Secure Shell (SSH) is defined as a network protocol to operate network services securely over an unsecured network. The standard TCP port for SSH is 22. The best application of SSH is to remotely login into computer systems by users.
This article will be explaining about the network securities which help the network administrator to secure the service of SSH on any server through multiple ways.
- Port Forwarding
- Disable Password-Based Login And Using PGP Key (Public Key)
- Disable Root Login and Limit SSH User’s Access
- Google Authenticator
- Time Scheduling
- Disable Empty Passwords
Before moving on, Let us first install an SSH server on our client machine using the following command.
|1||sudo apt-get install openssh-server|
Once the SSH services are configured and running, we can begin with our first security measure which is Port Forwarding. Upon initiating the scan on the client’s machine IP address using nmap, it shows that SSH is running on Port 22.
Navigate to /etc/ssh and we will find a file named sshd_config in the client’s machine.
Open the file sshd_config using nano command.
Now change the port 22 to port 2222 as shown in the below screenshot and save the changes made in the sshd_config file. Hence, in this way we have forwarded the port from 22 to 2222.
Now to confirm port forwarding, we will again scan the Client’s IP address using nmap
The output of the nmap shows that TCP port 2222 is opened; however, shows EthernetIP-1 in the service description which doesn’t give an exact description of the service running. So we will run the following nmap command with version detection option
|1||nmap -sV 192.168.1.104|
With the next output of nmap, it is clearly visible that SSH services are running on TCP Port 2222 along with the description of the OpenSSH version.
Secure With Public Key
To begin with this security measure we need to download and install PuTTY Key Generator.
Note: PuTTYgen is a key generator tool for creating SSH keys for PuTTY and stores keys in its own format ( .ppk extension)
Open it and Click on Generate.
Clicking on Generate will initiate the process of generating a Public and Private Key, as shown in the image.
Once Public and Private Key are generated, click on Save Private Key. This will save the key as a Public Key.
Now open the Ubuntu terminal of our server and type ssh-keygen.
The above command will create a folder named .ssh and then create an empty text file with the name authorized_keys in the same folder. After that copy the “ssh_login.ppk” file which was created using PuTTy Key Generator previously and paste it into the .ssh folder as shown in the image.
In the terminal, move into the .ssh folder and type the following command:
|1||puttygen -L “ssh_login.ppk”|
This command will open the key.
Now copy this key and paste it in the empty file named authorized_keys using nano command and save it.
Now open the putty configuration tab, then go to Session tab and give the IP Address & Port Number of your Clients Machine were ssh server is configured.
Now go to data and give Auto-login username.
Navigate to SSH>Auth and give the path of the ssh_login.ppk file (the public key that was generated earlier) and then click Open.
It will simply use the public key to Login into SSH Server without asking for Password.
Open the sshd_config file in /etc/ssh using gedit command. Here we will make changes in line #PasswordAuthentication as shown in the image.
Now we will edit parameter value yes to no and remove the # (hash) as shown in the below image. Once done save the changes made. These changes will disable any user to log into SSH Server using the password.
As you can see these settings have disabled password based login and is indeed asking for a Public Key to log in.
Disable Root Login and Limit SSH User’s Access
To begin with, this security measure you need to make some new User’s using adduser command (New User’s We have Created: h1,h2,h3,h4) then make changes in the sshd_config file in /etc/ssh using gedit command. Type the Following Lines under #Authentication:
#No root login allowed (h2 can log in as sudo –s)
## only allow 1 users h2 (sysadmin)
Remember to save the changes made. This will disable Root Login and will allow the only h2 user to log into ssh server remotely.
As you can see the only h2 user is able to successfully log into SSH Server, where h1 and h3 users permission to log into SSH Server is denied.
To begin with the two-factor authentication over SSH Server, you need to download the google authenticator application on your phone and also install the required dependency package for Ubuntu using the following command:
|1||sudo apt-get install libpam-google-authenticator|
NOTE-The installation of google authenticator will as ask a couple of questions give Yes for every question asked.
After the installation is completed. Open terminal and type command:
We will see a barcode. Scan it using the google authenticator application on your phone.
Once the application has scanned the barcode, it will start generating One Time Password’s as shown in the image.
Now open sshd file in /etc/pam.d using gedit command and make the following changes:
- Add # to @include common-auth
- Add Line (auth required pam_google_authenticator.so) under @include common-password
As shown in the image.
Now open the sshd_config file in /etc/ssh using gedit command and make the following changes.
When we log into SSH Server it will prompt for a verification code, Here we have to enter the One Time Password generated on our google authenticator application. As you can see we have successfully logged into SSH Server using One Time Password.
In this security measure, we are going to set the time limit on SSH service on the server.
Cron is a built-in service of Linux to schedule task, which enables a job (command or script) on the server to run automatically over specified time and date.
Here we are going to schedule SSH services using crontab
We had open crontab in /etc using nano command. Now lets schedule ssh service in a way that it will start for every 2nd minute and will get stop after every 4th minute. The command used to schedule the SSH Service are given below:
|12||*/2 * * * * root service ssh start*/4 * * * * root service ssh stop|
Save the changes made in the file.
Wait for service to reboot. Using nmap we have scan port 22.
|1||nmap -p 22 192.168.1.104|
After running the scan, we will observe that ssh service on port 22 is CLOSED because it is the 4th minute which has started.
Now if our command is working properly it should start itself on every 2nd minute, to confirm it we will again initiate a scan using nmap.
|1||nmap –p 22 192.168.1.104|
As we can see that the port is in the OPEN state now.
Disable Empty Password
In this security measure, as a best practice; one should always disable empty password login to the SSH Server. To enable this setting we need to open the sshd_config file using gedit command and make the following changes:
These changes will simply disable empty password login’s into SSH Server.