Friday, January 29, 2016

Secure SSH configuration

Many people use the default configs, keys, moduli, etc. shipped by their hoster or distribution, which is not a good idea. So I wrote this guide to secure your SSH service. It is not about PHP performance, but it helps you improve the security of your servers.

What we do:

  • block all ports for incoming traffic
  • use knockd to open the SSH port only when it's needed
  • create secure keys and moduli
  • restrict key exchange protocols
  • restrict ciphers used to encrypt the data
  • restrict message authentication codes used to ensure integrity
  • restrict openssh to those features you really need
  • use key files for client authentication

1. Block the SSH port using ufw

# block ALL ports for incoming traffic (deny incoming is ufw's default policy; set it explicitly anyway)
ufw default deny incoming
ufw enable
# rate-limit SSH: ufw denies an IP that opens more than 6 connections within 30 seconds
# note: "limit" still allows port 22 for everyone (rate-limited); if knockd alone should open it, omit this rule
ufw limit 22/tcp

More information about ufw and connection rate limiting can be found here.

2. Install knockd

apt-get install knockd
# vi /etc/knockd.conf
# open port 22 for the knocking IP when the opening sequence is received,
# and run stop_command cmd_timeout seconds (here 10) later to close it again

[options]
    UseSyslog

[openCloseSSH]
    sequence      = 5449:tcp,4158:tcp,5812:tcp,6947:udp
    seq_timeout   = 5
    tcpflags      = syn
    start_command = ufw allow from %IP% to any port 22
    cmd_timeout   = 10
    stop_command  = ufw delete allow from %IP% to any port 22

# Note: choose your own random port numbers for the opening sequence; the ones above are only an example
# Note: seq_timeout is the window in which all four knocks must arrive; cmd_timeout is the time the
#       allow rule stays in place. Deleting the rule does not cut an SSH session established within
#       those 10 seconds, because ufw accepts ESTABLISHED connections before its own rules.
# vi /etc/default/knockd
# enable knockd daemon

START_KNOCKD=1
# start knockd daemon
/etc/init.d/knockd start

More information about knockd can be found here.

3. Secure your SSH config

This step takes a few more actions; I recommend following this guide:
https://stribika.github.io/2015/01/04/secure-secure-shell.html

Depending on your personal needs, you might also disable the 128/192-bit ciphers "aes192-ctr" and "aes128-ctr" and the MACs "umac-128-etm@openssh.com" and "umac-128@openssh.com". Whether to use Tor hidden services is also up to you.

I also recommend these settings in sshd_config:

# vi /etc/ssh/sshd_config

# disconnect clients that have not authenticated within 20 seconds
LoginGraceTime 20
# Note: every public key the client offers counts as one try, so with several keys
# in your agent pin the right one on the client side (IdentityFile plus IdentitiesOnly yes)
MaxAuthTries 1
AllowTcpForwarding no
X11Forwarding no

# disable sftp by commenting out the subsystem line
# Subsystem sftp /usr/lib/openssh/sftp-server

More information about sshd_config can be found here.

4. Verify your configs

# check the syntax of sshd_config (prints nothing when it is valid)
sshd -t
# dump the effective configuration, including the cipher/KEX/MAC lists actually in use
sshd -T
# show the firewall rules ufw installed
iptables -L
# show fingerprint and bit length of the host keys
ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key
ssh-keygen -l -f /etc/ssh/ssh_host_ed25519_key
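Reading through `sshd -T` output by eye is error-prone, so here is an added example (my own script, not part of the original post) that parses that output and flags every KEX algorithm, cipher or MAC outside an allow-list, plus any deviation from the sshd_config settings above. The allow-lists are assumed to be the ones from the guide linked in step 3, and the file name `audit_sshd.py` is hypothetical.

```python
"""Audit the effective sshd config printed by `sshd -T` against this post's hardening.
Assumption: the algorithm allow-lists are the ones from the guide linked in step 3."""
import subprocess, sys
ALLOWED = {
    "kexalgorithms": {"curve25519-sha256@libssh.org", "diffie-hellman-group-exchange-sha256"},
    "ciphers": {"chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com", "aes128-gcm@openssh.com",
                "aes256-ctr", "aes192-ctr", "aes128-ctr"},
    "macs": {"hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com", "umac-128-etm@openssh.com",
             "hmac-sha2-512", "hmac-sha2-256", "umac-128@openssh.com"},
}
EXPECTED = {"logingracetime": "20", "maxauthtries": "1",  # scalar settings from step 3
            "allowtcpforwarding": "no", "x11forwarding": "no"}

def parse_sshd_t(text):
    """Parse `sshd -T` output (one lowercase 'keyword value' per line) into {keyword: [values]}."""
    conf = {}
    for line in text.splitlines():
        key, _, value = line.strip().partition(" ")
        if key:
            conf.setdefault(key.lower(), []).append(value.strip())
    return conf

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    conf, findings = parse_sshd_t(text), []
    for key, allowed in ALLOWED.items():  # anything offered beyond the allow-list is a finding
        offered = set(",".join(conf.get(key, [])).split(",")) - {""}
        findings += [f"{key}: '{a}' is not in the allow-list" for a in sorted(offered - allowed)]
    for key, want in EXPECTED.items():
        got = conf.get(key, ["<unset>"])[0]
        if got != want:
            findings.append(f"{key}: expected {want}, got {got}")
    if any(v.startswith("sftp ") for v in conf.get("subsystem", [])):
        findings.append("subsystem: sftp is still enabled")
    return findings

# Constructed sample of `sshd -T` output with three deliberate deviations.
SAMPLE = """kexalgorithms curve25519-sha256@libssh.org,diffie-hellman-group14-sha1
ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
macs hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
logingracetime 20
maxauthtries 6
allowtcpforwarding no
x11forwarding no
subsystem sftp /usr/lib/openssh/sftp-server
"""
if __name__ == "__main__":  # `sudo python3 audit_sshd.py live` audits the running daemon
    text = subprocess.run(["sshd", "-T"], capture_output=True, text=True, check=True).stdout if "live" in sys.argv[1:] else SAMPLE
    print("\n".join(audit(text) or ["OK: all checks passed"]))
```

Run without arguments it audits the constructed sample and reports the three deviations; with `live` it audits the daemon on the server you are hardening.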

5. Restart SSH service

/etc/init.d/ssh restart

6. Test SSH connection

# use the random ports you chose in knockd.conf; all four knocks must arrive within seq_timeout (5 s)

knock <your-server-ip> 5449:tcp
knock <your-server-ip> 4158:tcp
knock <your-server-ip> 5812:tcp
knock <your-server-ip> 6947:udp

ssh -p 22 <your-user>@<your-server-ip>

# check /var/log/syslog to verify knockd functionality (with UseSyslog it logs each stage and the commands it runs)


Notes:

  • To change the SSH port from 22 to another port, simply replace "22" throughout this guide and in your /etc/ssh/sshd_config
  • This guide is written for Ubuntu 15.10
