new user sshadmin with its password, using the new port you have set in the configuration. Once logged in, you can use the command below to switch to the root user:

# su root

It will ask for the root user's password; after providing it you will be logged in as the root user. At both stages you can verify which user/privileges you are logged in with using the command below:

# whoami

Also make sure you open the related TCP port (i.e. the one you have used in the ssh config) in the firewall running on your server, if any.

You can further tweak and harden ssh security with measures like allowing access only from specific IPs, only for specific users, or only through ssh keys. I will not go into those details in this article.

2 Comments on How To : Secure SSH or Secure Shell

  1. abdussamad says:

    That’s great and all but for real security you want to disable password based logins entirely and use public key authentication instead:

    http://abdussamad.com/archives.....ccess.html

  2. thesadmin says:

    Well, it depends on what kind of setup you have. There is nothing that can be defined as real or perfect security; you can tweak your environment according to your needs and make the system more secure by taking a number of steps, of which ssh hardening is just one small part.