How to secure an SSH server – best practices and features
Secure Shell, most commonly known as SSH, gives users and administrators authenticated, encrypted access to systems over untrusted networks, so that admins can manage and control their servers remotely. The interactive shell is only one use of the protocol: SSH also secures file transfers (SCP, SFTP), tunnels other protocols between devices and networks, and carries automated, non-interactive connections such as deployments, backups and configuration management, among other capabilities.
Some core features of SSH include:
– SSH layers: The protocol is built from three layers: the transport layer, the user authentication layer, and the connection layer. The transport layer negotiates session keys and encrypts, integrity-protects and decrypts everything that is exchanged; it also authenticates the server to the client with the server's host key, which is what protects a session against man-in-the-middle attacks (encryption gives confidentiality, host-key verification gives authenticity). The user authentication layer authenticates the client's identity (password, public key, certificate or keyboard-interactive). The connection layer multiplexes channels (shell sessions, forwarded ports, subsystems such as SFTP) over the authenticated transport.
– SSH encryption: all traffic between the client and the server, credentials included, is encrypted and integrity-checked.
– Tunneling and port forwarding: SSH supports local (-L), remote (-R) and dynamic (-D, a SOCKS proxy) port forwarding.
– X11: with X11 forwarding, graphical programs running on the server display on the client's desktop. sshd disables it by default (X11Forwarding no); leave it off unless it is needed, because a malicious or compromised server can abuse the forwarded display connection.
– SSHD: the server side is the SSH daemon (sshd), which listens for connections (port 22 by default), performs the key exchange and authentication, and then opens the session or channel the client requested.
Despite all of these features, the security of SSH still comes down to the configuration of both the server and the client. As with any other service, a weak or careless configuration leaves gaps that attackers can exploit.
Here are three practices to help secure your SSH Server:
1. Change Default Settings – If SSH is part of day-to-day operations, do not run it with the stock configuration. The server listens on port 22 by default. Moving it to another port is not a security boundary on its own (a full port scan still finds it, and the banner identifies it), but it takes the host out of the constant background noise of scanners and credential-stuffing bots that only try port 22, which cuts down the opportunistic brute-force attempts and the log volume they generate. The second default to change is root login. Logging in directly as root means that one compromised credential yields total control of the system and its resources, and root logins cannot be attributed to an individual person. Set "PermitRootLogin no" in the SSH config file (sshd_config); note that the OpenSSH default is "prohibit-password", which still lets root in with a key. Once root login is disabled, administrators log in with their own accounts and escalate with sudo, which gives you a straightforward audit trail per user. The third default worth changing is password-based authentication. Stolen or guessed passwords are a significant cause of breaches, so switch to public-key authentication, and, where you need central issuance and expiry, to SSH certificates (practice 3 below). Set "PasswordAuthentication no" (and "ChallengeResponseAuthentication no", called "KbdInteractiveAuthentication" in newer OpenSSH) only after confirming in a second session that key-based login works, so that you do not lock yourself out. After every change, validate the file with "sshd -t" and reload the service.
2. Apply a Bastion Host – A bastion (jump) host is a hardened, single-purpose machine that sits at the network edge, typically in the DMZ, and is the only host that exposes SSH to external networks; it provides access to the private network behind it. It is built on the assumption that it will be attacked: minimal installed software, no user data, strict logging, and an sshd configuration that only relays connections. Classic examples of bastion hosts are proxy servers, honeypots, FTP servers and DNS servers. For SSH the pattern is that administrators connect to the bastion first and hop from it to internal hosts (the ssh client does this transparently with ProxyJump), while the internal hosts accept SSH only from the bastion's address. This takes every internal sshd off the external attack surface and gives you a single choke point on which to monitor sessions and enforce multi-factor authentication.
3. Certificate Authentication – SSH certificates build on public-key authentication. Instead of every server holding a copy of each user's public key in authorized_keys, the server trusts a certificate authority (CA) key, and each user presents a key that the CA has signed. The certificate carries a key ID (logged by sshd at login), the principals (account names) it is valid for, a validity window, and optional restrictions such as the source address it may be used from. Because validity can be hours rather than years and the server needs no per-user state, certificates eliminate orphaned keys and give you revocation by expiry, which is more secure than passwords or long-lived static keys. The same mechanism signs host keys, so clients can verify the server against the CA instead of relying on trust-on-first-use prompts. Both sides have to be configured: the server with TrustedUserCAKeys (and usually AuthorizedPrincipalsFile), the client with the signed certificate stored next to its private key.
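The defaults that practice 1 tells you to change can be checked mechanically. The script below is an added example, not code from the original post or from Fudo Security: it writes two constructed sshd_config samples (a default-like one and the hardened version) to a temp directory, then audits them with a small awk reader that follows sshd's own rules for the global section (first occurrence of a keyword wins, keywords are case-insensitive, "Key value" and "Key=value" are both accepted, and everything after the first Match block is conditional). The OpenSSH defaults it assumes are Port 22, PermitRootLogin prohibit-password, PasswordAuthentication yes and X11Forwarding no; the port 2222 in the hardened sample is an arbitrary choice.

```shell
#!/bin/sh
# Added example (not from the original post): audit the defaults of practice 1.
# Uses only sh and awk. Point audit_sshd_config at /etc/ssh/sshd_config on a
# real host; the two files below are constructed samples.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Weak: what a stock install looks like (a commented-out keyword = the default).
cat > "$WORK/sshd_config.weak" <<'EOF'
# constructed sample of a default-like sshd_config
#Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
EOF

# Hardened: the same file after applying practice 1.
cat > "$WORK/sshd_config.hardened" <<'EOF'
# constructed sample of a hardened sshd_config
Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
X11Forwarding no
EOF

# sshd_get FILE KEYWORD DEFAULT: effective value of KEYWORD in the global
# section. sshd semantics: keywords are case-insensitive, the FIRST occurrence
# wins, "#" starts a comment, "Key value" and "Key=value" are both accepted,
# and lines after the first Match block are conditional, so we stop there.
sshd_get() {
  file=$1 key=$2 default=$3
  val=$(awk -v k="$(printf '%s' "$key" | tr 'A-Z' 'a-z')" '
    { sub(/^[[:space:]]+/, "") }
    /^#/ || /^$/ { next }
    {
      split($0, f, /[[:space:]=]+/)
      if (tolower(f[1]) == "match") exit
      if (tolower(f[1]) == k) { print f[2]; exit }
    }' "$file")
  printf '%s\n' "${val:-$default}"
}

# audit_sshd_config FILE: print one WARN line per weak default still in effect
# and return the number of findings (0 means clean; usable as a CI gate).
audit_sshd_config() {
  file=$1 n=0
  [ "$(sshd_get "$file" Port 22)" != 22 ] ||
    { echo "WARN: sshd listens on the default port 22"; n=$((n+1)); }
  [ "$(sshd_get "$file" PermitRootLogin prohibit-password)" = no ] ||
    { echo "WARN: PermitRootLogin is not 'no' (root may still log in with a key)"; n=$((n+1)); }
  [ "$(sshd_get "$file" PasswordAuthentication yes)" = no ] ||
    { echo "WARN: PasswordAuthentication is not 'no'"; n=$((n+1)); }
  [ "$(sshd_get "$file" X11Forwarding no)" = no ] ||
    { echo "WARN: X11Forwarding is enabled"; n=$((n+1)); }
  return "$n"
}

echo "== weak =="
audit_sshd_config "$WORK/sshd_config.weak" || echo "$? finding(s)"
echo "== hardened =="
audit_sshd_config "$WORK/sshd_config.hardened" && echo "clean"
```

On a live host, prefer the daemon's own view of the merged configuration, which also resolves Include files and Match blocks: "sshd -T | grep -iE '^(port|permitrootlogin|passwordauthentication|x11forwarding) '" prints the effective values in the same lowercase "keyword value" form this script understands.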
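Practice 2 is mostly three pieces of configuration. The script below is an added example, not configuration from the original post: it writes the client-side ProxyJump stanzas, the bastion's sshd Match block that turns it into a relay-only host, and the internal hosts' restriction to connections arriving from the bastion, then asks the ssh client (ssh -G, which evaluates Host blocks without connecting) which jump host it would use. All names and addresses are assumptions: bastion.example.com is the public bastion with internal address 10.0.1.1, the internal hosts are 10.0.1.10 and 10.0.1.11, and bastion users belong to a Unix group "jumpers". Files are written to a temp directory here; on real machines they belong in ~/.ssh/config, the bastion's sshd_config and each internal host's sshd_config.

```shell
#!/bin/sh
# Added example (not from the original post): the configuration behind an SSH
# bastion. Names/addresses (bastion.example.com, 10.0.1.1, 10.0.1.10/11,
# group "jumpers") are assumptions; adapt them to your network.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. Client: ~/.ssh/config. Every 10.0.1.* host is reached through the bastion
# with ProxyJump. The bastion only relays a TCP channel; the inner SSH session
# is encrypted and authenticated end-to-end against the internal host's own
# key, so a compromised bastion cannot read or alter it.
write_client_config() {   # $1 = output path
  cat > "$1" <<'EOF'
Host bastion
    HostName bastion.example.com
    User jump
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes
    ForwardAgent no

Host 10.0.1.*
    ProxyJump bastion
    User ops
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes
EOF
}

# 2. Bastion: sshd_config Match block for the jump group. Members may open a
# forwarded connection to the listed internal hosts on port 22 and nothing
# else: no PTY, no shell (ForceCommand only runs for a session request, which
# a ProxyJump relay never makes), no agent, X11 or tunnel forwarding.
write_bastion_match_block() {   # $1 = output path
  cat > "$1" <<'EOF'
Match Group jumpers
    AllowTcpForwarding yes
    PermitOpen 10.0.1.10:22 10.0.1.11:22
    PermitTTY no
    ForceCommand /usr/sbin/nologin
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
EOF
}

# 3. Internal hosts: accept SSH logins only when the connection arrives from
# the bastion's internal address. Pair it with a firewall rule on port 22 so
# that even a pre-authentication sshd bug is reachable only from the bastion.
write_internal_sshd_restriction() {   # $1 = output path
  cat > "$1" <<'EOF'
AllowUsers *@10.0.1.1
EOF
}

# resolved_jump CONFIG HOST: which ProxyJump the ssh client would use for HOST.
# ssh -G evaluates the Host blocks and prints the result without connecting
# (assumed output form: "proxyjump bastion").
resolved_jump() {
  ssh -G -F "$1" "$2" 2>/dev/null | awk '$1 == "proxyjump" { print $2 }'
}

write_client_config "$WORK/ssh_config"
write_bastion_match_block "$WORK/bastion_match.conf"
write_internal_sshd_restriction "$WORK/internal_sshd.conf"
if command -v ssh >/dev/null 2>&1; then
  echo "10.0.1.10 is reached via: $(resolved_jump "$WORK/ssh_config" 10.0.1.10)"
fi
```

With this in place "ssh 10.0.1.10" from an administrator's laptop goes through the bastion without any extra flags, and "ssh bastion" on its own yields nothing usable, which is what you want from a relay. The AllowUsers form restricts by source address at the sshd level; it is a second layer behind the firewall rule, not a replacement for it.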
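To make practice 3 concrete, the script below is an added example, not code from the original post: it creates a user CA with ssh-keygen, signs a user's key into a certificate that is valid for eight hours, for two principals, and only from one source range, decodes the result with "ssh-keygen -L", and prints the sshd fragment that makes a server trust the CA. Everything is written to a temp directory; the names (user_ca, alice, principals "alice" and "deploy", the 10.0.0.0/8 source range, the validity period) are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example (not from the original post): short-lived SSH user certificates.
# Requires ssh-keygen. All names and the validity window are assumptions.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca DIR: create the CA key pair. In production the private half stays
# offline or in an HSM/KMS; only user_ca.pub is copied to the servers.
make_ca() {
  ssh-keygen -q -t ed25519 -N '' -C 'ssh-user-ca' -f "$1/user_ca"
}

# issue_user_cert CA_KEY PUBKEY KEY_ID PRINCIPALS VALIDITY: sign a user's
# public key. KEY_ID is what sshd logs at login (tie it to a person),
# PRINCIPALS are the account names the holder may log in as, VALIDITY bounds
# the lifetime (e.g. "+8h"), and the critical option pins the client source
# range. "-O clear" drops the default extensions so only permit-pty remains.
# The output file is PUBKEY with ".pub" replaced by "-cert.pub".
issue_user_cert() {
  ssh-keygen -q -s "$1" -I "$3" -n "$4" -V "$5" \
    -O clear -O permit-pty -O source-address=10.0.0.0/8 "$2"
}

# cert_principals CERT: the principals a certificate carries, comma-joined,
# parsed from "ssh-keygen -L" (the authoritative decoder of the format).
cert_principals() {
  ssh-keygen -L -f "$1" | awk '
    /Principals:/       { p = 1; next }
    /Critical Options:/ { p = 0 }
    p                   { s = s (s == "" ? "" : ",") $1 }
    END                 { print s }'
}

# cert_key_id CERT: the Key ID string embedded in the certificate.
cert_key_id() {
  ssh-keygen -L -f "$1" | awk -F'"' '/Key ID:/ { print $2; exit }'
}

# Server side (printed, not installed): trust the CA and map certificate
# principals to local accounts. With AuthorizedPrincipalsFile, a login as
# user %u succeeds when the cert lists a principal named in that user's file;
# without it, the cert must list the login name itself as a principal.
sshd_ca_snippet() {
  cat <<'EOF'
TrustedUserCAKeys /etc/ssh/user_ca.pub
AuthorizedPrincipalsFile /etc/ssh/auth_principals/%u
PasswordAuthentication no
EOF
}

if command -v ssh-keygen >/dev/null 2>&1; then
  make_ca "$WORK"
  ssh-keygen -q -t ed25519 -N '' -f "$WORK/id_alice"      # the user's own key
  issue_user_cert "$WORK/user_ca" "$WORK/id_alice.pub" alice@laptop alice,deploy +8h
  echo "key id:     $(cert_key_id "$WORK/id_alice-cert.pub")"
  echo "principals: $(cert_principals "$WORK/id_alice-cert.pub")"
  ssh-keygen -L -f "$WORK/id_alice-cert.pub" | grep -E 'Valid:|source-address'
  echo "== sshd_config fragment =="
  sshd_ca_snippet
fi
```

The client needs no configuration beyond keeping id_alice-cert.pub next to id_alice; ssh offers the certificate automatically. Host certificates use the same tool with "-h" ("ssh-keygen -s host_ca -I server -h -n server.example.com -V +52w ssh_host_ed25519_key.pub"), the server advertises them with HostCertificate in sshd_config, and clients trust the host CA through an "@cert-authority" line in known_hosts. Expiry is the primary revocation mechanism; for keys that must die before they expire, sshd also supports a RevokedKeys list.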
Infrastructure, workloads and compliance requirements differ between organizations, so not every practice will apply everywhere. We still encourage all organizations to follow security best practices and to eliminate weak configuration when securing their infrastructure. At Fudo Security, we promote these practices together with stronger authentication methods, such as two-factor OATH authentication via Google Authenticator or Duo Security, or SSH public-key authentication, scaled to your infrastructure requirements.
Author: Damian Borkowski – Technical Marketing Specialist