dinsdag 12 maart 2013

Secure SSH on Centos/RedHat 6

Anyone who uses Linux and needs to manage servers or workstations will use SSH.
In this article I will describe how I limit and secure SSH access to my RedHat/CentOS Linux servers.

First of all create a group of which members are allowed to login using SSH
groupadd lx-ssh-login

Now add a user to that group
usermod -a -G lx-ssh-login ravi

Check if the user is added to the group
id ravi

Now its time to alter the SSH configuration which is located in /etc/ssh/sshd_config

Change the following parameters

Port 4234 <---- Or any port in a high range wich is not used by other processes
ListenAddress <your IP>

Protocol 2

LogLevel INFO

PermitRootLogin no
MaxAuthTries 3

AllowGroups lx-ssh-login

PermitEmptyPasswords no
PasswordAuthentication yes

Restric access to SSH port, only allow specific ranges and enable logging of unauthorized IP's who tries to connect to the SSH port and also limit logging per connection.

iptables -A INPUT -p tcp -s --dport 4234 -j ACCEPT
#log all other tries to this port
iptables -A INPUT -p tcp --dport 4234 -m limit 5/m --limit-burst 7 -j LOG --log-prefix " # SSH UNAUTHORIZED #"

# DROP all other (Not needed f you already have a general DROP rule)
iptables -A INPUT -p tcp --dport 4234 -j DROP

It is also possible to change the /etc/sysconfig/iptables file. You could also allow or deny access on a per host base by editting /etc/hosts.allow or /etc/hosts.deny but that doesn't provides as much options as IPTABLES does.

Restart daemons
To apply above changes you should only restart the SSH daemon. If you edited IP tables configuration by changing the /etc/sysconfig/iptables file then you also need to restart the IPTABLES daemon.

sudo service sshd restart

sudo service iptables restart

This is a very basic way to secure SSH from unauthorized access.

I will describe SSH access with public keys in a next article.

1 opmerking: