Security Best Practices

To secure the SSH daemon (sshd), several best practices should be followed, such as restricting login permissions, disabling password authentication, integrating rate limiting, and enabling logging and monitoring of SSH connections. These practices help protect against unauthorized access and brute-force attacks.

Restricting Login Permissions

Controlling who can log in via SSH is crucial for reducing the attack surface. Restrictions can be applied through several options in the sshd_config file.

  • PermitRootLogin: Disallowing root login minimizes the risk of direct privilege escalation attacks. Instead, users should log in with normal accounts and use sudo for administrative tasks:

    PermitRootLogin no
    
  • AllowUsers and AllowGroups: These options explicitly define which users or groups are allowed to access the system:

    AllowUsers admin user1
    AllowGroups sshusers
    
  • DenyUsers and DenyGroups: These options block specified users or groups from accessing the system:

    DenyUsers baduser
    DenyGroups nogroup
    

Disabling Password Authentication

Password-based authentication is vulnerable to brute-force attacks. A more secure alternative is to use key-based authentication, which requires cryptographic keys instead of passwords.

  • Disable Password Authentication: To ensure only SSH keys are used for login, disable password-based authentication:

    PasswordAuthentication no
    

Rate Limiting and Fail2Ban Integration

Protecting against brute-force attacks is essential. Tools like Fail2Ban can be used to automatically block IP addresses after a specified number of failed login attempts. This adds an extra layer of protection to the system.

  • Installing Fail2Ban: On most Linux distributions, Fail2Ban can be installed through the package manager:

    sudo apt install fail2ban
    
  • Configuring Fail2Ban: Enable the SSH jail in /etc/fail2ban/jail.conf to block IP addresses after multiple failed attempts:

    [sshd]
    enabled = true
    port = ssh
    filter = sshd
    logpath = /var/log/auth.log
    maxretry = 5
    
  • Rate Limiting via sshd_config: The MaxStartups parameter limits the number of concurrent unauthenticated SSH connections the daemon will hold open. This reduces the risk of brute-force attacks:

    MaxStartups 10:30:60
    

Logging and Monitoring SSH Connections

Monitoring SSH logs is critical for detecting unauthorized access attempts. Enabling detailed logging helps in identifying anomalies in SSH activity.

  • Enable Logging: Set the LogLevel to VERBOSE in sshd_config to record successful and failed login attempts:

    LogLevel VERBOSE
    
  • Review SSH Logs: SSH logs are typically stored in /var/log/auth.log (or /var/log/secure on some systems). These logs should be regularly reviewed to detect suspicious activity:

    sudo tail -f /var/log/auth.log
    
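As an added example (not part of the original page), a small Python audit script for the settings listed above: it checks PermitRootLogin, PasswordAuthentication, LogLevel and MaxStartups in a copy of sshd_config while honouring two rules that a plain text search misses: sshd keeps the first value it reads for each keyword, and directives under a Match block apply only to matching connections. The EXPECTED policy, the function names and the sample config are assumptions constructed here.

```python
"""Audit sshd_config text. sshd keeps the FIRST value read for each keyword
and Match-block directives apply only to matching connections, so grepping
for 'PasswordAuthentication no' can pass a config that still accepts them."""
import re

# Hypothetical policy: the global values recommended above.
EXPECTED = {"permitrootlogin": "no", "passwordauthentication": "no",
            "loglevel": "verbose"}

def parse_sshd_config(text):
    """Return the effective global settings as {keyword: value}."""
    effective, in_match = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        # keywords are case-insensitive; separator is spaces or '='
        m = re.match(r"([A-Za-z0-9]+)\s*[=\s]\s*(.*)", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            in_match = True                   # everything below is conditional
        elif not in_match:
            effective.setdefault(key, value)  # first occurrence wins
    return effective

def audit(text):
    """Return a list of findings; an empty list means the config passes."""
    effective, findings = parse_sshd_config(text), []
    for key, want in EXPECTED.items():
        got = effective.get(key)
        if got is None:
            findings.append(f"{key}: not set globally (sshd default applies)")
        elif got.lower() != want:
            findings.append(f"{key}: is {got!r}, expected {want!r}")
    if "maxstartups" not in effective:
        findings.append("maxstartups: not set")
    return findings

# Constructed sample: looks hardened at a glance, but is not.
SAMPLE = """\
PasswordAuthentication yes   # stale value near the top of the file
LogLevel VERBOSE
MaxStartups 10:30:60
PasswordAuthentication no    # ignored: the first value above wins
Match Address 10.0.0.0/8
    PermitRootLogin no       # applies to this Match block only
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

On a live host, `sshd -T` prints the configuration sshd actually uses (Include files and defaults resolved), which is the authoritative check; this script shows why reading the file by eye is not.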

Applying these security measures helps to safeguard SSH daemons against unauthorized access, brute-force attacks, and other security risks.