Monday, February 25, 2008

Tightening SSHD security on Fedora Core

Here's few tips how to improve your SSHD security on your Fedora Core box. With these easy steps you can make sure no-one's gonna hack into your box.

1) Install fail2ban

Fail2ban is a script, that actively tracks the connections against sshd. If someone tries to scan your sshd using many different account names and passwords, fail2ban denies connections from that IP for 15 minutes.

You can install fail2ban easily with yum:
[root@machine ssh]# yum install -y fail2ban.noarch

You can start using fail2ban straight after installation is complete:

[root@machine ssh]# /etc/init.d/fail2ban start

The log file is found at /var/log. Fail2ban can also send email with information about banned IP-addresses.

2) Restricted ssh connections

You can allow ssh connections only for specified accounts.

Emacs your /etc/ssh/sshd_config and add following line:

AllowUsers username1 username2

You should allso make sure Root cannot access your ssh:

PermitRootLogin no


After this, restart your sshd.

3) Change your SSHD port

By default, SSHD is located at port 22. Many port scanners try to locate ssh servers running at that address. If you change your sshd to a high port (above 1024), you get rid of many port scanning attempts. For example, nmap cannot scan ports above 1024.

In sshd_config, change:

#Port 22 >> Port 1100

Restart your sshd.


4) Allow only specific hosts to connect using TCP wrappers

You should allow SSH connections to your machine only from wanted IP addresses. Anything else is unwanted, and possibly hazadrous. For this you can use two files: /etc/hosts.deny and /etc/hosts.allow

Hosts.deny controls which traffic you want to deny, and /etc/hosts.allow which traffic you want to allow.

Here's an example how to deny all ssh access. Simply type the following to your hosts.deny:

sshd: ALL

Now, after you restart your sshd, all sshd traffic is blocked.

If you want to have access from your IP-addresses 192.168.1.1 and some public address, simply type the following to your hosts.allow:

sshd: 192.168.1 xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy

If you want to allow all traffic from .se -domains, simply type this to your hosts.allow:

sshd: .se

This can be done allso with hosts.deny:

sshd : ALL EXCEPT .se

And if you want to block traffic from some countries but allow everything else, you can type this to hosts.allow

# Allow SSH (http://en.wikipedia.org/wiki/Country_code_top-level_domain)
sshd : ALL EXCEPT .br .cl .cn .hk .in .kr .mx .my .ro .ru .tw .ua

# Allow everything else
ALL : ALL

No comments: