Introduction
As my servers are ‘Internet Exposed’, I see hundreds of attempts every day to try and brute-force the access security through SSH. I get around this to some extent by using iptables to only allow SSH from outside my domain to one specific PC within the domain. I can then SSH from that PC to the others within my domain. For me this solution works okay, except that the exposed PC becomes critical in order for me to access my servers whilst away from home. As it’s not hardened or UPS’d like the main ones, this has caused me pain in the past.
Restricting Root
By default it’s possible to log in through SSH as root. This is a fairly serious security issue, as one thing an attacker can be sure of is that a Linux host will have a root account. I prefer to log in with a user account and then sudo to root. This means an attacker has to break two accounts rather than one in order to get root privileges.
- Edit: /etc/ssh/sshd_config
- Set: PermitRootLogin no
Once sshd has been restarted, root can no longer log in through SSH.
More account restrictions
With the above configuration root cannot log in through SSH, but any other account can. This still isn’t ideal, as there are lots of standard accounts on a Linux box. I want to get to the point where an attacker has to guess the account before even starting on the password. The solution is to extend the default PAM authentication with the pam_access module. This is quite flexible and can be configured to allow only one account from outside the local domain whilst all those inside are unrestricted.
- Edit: /etc/pam.d/ssh
- Insert:
# Restrict which accounts can login
account required pam_access.so
- Edit: /etc/security/access.conf
- Insert: -:ALL EXCEPT sshacct@servername:ALL EXCEPT LOCAL .domain.org
The above line requires some explanation. The colons are separators between fields, and each field is described here:
-
Indicates this is a Deny rule. A plus would make it an Allow rule.
ALL EXCEPT sshacct@servername
Allow/Deny all logins except user@server where server is the local host.
ALL EXCEPT LOCAL .domain.org
Apply the rule for all logins except those from localhost and .domain.org
In summary, the format of the line is:
Allow/Deny:Accounts:Location
The first matching line will be applied and those not matching any lines will be allowed.
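As an added illustration (not part of the original post, and not pam_access itself), the following Python evaluates access.conf lines with the first-match semantics described above. The local host name "servername" and the test users and origins are constructed for the example; LOCAL is taken to match origins that contain no dot, as pam_access does, and group entries are not handled.

```python
LOCAL_HOSTNAME = "servername"   # assumed local host name, stands in for "servername"

# Constructed access.conf content: the rule from the post plus a comment line.
ACCESS_CONF = """
# Restrict which accounts can login via pam_access
-:ALL EXCEPT sshacct@servername:ALL EXCEPT LOCAL .domain.org
"""

def _user_token_match(token, user):
    if token == "ALL":
        return True
    if token.startswith("("):          # (group) entries are not handled in this demo
        return False
    if "@" in token:                   # user@host: the user name AND the local host name
        name, host = token.split("@", 1)
        return name == user and host.lower() == LOCAL_HOSTNAME.lower()
    return token == user

def _origin_token_match(token, origin):
    if token == "ALL":
        return True
    if token == "LOCAL":               # LOCAL matches any origin string without a '.'
        return "." not in origin
    if token.startswith("."):          # domain suffix such as .domain.org
        return origin.lower().endswith(token.lower())
    return token.lower() == origin.lower()

def _field_match(field, value, token_match):
    """A field matches when a token before EXCEPT matches and none after it does."""
    tokens = field.split()
    cut = tokens.index("EXCEPT") if "EXCEPT" in tokens else len(tokens)
    base, excepts = tokens[:cut], tokens[cut + 1:]
    if not any(token_match(t, value) for t in base):
        return False
    return not any(token_match(t, value) for t in excepts)

def is_login_allowed(user, origin, conf=ACCESS_CONF):
    """First matching Allow/Deny:Accounts:Location line decides; no match allows."""
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if _field_match(users, user, _user_token_match) and \
           _field_match(origins, origin, _origin_token_match):
            return perm == "+"
    return True

if __name__ == "__main__":
    for who, where in [("sshacct", "203.0.113.7"), ("root", "203.0.113.7"),
                       ("root", "desktop.domain.org"), ("alice", "localhost")]:
        print(who, "from", where, "->", "allowed" if is_login_allowed(who, where) else "denied")
```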