Up one level
SSH Security
Spencer Stirling

This is a serious issue. Just because you are running ssh does not mean that your server is secure. In fact, ssh is one of the most commonly-hacked interfaces out there. Don't think that your little server doesn't draw attention. These hacking scripts automatically work through lists of IP addresses (mine is attacked dozens of times per day).

Now everybody knows about script kiddies, so here are some tips for tightening your SSH server (obviously GOOD long passwords are your first line of defense. My passwords are screwy 12 to 16-letter strings of confusion).

Limit SU access
Here is a nice guide that has all sorts of security tightening advice:


For now my concern is allowing only certain users to "su" to become root. Even if you trust your other users, you cannot trust somebody who might hack one of your users' accounts. This is done through the "wheel" group. First (for these commands you must be root) add the wheel group by issuing the command

addgroup wheel
Next edit the "/etc/group" file and add your authorized users in a comma-separated list to the "wheel" group. For example the entry might look like this
Next add the following line to the PAM authentication file "/etc/pam.d/su"
    auth        requisite   pam_wheel.so group=wheel debug
Now only "john" and "fred" will be able to su.

Disallow root ssh'ing
Unfortunately you MUST disallow direct root ssh access into your machine. If you want to become root then you'll have to ssh as your regular user (which is authorized to "su" as above) and then you can su to become root. Yes, this is annoying. Also, you MUST have different passwords for your regular user and root. This just adds more lines of defense in between your root login and those little jerks out there.

In the file "/etc/ssh/sshd_config" you will see a line that reads

#PermitRootLogin yes
Uncomment it and change it like so:
PermitRootLogin no
You can go even further. If you only want to allow certain users to ssh into the machine AT ALL then you can add a line like the following into "/etc/ssh/sshd_config":
AllowUsers fred john steve

Last - but certainly not least - the program "fail2ban" comes to us straight from the gods. I wish that I had more time to describe this (because I use it for much more than monitoring ssh), but for simple off-the-shelf SSH protection just install the Debian package like this:

apt-get install fail2ban
This program monitors your log files in "/var/log" and checks for failed login attempts. After so many failed login attempts (say 3 in the past 10 minutes) a given IP is banned for a certain length of time (default is 10 minutes). Basically fail2ban adds firewall rules into your "iptables" configuration, and then removes them after 10 minutes.

This is EXTREMELY useful because most script kiddie programs will just move on once they are banned from the SSH port 22. I have watched the log files and seen it happen. I have never had a suspicious IP address come back and try again.

Unfortunately you will sometimes be banned from your own server (if you make too many login mistakes), but just wait 10 minutes and you will have access again.

If I have more time later then I will describe how to protect many other ports using fail2ban (like Apache, IMAP, POP, and many others).

This page has been visited   times since May 23, 2006