Tuesday, April 20, 2010

Make use of SSH

Secure Shell or SSH is a network protocol that allows data to be exchanged over a secure channel between two computers. SSH is typically used to log into a remote machine and execute commands, but it also supports tunneling, forwarding arbitrary TCP ports; file transfer can be accomplished using the associated SFTP or SCP protocols.

Install

Here is how to install it (Debian):
apt-get install ssh

Client

The ssh client configuration is in /etc/ssh/ssh_config. It is recommended to set the 'Protocol' line so that only protocol 2 is used, since protocol 1 is considered insecure:
Protocol 2
I would recommend PuTTY Tray if you are connecting from Windows. You can also download sample registry sessions here.

Server

The SSH daemon configuration file can be found in /etc/ssh/sshd_config.
To disable SSH over IPv6 (listen on IPv4 only):
#AddressFamily any # default
AddressFamily inet # IPv4 only
#AddressFamily inet6 # IPv6 only
To allow access only for some users, add this line:
AllowUsers userA userB
However, consider managing this at the group level instead (add users to the group with adduser USER sshusers, and keep an existing session open while you test so a typo cannot lock you out):
AllowGroups sshusers
It is recommended to prohibit root login:
PermitRootLogin no
Configure sshd to drop clients that stop responding (interval in seconds):
# Sets a timeout interval in seconds after which if no data has
# been received from the client, sshd will send a message through
# the encrypted channel to request a response from the client.  The
# default is 0, indicating that these messages will not be sent to
# the client.
ClientAliveInterval 300

# Sets the number of client alive messages (see above) which may be sent
# without sshd receiving any messages back from the client.  If this
# threshold is reached while client alive messages are being sent, sshd
# will disconnect the client, terminating the session.
ClientAliveCountMax 3
Two caveats. First, the old trick of ClientAliveCountMax 0 (disconnect as soon as the first probe is due) stopped working in OpenSSH 8.2, where 0 now means "never disconnect", so use a positive count; with the values above a dead connection is dropped after about 15 minutes. Second, every live client answers these probes automatically, so this detects broken connections rather than idle users; for an idle-shell logout set TMOUT (for example TMOUT=900 in /etc/profile) instead.
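Since sshd takes the first value it reads for each keyword and treats everything after a Match line as conditional, a hardened line pasted at the end of a file that already contains a permissive one does nothing. The script below, an added example that is not part of the original post, audits an sshd_config for the settings recommended in this section while honouring those two parsing rules; the function names and the sample configs it is tested with are this example's own.

```shell
#!/bin/sh
# Added example: audit an sshd_config against the settings recommended above.
# Two sshd_config parsing rules matter here and are easy to get wrong by hand:
#   1. for each keyword sshd uses the FIRST value it reads, so a hardened line
#      appended after a permissive one is silently ignored;
#   2. everything after a "Match" line is conditional, not global.
# Function names below are this example's own, not part of OpenSSH.

# effective_value FILE KEYWORD: print the effective global value of KEYWORD
# (first match wins, comments skipped, scan stops at the first Match block);
# print nothing if it is not set.
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/ { next }               # comments and blank lines
        {
            sub(/^[[:space:]]+/, "")                # drop indentation
            sub(/[[:space:]]*=[[:space:]]*/, " ")   # accept "Keyword=value" too
            if (tolower($1) == "match") exit        # rest of file is conditional
            if (tolower($1) == key) { $1 = ""; sub(/^ /, ""); print; exit }
        }' "$1"
}

# expect FILE KEYWORD WANT: 0 if the effective value equals WANT (case-insensitive)
expect() {
    got=$(effective_value "$1" "$2" | tr 'A-Z' 'a-z')
    [ "$got" = "$3" ] && return 0
    echo "FAIL: $2 is '${got:-unset}', want '$3'" >&2
    return 1
}

# check_sshd_config FILE: report each problem, return the number of failures
check_sshd_config() {
    f=$1; bad=0
    expect "$f" Protocol 2             || bad=$((bad + 1))
    expect "$f" PermitRootLogin no     || bad=$((bad + 1))
    expect "$f" AddressFamily inet     || bad=$((bad + 1))
    # Either AllowUsers or AllowGroups must restrict who may log in at all.
    if [ -z "$(effective_value "$f" AllowUsers)$(effective_value "$f" AllowGroups)" ]; then
        echo "FAIL: neither AllowUsers nor AllowGroups is set" >&2
        bad=$((bad + 1))
    fi
    # Keepalives must be on; ClientAliveCountMax 0 means "never disconnect" on
    # OpenSSH 8.2+, so insist on a positive count rather than 0.
    iv=$(effective_value "$f" ClientAliveInterval)
    cm=$(effective_value "$f" ClientAliveCountMax)
    if [ "${iv:-0}" -le 0 ] || [ "${cm:-0}" -le 0 ]; then
        echo "FAIL: ClientAliveInterval/ClientAliveCountMax are '${iv:-unset}'/'${cm:-unset}', want both > 0" >&2
        bad=$((bad + 1))
    fi
    return "$bad"
}
```

Run it as check_sshd_config /etc/ssh/sshd_config after editing; a non-zero exit means at least one setting is missing or shadowed by an earlier line. On releases whose sshd_config starts with an Include directive, run the check against the included files as well, since they are read first. The parser is deliberately simple: it does not follow Include itself and does not evaluate Match conditions.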

Secure Server

To let other people ssh to your machine you need to adjust /etc/hosts.allow:
# let everyone connect to you
sshd: ALL
# OR restrict it to a single IP
sshd: 192.168.0.1
# OR restrict it to an IP range (network/netmask)
sshd: 10.0.0.0/255.255.255.0
# OR restrict it to a network prefix (note the trailing dot)
sshd: 192.168.1.
With the allowed rules in place, prohibit everyone else in /etc/hosts.deny (hosts.allow is consulted first, so the deny rule only catches clients no allow rule matched):
ALL: ALL: DENY
Note that these files only take effect if sshd is built with TCP wrappers; upstream OpenSSH removed that support in 6.7, so check with ldd "$(command -v sshd)" | grep libwrap and, if nothing is printed, restrict source addresses with the firewall (or Match Address blocks in sshd_config) instead.
Check the configuration with sshd -t, then restart the sshd daemon (Debian):
/etc/init.d/ssh restart
That's it. You can read more about ssh here. Best practices for securing ssh are here.
