These days ssh login can be considered the de facto method for connecting to remote servers. It is reliable and secure but if it is configured improperly, it can be more of a liability than an asset. In this recipe will change a couple of parameters to secure ssh and we will set up passwordless connections using public keys.
All the steps from this recipe will be performed on nodeorcl1 as the root user. The remote logins will be performed from nodeorcl5.
All parameters that will be modified are located in the /etc/sshd_config configuration file.
Change the default port 22. Most port scanners will identify automatically port 22 with the
sshservice. Therefore it will be a good idea to change the defaultsshport:Port 13120Disable root logins:
PermitRootLogin nosshwill check for proper permissions in the user's home. Use strict mode:StrictModes yesSuppress all host-based authentications. Usually these methods should be avoided as primary authentication:
HostbasedAuthentication noThis parameter is very effective against DoS type attacks. Limit the maximum number of unauthenticated connections and connection attempts:
MaxStartups 10:50:10Allow just users that belong to a defined group to log in:
AllowGroups logingrpTo make the changes effective, restart the
sshdservice:[root@nodeorcl1 ~]# service sshd restart Stopping sshd: [ OK ] Starting sshd: [ OK ]
After restart, the
sshddaemon will listen on port 13120:[root@nodeorcl1 ~]# lsof -i -n | grep sshd sshd 14089 root 3u IPv6 55380 TCP *:13120 (LISTEN) [root@nodeorcl1 ~]#
Try to connect from
nodeorcl5tonodeorcl1as root. Direct root log ins will be denied:[loguser1@nodeorcl5 ~]$ ssh -l root -p 13120 nodeorcl1 root@nodeorcl1's password: Permission denied, please try again. Permission denied (publickey,gssapi-with-mic).
After any change of configuration parameters, a daemon restart is needed. You can perform the restart in different ways, such as restarting the service or by sending a HUP (kill -1) signal to the sshd daemon process.
Using key authentication instead of using passwords is probably one of the securest methods of authentication. This will suppress definitively any brute force attempt using passwords.
Open the
/etc/ssh/sshd_configfile and disable password authentication by modifying the following parameter:PasswordAuthentication noEnable key authentication:
RSAAuthentication yes PubkeyAuthentication yes
On the client machine
nodeorcl5as the userloginuser1, create a passphase protected public/private key:[loginuser1@nodeorcl5 ~]$ ssh-keygen Generating public/private rsa key pair. Enter file in which to save the key (/home/loginuser1/.ssh/id_rsa): Created directory '/home/loginuser1/.ssh'. Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/loginuser1/.ssh/id_rsa. Your public key has been saved in /home/loginuser1/.ssh/id_rsa.pub. The key fingerprint is: 1b:a2:9f:d5:e8:77:08:1c:b5:6a:6a:29:3e:53:46:a5 loginuser1@nodeorcl5 The key's randomart image is: +--[ RSA 2048]----+ | | | . . | | o . . | | E . . | | ...So | | .o.== | | .o ++... | | +.++ o . | | ..=o .. . | +-----------------+
Now deploy the key on
nodeorcl1as follows:[loginuser1@nodeorcl5 ~]$ ssh-copy-id '–p 13120 -i .ssh/id_rsa.pub loguser1@nodeorcl1' The authenticity of host 'nodeorcl1 (10.241.132.218)' can't be established. RSA key fingerprint is 34:39:af:94:9a:2e:4b:f8:37:9c:af:27:67:1c:74:2b. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added 'nodeorcl1,10.241.132.218' (RSA) to the list of known hosts. loguser1@nodeorcl1's password: Now try logging into the machine, with "ssh 'loguser1@nodeorcl1'", and check in: .ssh/authorized_keys To make sure we haven't added extra keys that you weren't expecting.
Log in to
nodeorcl1; you must type the passphrase entered during key creation:loguser1@nodeorcl2:~> ssh loguser1@nodeorcl1 Enter passphrase for key '/home/loguser1/.ssh/id_rsa': [loguser1@nodeorcl1 ~]$
Restart the
sshdservice as follows:[root@nodeorcl1 ~]# service sshd restart Stopping sshd: [ OK ] Starting sshd: [ OK ]