Loading
Securing OpenSSH
A tutorial on the holistic approach to securing OpenSSH.
OpenSSH has a number of configuration options that can be employed to reduce risk. Most Linux distributions come with good middle-of-the-road settings. In some cases, these can be adjusted for better security. These include:
Logging: turn up the logging level to INFO or DEBUG. Examine your logs on a regular basis, or better yet, implement one of the many available log analysis tools to notify you of anomalies:
LogLevel INFO
Privilege separation: make sure the UsePrivilegeSeparation option is enabled:
UsePrivilegeSeparation yes
Protocol: limit OpenSSH to accept only protocol version 2:
Protocol 2
Root logins: prevent root logins using passwords. This limits root access only to nonpassword methods like public key authentication. If you never directly log in as root, set this to no. You always can log in as a regular user and su to root or use sudo. Setting this to without-password allows only nonpassword methods, such as public key authentication:
PermitRootLogin without-password
File permissions: make sure StrictModes is enabled to prevent the use of insecure home directory and key file permissions:
StrictModes yes
Reverse name checking: require OpenSSH to check proper reverse hostname lookups. Note that you must have proper name lookups working (that is, DNS or /etc/hosts):
VerifyReverseMapping yes
Prevent port forwarding: these two options prevent OpenSSH from setting up TCP port and X11 forwarding; if you do not need these features, disable them:
AllowTcpForwarding no X11Forwarding no
Disable all host-based authentication: always make sure these are disabled. These methods assume that the network can be trusted and allow .rhosts-style authentication based on hostname or IP. Never use these methods as primary authentication:
IgnoreRhosts yes HostbasedAuthentication no RhostsAuthentication no RhostsRSAAuthentication no
Using the above suggestions, you will be able to tighten access controls and eliminate sloppy trust relationships. As I mentioned earlier, staying current with updates or patches is critical to system security. In order to stay current, you need to be informed of when updates are released, so I suggest a multipronged approach. First, automate apt, yum or up2date to check nightly and report on missing updates. Second, subscribe to your Linux distribution's security mailing lists. Third, subscribe to one of the many security discussion groups, such as SecurityFocus. If you build OpenSSH from sources, join the OpenSSH mailing list to watch for updates.
System security requires a holistic approach. The methodologies provided in this article form the basis for securing OpenSSH, one small component of a modern complex Linux system.
After you believe you have secured your system, use scanning tools like the free Nessus Vulnerability Scanner (see Resources) and peer review from colleagues to check your work.
Resources for this article: /article/9023.
- « first
- ‹ previous
- 1
- 2
- 3
______________________
White Paper
Fabric-Based Computing Enables Optimized Hyperscale Data Centers
Today’s modular x86 servers are compute-centric, designed as a least common denominator to support a wide range of IT workloads. Those generic, virtualized IT workloads have much different resource optimization requirements than hyperscale and cloud applications. They have resulted in a “one size fits all” enterprise IT architecture that is not optimized for a specific set of IT workloads, and especially not emerging hyperscale workloads, such as web applications, big data, and object storage. In this report, you will learn how shifting the focus from traditional compute-centric IT architectures to an innovative disaggregated fabric-based architecture can optimize and scale your data center.
Sponsored by AMD
White Paper
Red Hat White Paper: Using an Open Source Framework to Catch the Bad Guy
Built-in forensics, incident response, and security with Red Hat Enterprise Linux 6
Every security policy provides guidance and requirements for ensuring adequate protection of information and data, as well as high-level technical and administrative security requirements for a system in a given environment. Traditionally, providing security for a system focuses on the confidentiality of the information on it. However, protecting the data integrity and system and data availability is just as important. For example, when processing United States intelligence information, there are three attributes that require protection: confidentiality, integrity, and availability.
Learn more about catching the bad guy in this free white paper.
Sponsored by DLT Solutions
- New Products
- Making Linux and Android Get Along (It's Not as Hard as It Sounds)
- A Topic for Discussion - Open Source Feature-Richness?
- Drupal Is a Framework: Why Everyone Needs to Understand This
- Home, My Backup Data Center
- What's the tweeting protocol?
- Readers' Choice Awards
- New Products
- RSS Feeds
- Linux on Azure—a Strange Place to Find a Penguin
Free Webinar: Linux Backup and Recovery
Most companies incorporate backup procedures for critical data, which can be restored quickly if a loss occurs. However, fewer companies are prepared for catastrophic system failures, in which they lose all data, the entire operating system, applications, settings, patches and more, reducing their system(s) to “bare metal.” After all, before data can be restored to a system, there must be a system to restore it to.
In this one hour webinar, learn how to enhance your existing backup strategies for better disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible bare-metal recovery solution for UNIX and Linux systems.
9 hours 4 min ago
11 hours 36 min ago
12 hours 54 min ago
13 hours 29 min ago
13 hours 51 min ago
18 hours 39 min ago
19 hours 26 min ago
21 hours 36 sec ago
22 hours 37 min ago
1 day 35 min ago