Thursday 8 August 2013

Securing your SSH server against brute force password attacks

If you run an SSH server open to the whole internet you'll soon notice many attempts to break into your system using random username and password combinations. This 'noise' in the log files is annoying and might mean you miss an important message. If you are unlucky or use a common username and password your system might be compromised by one of these brute force attacks.

One method to drastically reduce the number of cracking attempts is to restrict access to the SSH server by IP address. This can done be done either by editing the SSH config file or by using configuring iptables. However this method requires valid users to have static IP addresses, something which most home users don't have. In many cases public key authentication is a better choice.

Use public key authentication

A better method to stop attackers from using random username and passwords is to switch off password authentication entirely and require public key authentication instead. Attackers will not be able to try random username/password combinations and will not create 'noise' in the log files. Valid users will still be able to connect.

To describe how this can be set up assume we wish to protect a computer with a static IP address called server. We wish to access it from another system called laptop, (which may be using a dynamic IP address). The account on server that we will access is dave. We'll assume that the SSH configuration file is /etc/ssh/sshd_config. Adjust these names to suit your setup.

Firstly, on laptop create a public/private key pair.
ssh-keygen -t dsa

A passphrase is not required although it is a good idea. On server make sure a ~/.ssh directory exists with the correct permissions:
mkdir ~dave/.ssh
chmod go= ~dave/.ssh

Using your favourite editor (emacs of course) paste the contents of the public key into the ~dave/.ssh/authorized_keys file on server. Putty users may find the instructions at http://www.howtoforge.com/ssh_key_based_logins_putty helpful. Check that you can log into server without requiring your password. If you are going to configure server remotely ensure you can log in without needing your password, otherwise you will lock yourself out! If you set a passphrase you will need to type that.

Configure the server

The key requirement for the server configuration is that by default password authentication is turned off. Find the line in /etc/ssh/sshd_config which sets password authentication. Make sure it is set to
PasswordAuthentication no
If necessary remove any leading # character. Whilst editting /etc/ssh/sshd_config its a good idea to disable empty passwords and root logins, ensure the following lines are set
PermitEmptyPasswords no
PermitRootLogin no
If you need empty passwords or root logins from specific hosts this can be overridden later.


Enable password authentication for trusted hosts

Once password authentication is disabled users on a multi-user system will have a problems copying their keys to grant them access! Exceptions can be made for trusted static IP addresses so that users can copy their public key. Assume we trust all IP addresses in the subnet 192.168.1.0/24. Passwords can then be enabled by simply adding the following lines to the end of /etc/ssh/sshd_config
Match Address 192.168.1.0/24
PasswordAuthentication yes

Enable root logins

Suppose a root login using password authentication is required for one host only (192.168.1.123). Add the following lines to /etc/ssh/sshd_config
Match Address 192.168.1.123
PasswordAuthentication yes
PermitRootLogin yes

Summary

These simple steps keep your SSH server accessible from everywhere but greatly reduce the likelihood of a successful brute force attack. The Match keyword requires openssh version 4.4 or later.