Configuring the SSH protocol to make it more secure

Although we have been saying that the SSH protocol is secure, this does not mean it is immune to attacks that put our information at risk. For this reason, we can modify the protocol's default configuration to make it even more secure, for example by changing the default port or the maximum number of attempts allowed when connecting to the server. Let's see how we can improve the security of our SSH service.

First, we need to locate the configuration file, sshd_config. This file is usually located in the /etc/ssh directory.

The following configuration could be the default content of the file:

Port 22
Protocol 2
LoginGraceTime 30
PermitRootLogin no
MaxAuthTries 2
MaxStartups 3

These are the parameters we can modify in this configuration file:

  • Change the default port: By default, SSH listens on port 22, so when an attacker launches an attack, it is usually aimed at this port. If we change the port number, the service will no longer respond on the default port, and we will have created a new obstacle for anyone trying to get at our information. To do this, just change the value of the Port field in the configuration file to the value you want.
  • Disable root access: Every server has a root user, which has privileges to perform any action on the machine. A good security practice is to prevent access to the server through this root user and to force access through one of the users we have created who do not have root privileges. Once logged in with our user, we can become root through the sudo command. To prevent access by the root user, we must set the PermitRootLogin variable to no.
  • Limit the number of retries: By means of the MaxAuthTries variable, we can indicate how many times a wrong username or password may be entered. Once the number we have indicated is exceeded, the connection will be dropped and the connection process will have to start again. With this, we avoid attacks that hold a connection open to keep trying credentials. If we want to allow a maximum of five attempts, we indicate it as follows: MaxAuthTries 5.
  • Limit the number of login screens: We can limit the number of simultaneous login windows that can be active from the same IP, in order to avoid attacks split across several connections. Once the user is logged in, it will not be possible to have more SSH terminals open than indicated in this variable. If we only want a single login screen per IP, we set it as follows: MaxStartups 1.
  • Limit the time that the login screen will be available: Through the LoginGraceTime directive, we indicate the time in seconds that the login screen will be available for entering our credentials. After that time, the screen will disappear and you will have to start the process again. With this, we prevent the use of a script to access the system. If we want a duration of 15 seconds, we set it as follows: LoginGraceTime 15.
  • Indicate the users that can access via SSH: By means of the AllowUsers directive, we can indicate the users that will be able to access the server via SSH, as well as the IP address they will be able to do so from. Let's see some examples of how to indicate it:
    • Indicate only the names of the users who will have access: Using AllowUsers user1 user2, we are indicating that only users user1 and user2 will have access to the system via SSH, regardless of the computer and the IP address from which they connect.
    • Access of a user from a certain IP address: Using AllowUsers user@<ip_address>, we indicate that the user user can access the machine via SSH, but only from the IP address that we specify.
    • Access of a user from a given network: Using AllowUsers user@<network_ip>.*, we indicate that the user will be able to access from any IP address that forms part of the indicated network.
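The directives above are only effective if sshd actually reads them the way we expect. The following audit script is an added example written for this page, not code from the book or from OpenSSH itself: it parses an sshd_config file and reports whether the hardening settings discussed above are in place. It relies on two parsing rules of sshd that are easy to trip over: the first occurrence of a keyword wins (a "PermitRootLogin no" appended below an earlier "PermitRootLogin yes" changes nothing), and anything after the first Match line is conditional rather than global. The file paths, the two sample configurations and the threshold values (MaxAuthTries at most 5, LoginGraceTime at most 30) are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the book): audit an sshd_config file against the
# hardening directives discussed above.  Two sshd parsing rules drive the
# design:
#   1. the FIRST occurrence of a keyword wins, so a "PermitRootLogin no"
#      appended below an earlier "PermitRootLogin yes" changes nothing;
#   2. everything after the first "Match" line is conditional and is not
#      part of the global configuration.
# The file paths and sample contents below are constructed for the demo.

# sshd_get FILE KEYWORD  ->  prints the effective global value of KEYWORD
# (keywords are case-insensitive; "Keyword value" and "Keyword=value" forms)
sshd_get() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/       { next }   # skip comment lines
        NF == 0                { next }   # skip blank lines
        tolower($1) == "match" { exit }   # end of the global section
        {
            if (index($1, "=")) sub(/=/, " ")   # normalise "Keyword=value"
            if (tolower($1) == key && NF >= 2) {
                v = $2
                for (i = 3; i <= NF; i++) v = v " " $i
                print v
                exit                      # first occurrence wins
            }
        }' "$1"
}

# _is_int STRING -> true when STRING is a non-negative integer
_is_int() {
    case "$1" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac
}

# _verdict NAME VALUE OK -> prints PASS/FAIL and returns OK (0 = pass)
_verdict() {
    if [ "$3" -eq 0 ]; then printf 'PASS  %-16s %s\n' "$1" "$2"
    else                    printf 'FAIL  %-16s %s\n' "$1" "$2"; fi
    return "$3"
}

# sshd_check FILE -> one line per directive; return value = number of failures
sshd_check() {
    f="$1"; fails=0

    v=$(sshd_get "$f" PermitRootLogin)
    if [ "$v" = "no" ]; then ok=0; else ok=1; fi
    _verdict PermitRootLogin "${v:-<unset>}" "$ok" || fails=$((fails + 1))

    v=$(sshd_get "$f" MaxAuthTries)          # small, but at least 1
    if _is_int "$v" && [ "$v" -ge 1 ] && [ "$v" -le 5 ]; then ok=0; else ok=1; fi
    _verdict MaxAuthTries "${v:-<unset>}" "$ok" || fails=$((fails + 1))

    v=$(sshd_get "$f" LoginGraceTime)        # 0 would mean "no limit"
    if _is_int "$v" && [ "$v" -ge 1 ] && [ "$v" -le 30 ]; then ok=0; else ok=1; fi
    _verdict LoginGraceTime "${v:-<unset>}" "$ok" || fails=$((fails + 1))

    v=$(sshd_get "$f" MaxStartups)           # must be set explicitly
    if [ -n "$v" ]; then ok=0; else ok=1; fi
    _verdict MaxStartups "${v:-<unset>}" "$ok" || fails=$((fails + 1))

    v=$(sshd_get "$f" AllowUsers)            # an explicit allow-list must exist
    if [ -n "$v" ]; then ok=0; else ok=1; fi
    _verdict AllowUsers "${v:-<unset>}" "$ok" || fails=$((fails + 1))

    v=$(sshd_get "$f" Port)                  # anything but the default 22
    if _is_int "$v" && [ "$v" -ne 22 ]; then ok=0; else ok=1; fi
    _verdict Port "${v:-<unset>}" "$ok" || fails=$((fails + 1))

    return "$fails"
}

# --- constructed sample configurations for the demo -------------------------
WEAK_CFG="${TMPDIR:-/tmp}/sshd_weak.$$"
HARD_CFG="${TMPDIR:-/tmp}/sshd_hard.$$"
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT

cat > "$WEAK_CFG" <<'EOF'
# Looks hardened at the bottom, but the first PermitRootLogin line wins
Port 22
PermitRootLogin yes
MaxAuthTries 6
LoginGraceTime 120
PermitRootLogin no
EOF

cat > "$HARD_CFG" <<'EOF'
Port 2222
Protocol 2
LoginGraceTime 15
PermitRootLogin no
MaxAuthTries 3
MaxStartups 3
AllowUsers alice bob@192.0.2.10 carol@198.51.100.*
Match Address 198.51.100.0/24
    PasswordAuthentication no
EOF

echo "== weak ==";     sshd_check "$WEAK_CFG" || echo "$? directive(s) need attention"
echo "== hardened =="; sshd_check "$HARD_CFG" || echo "$? directive(s) need attention"
```

Run it against a real file with sshd_check /etc/ssh/sshd_config, and always validate an edited file with sshd -t before restarting the service, since a syntax error locks everyone out. Note that in OpenSSH the MaxStartups value caps unauthenticated connections to the daemon as a whole rather than per source IP, and its start:rate:full form (for example 10:30:100) starts randomly dropping new unauthenticated connections once the first number is reached.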