Server Configuration
Configuring an SSH server for advanced use requires detailed knowledge of the sshd_config file. The server can be customized to meet security and operational needs by managing user access, enforcing policies, and enabling port forwarding and tunneling.
Understanding sshd_config Parameters
The sshd_config file is the primary control mechanism for SSH server behavior. Some critical parameters include:
Port: By default, SSH listens on port 22. Changing the port can reduce the visibility of the SSH service to automated attacks:
Port 2222
While not a substitute for stronger security measures, using a non-standard port may reduce the number of automated login attempts.
PermitRootLogin: Allowing direct root login increases the risk of privilege escalation attacks. It is recommended to disable root login:
PermitRootLogin no
Users should log in with a normal account and escalate privileges using sudo when necessary.
PasswordAuthentication: Disabling password authentication reduces vulnerability to brute-force attacks. This forces users to rely on key-based authentication:
PasswordAuthentication no
AllowUsers and AllowGroups: These parameters define specific users or groups allowed to access the SSH server:
AllowUsers admin user1
AllowGroups sshusers
This ensures that only selected users or groups can authenticate and log in.
Limiting User Access and Enforcing Policies
Limiting access to trusted users and enforcing policies enhances security. Some key practices include:
Restricting User Access: As mentioned, AllowUsers and AllowGroups restrict SSH access to defined users or groups, ensuring that only authorized personnel can log in.
Account Lockout with Fail2Ban: Fail2Ban can be used to automatically block IP addresses after repeated failed login attempts. This prevents brute-force attempts from overwhelming the server.
Disabling Empty Passwords: The following configuration ensures that accounts with empty passwords cannot authenticate via SSH:
PermitEmptyPasswords no
Configuring Port Forwarding and Tunneling
SSH supports advanced tunneling features, enabling the secure forwarding of network traffic through an SSH connection. The main forms of port forwarding are:
Local Port Forwarding: Connections to a port on the local machine are carried through the SSH tunnel to a destination reached from the remote server. For example, to forward connections to port 8080 on the local machine to port 80 on the remote server (localhost in the command is resolved on remote_host):
ssh -L 8080:localhost:80 user@remote_host
Remote Port Forwarding: Traffic from a remote machine can be tunneled back to a local machine, useful for securely accessing services on the local network from a remote host:
ssh -R 8080:localhost:80 user@remote_host
Dynamic Port Forwarding: A SOCKS proxy can be created for more flexible tunneling, allowing any SOCKS-aware application to route its TCP connections through the SSH connection:
ssh -D 8080 user@remote_host
Port forwarding provides a secure and convenient way to access network services, bypass firewalls, and secure traffic over an otherwise untrusted network.
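The login-policy directives above (PermitRootLogin, PasswordAuthentication, PermitEmptyPasswords, AllowUsers/AllowGroups) and the server-side controls over forwarding (AllowTcpForwarding and GatewayPorts from the table below, plus PermitOpen) are only as good as the value sshd actually ends up using, and two rules of sshd_config(5) trip people up: for each keyword the first value read wins, and keywords inside a Match block override the global section for matching connections. The following script is an added example written for this article, not code from the article or from OpenSSH: it evaluates the value in force for a given user and group, audits the login policy, and classifies the forwarding policy. The two configuration files, the user and group names, and the host db.internal.example are constructed for the demonstration; handling only the User and Group criteria of Match is an assumption of this example.

```shell
#!/bin/sh
# Added example, not from the original article: work out which sshd_config
# values apply to a given connection, then audit them for the settings
# discussed above. Two rules from sshd_config(5) are modelled:
#   1. for each keyword the FIRST value read wins, so a later duplicate or a
#      commented-out "hardened" line changes nothing;
#   2. keywords in a Match block override the global section for connections
#      that match it (only the User and Group criteria are handled here).
# Sample configs are constructed inline; the real /etc/ssh is never touched.

# effective_for FILE USER GROUP KEYWORD DEFAULT -> prints the value in force
effective_for() {
    awk -v user="$2" -v group="$3" -v key="$4" -v def="$5" '
        function inlist(item, list,    n, a, j) {
            n = split(list, a, ",")
            for (j = 1; j <= n; j++) if (a[j] == item || a[j] == "*") return 1
            return 0
        }
        BEGIN { applies = 1 }                     # global section: everyone
        /^[ \t]*#/ || /^[ \t]*$/ { next }         # comment or blank line
        tolower($1) == "match" {                  # Match <crit> <value> ...
            in_match = 1; applies = 1
            for (i = 2; i < NF; i += 2) {         # "Match all" has no pairs
                crit = tolower($i); val = $(i + 1)
                if (crit == "user")       { if (!inlist(user, val))  applies = 0 }
                else if (crit == "group") { if (!inlist(group, val)) applies = 0 }
                else applies = 0                  # other criteria: assume no match
            }
            next
        }
        applies && tolower($1) == tolower(key) {
            $1 = ""; sub(/^[ \t]+/, "")           # keep only the value part
            if (in_match) { if (!mset) { mval = $0; mset = 1 } }
            else          { if (!gset) { gval = $0; gset = 1 } }
        }
        END { v = def; if (gset) v = gval; if (mset) v = mval; print v }
    ' "$1"
}

# audit_login FILE USER GROUP -> one line per check; returns the failure count
audit_login() {
    fails=0
    for spec in "PermitRootLogin no" "PasswordAuthentication no" "PermitEmptyPasswords no"; do
        kw=${spec% *}; want=${spec#* }
        got=$(effective_for "$1" "$2" "$3" "$kw" "(unset)")
        if [ "$got" = "$want" ]; then echo "OK   $kw $got"
        else echo "FAIL $kw $got (want $want)"; fails=$((fails + 1)); fi
    done
    ulist=$(effective_for "$1" "$2" "$3" AllowUsers "")
    glist=$(effective_for "$1" "$2" "$3" AllowGroups "")
    if [ -n "$ulist$glist" ]; then echo "OK   access list: ${ulist:+AllowUsers $ulist }${glist:+AllowGroups $glist}"
    else echo "FAIL no AllowUsers/AllowGroups restriction"; fails=$((fails + 1)); fi
    echo "INFO Port $(effective_for "$1" "$2" "$3" Port 22)"   # informational only
    return $fails
}

# forwarding_policy FILE USER GROUP -> disabled | restricted | unrestricted | exposed
forwarding_policy() {
    atf=$(effective_for "$1" "$2" "$3" AllowTcpForwarding yes | tr 'A-Z' 'a-z')
    gp=$(effective_for "$1" "$2" "$3" GatewayPorts no | tr 'A-Z' 'a-z')
    po=$(effective_for "$1" "$2" "$3" PermitOpen any)
    if [ "$atf" = "no" ]; then echo disabled
    elif [ "$gp" != "no" ] && [ "$atf" != "local" ]; then echo exposed   # -R listeners reachable from other hosts
    elif [ "$po" != "any" ]; then echo restricted                        # -L limited to listed destinations
    else echo unrestricted; fi
}

WEAK_CFG=$(mktemp); HARDENED_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARDENED_CFG"' EXIT
# Constructed sample: looks hardened at a glance, but rule 1 says otherwise.
cat >"$WEAK_CFG" <<'EOF'
#PermitRootLogin no
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no
Port 22
Match User backup
    PermitEmptyPasswords yes
EOF
# Constructed sample: forwarding off globally, re-enabled narrowly per group.
cat >"$HARDENED_CFG" <<'EOF'
Port 2222
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
AllowUsers admin user1 legacy-admin
AllowGroups sshusers tunnelusers
AllowTcpForwarding no
GatewayPorts no
Match Group tunnelusers
    AllowTcpForwarding local
    PermitOpen db.internal.example:5432
    PermitTTY no
Match User legacy-admin
    AllowTcpForwarding yes
    GatewayPorts yes
EOF

echo "== weak config, user alice";     audit_login "$WEAK_CFG" alice users       || echo "-> $? finding(s)"
echo "== hardened config, user admin"; audit_login "$HARDENED_CFG" admin sshusers || echo "-> $? finding(s)"
for who in "alice users" "bob tunnelusers" "legacy-admin users"; do
    echo "forwarding for $who: $(forwarding_policy "$HARDENED_CFG" $who)"   # $who splits into user group
done
```

Run it with sh and the weak file reports four findings even though it contains a PermitRootLogin no line and a PasswordAuthentication no line, because both are shadowed by an earlier value or a comment marker; the hardened file passes, and the forwarding classification shows how a single Match User block can silently re-open remote forwarding with GatewayPorts for one account while the global policy says no. To audit a live host, point effective_for at /etc/ssh/sshd_config (or compare against sshd -T, which prints the fully resolved configuration).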
The following table explains the options found in the default OpenBSD sshd_config file, summarizing the purpose and default value of each option.
Default sshd_config Options
The default OpenBSD sshd_config file is structured to provide default settings for many common options, with most of them commented out. By default, these settings are left in their standard state, and uncommenting them overrides the default values. Below is a table explaining the options in this configuration file.
Table of Default Options
Option | Description | Default Value |
---|---|---|
Port | Specifies the port for SSH to listen on. | 22 |
AddressFamily | Specifies which IP version to use (any, inet for IPv4, or inet6 for IPv6). | any |
ListenAddress | Defines specific IP addresses for the SSH daemon to listen on. | 0.0.0.0 and :: |
HostKey | Specifies the location of the SSH host keys. | /etc/ssh/ssh_host_rsa_key (and others) |
RekeyLimit | Specifies how much data or time can pass before requiring a rekeying. | default none |
SyslogFacility | Specifies the logging facility for the SSH daemon. | AUTH |
LogLevel | Sets the verbosity of logging. | INFO |
LoginGraceTime | Specifies the time allowed for successful login before connection is dropped. | 2m (2 minutes) |
PermitRootLogin | Determines whether the root user can log in via SSH. | no |
StrictModes | Ensures permissions on files and directories are correct before login. | yes |
MaxAuthTries | Limits the number of authentication attempts allowed per connection. | 6 |
MaxSessions | Limits the number of open sessions permitted per network connection. | 10 |
PubkeyAuthentication | Enables public key authentication. | yes |
AuthorizedKeysFile | Specifies the file(s) containing public keys for users. | .ssh/authorized_keys |
PasswordAuthentication | Enables password-based authentication. | yes |
PermitEmptyPasswords | Allows users with empty passwords to log in via SSH. | no |
AllowAgentForwarding | Enables SSH agent forwarding. | yes |
AllowTcpForwarding | Enables TCP forwarding. | yes |
GatewayPorts | Controls whether remote hosts can connect to forwarded ports. | no |
X11Forwarding | Enables X11 forwarding. | no |
TCPKeepAlive | Sends keepalive messages to the client to ensure the connection is alive. | yes |
ClientAliveInterval | Sets the timeout interval for sending keepalive messages to clients. | 0 (disabled) |
ClientAliveCountMax | Limits the number of client alive messages sent without response. | 3 |
UseDNS | Enables DNS lookup to verify client hostnames. | no |
MaxStartups | Controls the number of concurrent unauthenticated connections. | 10:30:100 |
PermitTunnel | Enables tunneling network devices over SSH. | no |
ChrootDirectory | Specifies the directory to chroot users into after authentication. | none |
Subsystem | Defines SSH subsystems, such as SFTP. | sftp /usr/libexec/sftp-server |
Banner | Displays a custom banner message before authentication. | none |
By understanding and configuring the sshd_config file, it is possible to create a secure and flexible SSH environment. Advanced server configurations such as port forwarding and tunneling offer additional layers of functionality while maintaining security.