Securing SSHD - Part II

This course is part of the Linux Security and Hardening learning path.
Overview

Difficulty: Intermediate
Duration: 1h 7m
Description

In this course, you'll learn some techniques and strategies to secure network services. You'll also learn how the local firewall works in Linux and how to configure it. We'll talk about information leakage and ways to prevent it. Next, you'll learn how to test for open ports and perform port scans. You'll also learn about xinetd, what it does, and how to secure it. We'll also cover how to secure SSH. This course includes some guided demonstrations so that you can see the concepts being used in real-world environments.

Learning Objectives

  • Learn how to secure SSH
  • Understand the fundamentals of Linux firewall security, including configuring a firewall from the command line and setting up firewall rules
  • Learn how to use TCP wrappers to secure your Linux system

Intended Audience

This course is intended for anyone who wants to understand how to secure their Linux systems.

Prerequisites

To get the most out of this course, you should already have a good working knowledge of Linux. If you want to brush up on your Linux skills, consider taking our Learn Linux in 5 Days learning path first.

Transcript

Whenever possible, use version 2 of the SSH protocol. It contains several improvements over SSHv1, including a different set of stronger algorithms for encryption and authentication. Set the Protocol directive in the sshd_config file to 2 (Protocol 2) to force version 2 of the SSH protocol.

By default, sshd listens on all addresses on the system. If you want to control which IP address sshd binds to, use the ListenAddress directive and specify the IP to listen on. If you want to listen on multiple IP addresses, use multiple ListenAddress lines. You can use this in situations where a system is connected to both a public and a private network: this way you can force sshd to listen only on the private network and reduce your attack surface.

By default, sshd runs on port 22. If you want to change the default port, supply the new port number to the Port directive in the sshd_config file. Changing the port that sshd listens on can reduce the number of unwanted connections. However, if an attacker is specifically targeting your system, it is a rather simple task for them to do a complete port scan of your system and find the port that sshd is now running on. If you do change the SSH port and you're using SELinux, you need to update the SELinux policy to include the new port. Run semanage port -a -t ssh_port_t -p tcp followed by the new port number. To check that the port was added, run semanage port -l and grep for ssh.

Avoid unnecessary information leakage. You can use the Banner directive to display the contents of a file to a remote user before they are allowed to authenticate. Historically, that file has been /etc/issue.net. If you're using such a banner, try not to disclose any more information than you have to. I've seen some people put the distribution name and version, the kernel version and other random information that can be used by an attacker. If you have to use a banner per company policy, follow the policy, but keep in mind that anyone who attempts the connection will see that information. To disable the banner, set Banner to none.

It's important to note that any changes you make to the sshd_config file will not take effect until the sshd process rereads the configuration. On a system that is using systemd, you would run systemctl reload sshd to force the configuration to be reloaded.

In this video, you learned some ways to secure your SSH connection. This was by no means an exhaustive treatment, and you may have special considerations for your specific environment. Be sure to refer to the ssh, sshd and sshd_config man pages for more information.
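The following script is an added example and is not code from the course or its author. It audits an sshd_config for the four directives covered in this lesson (Protocol, ListenAddress, Port, Banner), reporting the weak settings beside a hardened counterpart, and wraps the reload in a syntax check plus the SELinux port step. The sample config files, the banner file, the leakage heuristic and all function names are constructed for this example. One caveat the lesson predates: OpenSSH removed SSHv1 server support in its 7.x releases, so on a current system the Protocol directive is accepted only as a deprecated no-op; the audit still flags a value that names version 1 because it usually means a config copied from an old host.

```shell
#!/bin/sh
# Added example, not code from the course or its author: audit an sshd_config
# for the directives discussed (Protocol, ListenAddress, Port, Banner) and
# show a checked reload. The sample configs, the banner file, the leakage
# heuristic and the function names are constructed for this example (assumption).

# sshd applies the FIRST uncommented occurrence of most keywords (keywords are
# case-insensitive), and keywords after a Match line are conditional, so the
# global value is the first hit before any Match block.
sshd_effective() {
    awk -v key="$2" '
        /^[ \t]*#/ || /^[ \t]*$/      { next }
        tolower($1) == "match"        { exit }
        tolower($1) == tolower(key)   { print $2; exit }
    ' "$1"
}

# ListenAddress is the exception: every uncommented line applies.
sshd_listen_addresses() {
    awk '/^[ \t]*#/ || /^[ \t]*$/     { next }
         tolower($1) == "match"       { exit }
         tolower($1) == "listenaddress" { print $2 }' "$1"
}

# Print one line per finding; the exit status is the number of WARN findings.
sshd_audit() {
    cfg=$1
    warns=0
    proto=$(sshd_effective "$cfg" Protocol)
    case "$proto" in
        *1*) echo "WARN: Protocol '$proto' still names SSHv1"; warns=$((warns + 1)) ;;
    esac
    if [ -z "$(sshd_listen_addresses "$cfg")" ]; then
        echo "WARN: no ListenAddress, sshd binds every interface"; warns=$((warns + 1))
    fi
    port=$(sshd_effective "$cfg" Port)
    [ -n "$port" ] || port=22
    [ "$port" = 22 ] && echo "INFO: listening on the default port 22"
    banner=$(sshd_effective "$cfg" Banner)
    [ -n "$banner" ] || banner=none
    if [ "$banner" != none ]; then
        echo "INFO: Banner $banner is sent to every client before authentication"
        # Crude leakage heuristic (assumption): OS or kernel strings in the banner file.
        if [ -r "$banner" ] && grep -Eqi 'linux|kernel|ubuntu|debian|centos|red hat|release' "$banner"; then
            echo "WARN: banner file $banner appears to disclose OS or kernel details"
            warns=$((warns + 1))
        fi
    fi
    return "$warns"
}

# Checked apply for a real host (not run by the demo below): validate the file
# with sshd -t, register a non-default port with SELinux where semanage exists,
# and only then reload. Debian-family units are named ssh, RHEL-family sshd.
sshd_apply() {
    cfg=${1:-/etc/ssh/sshd_config}
    sshd -t -f "$cfg" || { echo "refusing to reload: $cfg has errors" >&2; return 1; }
    port=$(sshd_effective "$cfg" Port)
    if [ -n "$port" ] && [ "$port" != 22 ] && command -v semanage >/dev/null 2>&1; then
        semanage port -l | grep '^ssh_port_t' | grep -qw "$port" \
            || semanage port -a -t ssh_port_t -p tcp "$port"
    fi
    systemctl reload sshd 2>/dev/null || systemctl reload ssh
}

# Constructed samples (assumption): the weak file beside its hardened form.
sshd_write_samples() {
    dir=$1
    printf 'Ubuntu 20.04 LTS, Linux 5.4.0\n' > "$dir/issue.net"
    cat > "$dir/sshd_config.weak" <<EOF
Protocol 2,1
#ListenAddress 10.0.0.5
#Port 22
Banner $dir/issue.net
EOF
    cat > "$dir/sshd_config.hardened" <<EOF
Protocol 2
ListenAddress 10.0.0.5
ListenAddress 10.0.1.5
Port 2222
Banner none
EOF
}

# Usage: sh audit_sshd.sh [sshd_config]; with no argument it audits the samples.
if [ $# -gt 0 ]; then
    sshd_audit "$1"
else
    tmp=$(mktemp -d)
    sshd_write_samples "$tmp"
    for f in "$tmp"/sshd_config.*; do
        echo "== $f"; sshd_audit "$f" || echo "   $? warning(s)"
    done
    rm -rf "$tmp"
fi
```

Run it against a real file with sh audit_sshd.sh /etc/ssh/sshd_config; the exit status doubles as a count you can alert on from a config-compliance job. The audit reads only the first occurrence of each keyword before any Match block, which mirrors how sshd resolves a global value, so a hardened line appended below an earlier weak one is correctly reported as ineffective. Changing the port is deliberately only an INFO finding: as the lesson notes, it trims noise but does not stop a targeted scan.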

About the Author
Jason Cannon
Founder, Linux Training Academy

Jason is the founder of the Linux Training Academy as well as the author of "Linux for Beginners" and "Command Line Kung Fu." He has over 20 years of professional Linux experience, having worked for industry leaders such as Hewlett-Packard, Xerox, UPS, FireEye, and Amazon.com. Nothing gives him more satisfaction than knowing he has helped thousands of IT professionals level up their careers through his many books and courses.