Server Configuration

Configuring an SSH server for advanced use requires detailed knowledge of the sshd_config file. The server can be customized to meet security and operational needs by managing user access, enforcing policies, and enabling port forwarding and tunneling.

Understanding sshd_config Parameters

The sshd_config file is the primary control mechanism for SSH server behavior. Some critical parameters include:

  • Port: By default, SSH listens on port 22. Changing the port can reduce the visibility of the SSH service to automated attacks:

    Port 2222
    

    While not a substitute for stronger security measures, using a non-standard port may reduce the number of automated login attempts.

  • PermitRootLogin: Allowing direct root login increases the risk of privilege escalation attacks. It is recommended to disable root login:

    PermitRootLogin no
    

    Users should log in with a normal account and escalate privileges using sudo when necessary.

  • PasswordAuthentication: Disabling password authentication reduces vulnerability to brute-force attacks. This forces users to rely on key-based authentication:

    PasswordAuthentication no
    
  • AllowUsers and AllowGroups: These parameters define specific users or groups allowed to access the SSH server:

    AllowUsers admin user1
    AllowGroups sshusers
    

    This ensures that only selected users or groups can authenticate and log in.

Limiting User Access and Enforcing Policies

Limiting access to trusted users and enforcing policies enhances security. Some key practices include:

  • Restricting User Access: As mentioned, AllowUsers and AllowGroups restrict SSH access to defined users or groups, ensuring that only authorized personnel can log in.

  • Account Lockout with Fail2Ban: Fail2Ban can be used to automatically block IP addresses after repeated failed login attempts. This prevents brute-force attempts from overwhelming the server.

  • Disabling Empty Passwords: The following configuration ensures that accounts with empty passwords cannot authenticate via SSH:

    PermitEmptyPasswords no
    

Configuring Port Forwarding and Tunneling

SSH supports advanced tunneling features, enabling the secure forwarding of network traffic through an SSH connection. The main forms of port forwarding are:

  • Local Port Forwarding: Traffic from a local machine can be forwarded to a remote machine through an SSH tunnel. For example, to forward traffic from port 8080 on a local machine to port 80 on a remote server:

    ssh -L 8080:localhost:80 user@remote_host
    
  • Remote Port Forwarding: Traffic from a remote machine can be tunneled back to a local machine, useful for securely accessing services on the local network from a remote host:

    ssh -R 8080:localhost:80 user@remote_host
    
  • Dynamic Port Forwarding: A SOCKS proxy can be created for more flexible tunneling, allowing any traffic to be routed through the SSH connection:

    ssh -D 8080 user@remote_host
    

Port forwarding provides a secure and convenient way to access network services, bypass firewalls, and secure traffic over an otherwise untrusted network.

Here is an explanation of all the options found in the default OpenBSD sshd_config file, along with a table summarizing the purpose and default values of each option. I’ll also integrate this information into the Advanced SSH Server Configuration section, explaining where certain options are particularly relevant.

Default sshd_config Options

The default OpenBSD sshd_config file is structured to provide default settings for many common options, with most of them commented out. By default, these settings are left in their standard state, and uncommenting them overrides the default values. Below is a table explaining the options in this configuration file.

Table of Default Options

OptionDescriptionDefault Value
PortSpecifies the port for SSH to listen on.22
AddressFamilySpecifies which IP version to use (any, inet for IPv4, or inet6 for IPv6).any
ListenAddressDefines specific IP addresses for the SSH daemon to listen on.0.0.0.0 and ::
HostKeySpecifies the location of the SSH host keys./etc/ssh/ssh_host_rsa_key (and others)
RekeyLimitSpecifies how much data or time can pass before requiring a rekeying.default none
SyslogFacilitySpecifies the logging facility for the SSH daemon.AUTH
LogLevelSets the verbosity of logging.INFO
LoginGraceTimeSpecifies the time allowed for successful login before connection is dropped.2m (2 minutes)
PermitRootLoginDetermines whether the root user can log in via SSH.no
StrictModesEnsures permissions on files and directories are correct before login.yes
MaxAuthTriesLimits the number of authentication attempts allowed per connection.6
MaxSessionsLimits the number of open sessions permitted per network connection.10
PubkeyAuthenticationEnables public key authentication.yes
AuthorizedKeysFileSpecifies the file(s) containing public keys for users..ssh/authorized_keys
PasswordAuthenticationEnables password-based authentication.yes
PermitEmptyPasswordsAllows users with empty passwords to log in via SSH.no
AllowAgentForwardingEnables SSH agent forwarding.yes
AllowTcpForwardingEnables TCP forwarding.yes
GatewayPortsControls whether remote hosts can connect to forwarded ports.no
X11ForwardingEnables X11 forwarding.no
TCPKeepAliveSends keepalive messages to the client to ensure the connection is alive.yes
ClientAliveIntervalSets the timeout interval for sending keepalive messages to clients.0 (disabled)
ClientAliveCountMaxLimits the number of client alive messages sent without response.3
UseDNSEnables DNS lookup to verify client hostnames.no
MaxStartupsControls the number of concurrent unauthenticated connections.10:30:100
PermitTunnelEnables tunneling network devices over SSH.no
ChrootDirectorySpecifies the directory to chroot users into after authentication.none
SubsystemDefines SSH subsystems, such as SFTP.sftp /usr/libexec/sftp-server
BannerDisplays a custom banner message before authentication.none

By understanding and configuring the sshd_config file, it is possible to create a secure and flexible SSH environment. Advanced server configurations such as port forwarding and tunneling offer additional layers of functionality while maintaining security.