Security Best Practices
To secure the SSH daemon (sshd), several best practices should be followed, such as restricting login permissions, disabling password authentication, integrating rate limiting, and enabling logging and monitoring of SSH connections. These practices help protect against unauthorized access and brute-force attacks.
Restricting Login Permissions
Controlling who can log in via SSH is crucial for reducing the attack surface. Restrictions can be applied through several options in the sshd_config file.
- PermitRootLogin: Disallowing root login minimizes the risk of direct privilege escalation attacks. Instead, users should log in with normal accounts and use sudo for administrative tasks:
    PermitRootLogin no
- AllowUsers and AllowGroups: These options explicitly define which users or groups are allowed to access the system:
    AllowUsers admin user1
    AllowGroups sshusers
- DenyUsers and DenyGroups: These options block specified users or groups from accessing the system:
    DenyUsers baduser
    DenyGroups nogroup
Disabling Password Authentication
Password-based authentication is vulnerable to brute-force attacks. A more secure alternative is to use key-based authentication, which requires cryptographic keys instead of passwords.
- Disable Password Authentication: To ensure only SSH keys are used for login, disable password-based authentication:
    PasswordAuthentication no
Rate Limiting and Fail2Ban Integration
Protecting against brute-force attacks is essential. Tools like Fail2Ban can be used to automatically block IP addresses after a specified number of failed login attempts. This adds an extra layer of protection to the system.
- Installing Fail2Ban: On most Linux distributions, Fail2Ban can be installed through the package manager:
    sudo apt install fail2ban
- Configuring Fail2Ban: Enable the SSH jail in /etc/fail2ban/jail.conf to block IP addresses after multiple failed attempts (Fail2Ban also reads overrides from jail.local, so placing the stanza there keeps it from being overwritten on package upgrades):
    [sshd]
    enabled = true
    port = ssh
    filter = sshd
    logpath = /var/log/auth.log
    maxretry = 5
- Rate Limiting via sshd_config: The MaxStartups parameter limits the number of concurrent unauthenticated SSH connections, which reduces the risk of brute-force attacks. With the value below, sshd starts refusing 30% of new unauthenticated connections once 10 are pending, rising to 100% at 60:
    MaxStartups 10:30:60
Logging and Monitoring SSH Connections
Monitoring SSH logs is critical for detecting unauthorized access attempts. Enabling detailed logging helps in identifying anomalies in SSH activity.
- Enable Logging: Set LogLevel to VERBOSE in sshd_config to record successful and failed login attempts:
    LogLevel VERBOSE
- Review SSH Logs: SSH logs are typically stored in /var/log/auth.log (or /var/log/secure on some systems). These logs should be regularly reviewed to detect suspicious activity:
    sudo tail -f /var/log/auth.log
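As an added example (not part of the original page), the following Python script applies the sshd jail's maxretry threshold to sshd log lines in the /var/log/auth.log format and also flags successful password logins, which would indicate that the PasswordAuthentication setting above is not in effect. The log lines, host name, users and addresses are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines in the format sshd writes to /var/log/auth.log;
# the host, users and addresses are made up for this example.
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:02 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 50122 ssh2
Mar  3 10:01:04 host sshd[1203]: Failed password for root from 203.0.113.5 port 50124 ssh2
Mar  3 10:01:06 host sshd[1205]: Failed password for root from 203.0.113.5 port 50126 ssh2
Mar  3 10:01:08 host sshd[1207]: Failed password for invalid user test from 203.0.113.5 port 50128 ssh2
Mar  3 10:01:10 host sshd[1209]: Failed password for invalid user guest from 203.0.113.5 port 50130 ssh2
Mar  3 10:02:00 host sshd[1220]: Failed password for user1 from 198.51.100.7 port 40010 ssh2
Mar  3 10:02:30 host sshd[1222]: Accepted publickey for user1 from 198.51.100.7 port 40012 ssh2: ED25519 SHA256:constructed
Mar  3 10:04:00 host sshd[1240]: Accepted password for user2 from 192.0.2.9 port 33001 ssh2
"""

# "Failed password for [invalid user ]<user> from <ip> port ..." as logged by sshd.
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
# "Accepted <method> for <user> from <ip> port ..." for successful authentications.
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port")


def count_failures(log_text):
    """Map each source IP to its number of 'Failed password' lines."""
    return Counter(m.group(2) for line in log_text.splitlines()
                   if (m := FAILED_RE.search(line)))


def offenders(log_text, maxretry=5):
    """IPs that reached maxretry failures, the threshold the sshd jail above bans at."""
    return sorted(ip for ip, n in count_failures(log_text).items() if n >= maxretry)


def accepted_logins(log_text):
    """List of (method, user, ip) for every successful authentication."""
    return [m.groups() for line in log_text.splitlines()
            if (m := ACCEPTED_RE.search(line))]


def password_logins(log_text):
    """Successful password logins: any hit means PasswordAuthentication no is not in effect."""
    return [(user, ip) for method, user, ip in accepted_logins(log_text) if method == "password"]


if __name__ == "__main__":
    print("failures per IP:", dict(count_failures(SAMPLE_AUTH_LOG)))
    print("would be banned at maxretry=5:", offenders(SAMPLE_AUTH_LOG))
    print("password logins (should be empty):", password_logins(SAMPLE_AUTH_LOG))
```

To run it against a real host, read /var/log/auth.log (or /var/log/secure) into log_text instead of the constructed sample.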
Applying these security measures helps to safeguard SSH daemons against unauthorized access, brute-force attacks, and other security risks.