The following steps make use of the SSH daemon configuration file, /etc/ssh/sshd_config.
It is wise to bind SSH to particular interfaces only; otherwise attackers can hammer the SSH port from every avenue on which the host is reachable. To do this, set the ListenAddress value to the IP address(es) SSH should listen on, then restart the daemon (“Ssh: best practices,” 2008). ListenAddress takes the address of a local interface (optionally followed by a port), not a CIDR range, so use one ListenAddress line per address sshd should bind to.
- ListenAddress 192.168.8.0
- /etc/init.d/sshd restart
To disrupt automated attacks that depend on SSH listening on the default port 22, change the port. It is controlled by the Port value (“Ssh: best practices,” 2008).
- Port 1337
Do not allow remote users to log in as root. Root should already be administratively disabled, but this provides an extra layer of security. The PermitRootLogin value enables or disables root logins.
- PermitRootLogin no
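To check that the three sshd_config edits above actually took effect, the following shell script (an added example, not part of the cited guide) reads an sshd_config file the way sshd does, where the first uncommented occurrence of a keyword wins and keywords are case-insensitive, and reports where ListenAddress, Port and PermitRootLogin still have their default values. The two sample configuration files it writes are constructed for demonstration; the address 192.168.8.10 in the hardened sample is a placeholder for a real interface address.

```shell
#!/bin/sh
# Added example, not part of the original guide: audit an sshd_config file for
# the three settings covered above (ListenAddress, Port, PermitRootLogin).
# The sample configs written below are constructed for demonstration.

# Print the effective value of a directive. sshd uses the first uncommented
# occurrence and matches keywords case-insensitively; prints nothing if absent.
sshd_value() {
    awk -v key="$2" '
        $1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Print one FINDING line per deviation from the hardened settings.
audit_sshd_config() {
    f="$1"
    if [ -z "$(sshd_value "$f" ListenAddress)" ]; then
        echo "FINDING: no ListenAddress; sshd binds to every interface"
    fi
    port="$(sshd_value "$f" Port)"
    if [ -z "$port" ] || [ "$port" = "22" ]; then
        echo "FINDING: sshd listens on the default port 22"
    fi
    prl="$(sshd_value "$f" PermitRootLogin)"
    if [ "$prl" != "no" ]; then
        echo "FINDING: PermitRootLogin is '${prl:-unset}'; expected 'no'"
    fi
}

# Constructed sample: a stock file where the directives are present only as
# commented-out defaults, which sshd ignores.
write_default_config() {
    cat > "$1" <<'EOF'
#Port 22
#ListenAddress 0.0.0.0
#PermitRootLogin yes
Protocol 2
EOF
}

# Constructed sample: the same file after the edits described in the text
# (192.168.8.10 is a placeholder interface address; keyword case varies on
# purpose to show that sshd does not care).
write_hardened_config() {
    cat > "$1" <<'EOF'
Port 1337
ListenAddress 192.168.8.10
permitrootlogin no
Protocol 2
EOF
}

# Stand-alone demonstration on the two constructed files.
tmpdir="$(mktemp -d)"
write_default_config "$tmpdir/sshd_config.default"
write_hardened_config "$tmpdir/sshd_config.hardened"
echo "== default =="
audit_sshd_config "$tmpdir/sshd_config.default"
echo "== hardened =="
audit_sshd_config "$tmpdir/sshd_config.hardened"
rm -rf "$tmpdir"
```

Run it against the real file with `audit_sshd_config /etc/ssh/sshd_config` after sourcing the functions; the default sample yields three findings and the hardened sample none.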
Use TCP wrappers to further restrict which networks users may log in to the SSH service from (“Ssh: best practices,” 2008).
In /etc/hosts.deny, add the following line to deny all hosts unless they are explicitly permitted in the next step.
In /etc/hosts.allow, add the following line to permit the SSH daemon to accept connections from the local network.
Lastly, use DenyHosts to lock out hosts that make repeated failed access attempts, defeating dictionary attacks and the denial of service they cause. CentOS does not ship DenyHosts in its default software repository, so a third-party repository (EPEL) must be added.
- rpm -Uvh http://download.fedora.redhat.com/pub/epel/6/i386/epel-release-6-5.noarch.rpm
- yum install denyhosts
- chkconfig denyhosts --level 2345 on
- Set the runlevels for DenyHosts to 2345 rather than 345: sshd runs in all four of these runlevels, so DenyHosts should run in them as well.
DenyHosts reads its configuration from /etc/denyhosts.conf. Edit this file to configure DenyHosts for maximum security. Attributes worth checking are:
- PURGE_DENY = 4w
- Uncommenting this setting lifts a host's ban four weeks after DenyHosts imposed it. Removing the 4w makes bans permanent, which can become an administrative hassle when legitimate traffic has to be unblocked.
- BLOCK_SERVICE = sshd
- The service name DenyHosts writes to /etc/hosts.deny for a host that exceeds a threshold, so the offending host is blocked from sshd only. Setting this to ALL would block the host from every TCP-wrapped service, which is excessively harsh in most environments.
- DENY_THRESHOLD_INVALID = 5
- The number of failed login attempts against user accounts that do not exist before the connecting host is banned. Keep this value low: attempts against nonexistent accounts indicate someone guessing usernames.
- DENY_THRESHOLD_VALID = 10
- The number of failed login attempts against valid user accounts before the connecting host is banned. Reduce this value on systems requiring heightened security.
- DENY_THRESHOLD_ROOT = 1
- This value should remain low. Root logins are already disabled in SSH, so it is safe to assume that anybody attempting to log in as root does not have pure intentions.
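To make the effect of the three DENY_THRESHOLD_* values concrete, the following shell script is an added example that models how they decide bans; it is not DenyHosts' own parser, which uses its own regular expressions and additionally honours PURGE_DENY and hosts.allow exemptions. It tallies "Failed password" lines per source address from constructed /var/log/secure entries, splitting them into nonexistent users, valid users and root, and reports which hosts would be written to hosts.deny at the thresholds passed as arguments. The host name, addresses and log lines are all constructed.

```shell
#!/bin/sh
# Added example, not DenyHosts' own code: a simplified model of how the
# DENY_THRESHOLD_INVALID, DENY_THRESHOLD_VALID and DENY_THRESHOLD_ROOT values
# decide which source addresses are banned. The log below is constructed in the
# style of /var/log/secure on CentOS.

# Constructed sample log: one host guessing usernames, one real user mistyping a
# password three times before succeeding, and one host trying root once.
sample_log() {
    cat <<'EOF'
Mar  1 10:00:01 bastion sshd[2001]: Failed password for invalid user admin from 203.0.113.5 port 50110 ssh2
Mar  1 10:00:02 bastion sshd[2001]: Failed password for invalid user admin from 203.0.113.5 port 50110 ssh2
Mar  1 10:00:04 bastion sshd[2003]: Failed password for invalid user oracle from 203.0.113.5 port 50112 ssh2
Mar  1 10:00:05 bastion sshd[2004]: Failed password for invalid user test from 203.0.113.5 port 50113 ssh2
Mar  1 10:00:07 bastion sshd[2005]: Failed password for invalid user guest from 203.0.113.5 port 50114 ssh2
Mar  1 10:01:10 bastion sshd[2010]: Failed password for bob from 198.51.100.7 port 41000 ssh2
Mar  1 10:01:15 bastion sshd[2010]: Failed password for bob from 198.51.100.7 port 41000 ssh2
Mar  1 10:01:20 bastion sshd[2010]: Failed password for bob from 198.51.100.7 port 41000 ssh2
Mar  1 10:01:25 bastion sshd[2010]: Accepted password for bob from 198.51.100.7 port 41000 ssh2
Mar  1 10:02:00 bastion sshd[2020]: Failed password for root from 192.0.2.9 port 33000 ssh2
EOF
}

# Usage: classify_attempts THRESH_INVALID THRESH_VALID THRESH_ROOT < logfile
# Prints "BAN <ip> <reason>" for every host that reaches a threshold.
classify_attempts() {
    awk -v t_invalid="$1" -v t_valid="$2" -v t_root="$3" '
        # Order matters: the invalid-user and root patterns are more specific
        # than the generic "Failed password for <user>" line.
        /sshd\[[0-9]+\]: Failed password for invalid user / { invalid[ipof($0)]++; next }
        /sshd\[[0-9]+\]: Failed password for root from /    { root[ipof($0)]++;    next }
        /sshd\[[0-9]+\]: Failed password for /              { valid[ipof($0)]++;   next }

        # Source address is the field after the word "from".
        function ipof(line,   n, f, i) {
            n = split(line, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "from") return f[i + 1]
            return ""
        }

        END {
            for (ip in root)    if (root[ip]    >= t_root)    print "BAN " ip " root-attempts=" root[ip]
            for (ip in invalid) if (invalid[ip] >= t_invalid) print "BAN " ip " invalid-user-attempts=" invalid[ip]
            for (ip in valid)   if (valid[ip]   >= t_valid)   print "BAN " ip " valid-user-attempts=" valid[ip]
        }
    '
}

# Stand-alone demonstration with the thresholds recommended in the text.
sample_log | classify_attempts 5 10 1
```

With the recommended values (5, 10, 1) the username-guessing host and the root attempt are banned while the legitimate user who mistyped three times is not; raising DENY_THRESHOLD_INVALID to 6 would let the guessing host through, which is why the text keeps that value low.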