Today’s plan is to install an OpenSSH server on a local Debian VM, generate public and private SSH keys for a general user and configure SSH server to use public key authentication with password authentication disabled.
Install OpenSSH Server
Installation is a single command:
# apt-get update && apt-get install openssh-server
Generate Public and Private SSH Keys
We’ll do everything with the user we want to generate the keys for (sandy in this case), and not with root.
Generate public and private keys:
$ ssh-keygen -b 2048 -t rsa -C "[email protected]" -f ~/my_key
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/sandy/my_key.
Your public key has been saved in /home/sandy/my_key.pub.
The key fingerprint is:
76:18:5f:94:10:d4:7f:64:b8:d3:76:e1:a7:af:c7:0d [email protected]
The key's randomart image is:
+--[ RSA 2048]----+
| .++.. . S o ++ |
+-----------------+
Create a directory we will use to store the public key:
$ mkdir ~/.ssh
$ chmod 0700 ~/.ssh
Move the public key into the new directory:
$ mv ~/my_key.pub ~/.ssh/my_key
Rename the private key for the sake of convenience:
$ mv ~/my_key ~/my_key.pem
Change permissions to owner read-only for both public and private keys:
$ chmod 0400 ~/.ssh/my_key ~/my_key.pem
We need to copy the private key from the Debian server to our PC and keep it safe.
Configure OpenSSH Server
We need to open the OpenSSH configuration file for editing:
# vim /etc/ssh/sshd_config
Note that depending on the OS, some of the configuration options provided below may be set already.
Disable OpenSSH Banner
DebianBanner no
Change Default Port and Set Protocol to Version 2
# change to any unassigned privileged port
Port 12
# listen on IPv4 only
ListenAddress 0.0.0.0
# disable protocol version 1, which has known weaknesses
Protocol 2
Use Approved Ciphers
Limit the ciphers to those which are FIPS-approved and only use ciphers in counter (CTR) mode.
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
See sshd_config(5) for the list of ciphers supported by the installed release of the SSH daemon.
HostKeys for Protocol Version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
Create Unprivileged Child Processes (Privilege of the Authenticated User)
UsePrivilegeSeparation yes
Set Server Key Parameters
KeyRegenerationInterval 3600
# applies to protocol version 1 only
ServerKeyBits 2048
Enable Logging
# messages go to /var/log/auth.log
SyslogFacility AUTH
# INFO is enough to record failed login attempts
LogLevel INFO
Disconnect if No Successful Login is Made in One Minute
LoginGraceTime 60
Timeout SSH Connection After 10 Minutes of User Inactivity
ClientAliveInterval 600
ClientAliveCountMax 3
Disable root Login
# may be set to without-password if root is used with a private key
PermitRootLogin no
Check File Modes and Ownership of the User’s Files Before Login
StrictModes yes
Define Users and Groups Which Can Gain Access via SSH
# whitespace-separated lists of users and groups
# only sandy's account is allowed to log in via SSH
AllowUsers sandy
DenyUsers root
DenyGroups root
Do Not Look Up the Remote Host Name
UseDNS no
Disable Password Authentication and Disallow Empty Passwords
PasswordAuthentication no
PermitEmptyPasswords no
Enable Public Key Authentication
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/my_key
Disable Insecure Access via rhosts Files
SSH can emulate the behaviour of the obsolete rsh command, allowing users to enable insecure access to their accounts via .rhosts files.
IgnoreRhosts yes
Disable Host-based Authentication
It is not recommended that hosts unilaterally trust one another.
HostBasedAuthentication no
Disable Unneeded Authentication Mechanisms for Security Purposes
RSAAuthentication no
RhostsRSAAuthentication no
ChallengeResponseAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no
Do Not Allow Users to Set Environment Options
Prevent users from potentially bypassing some access restrictions.
PermitUserEnvironment no
Enable Compression After Successful Authentication
Compression delayed
Limit Number of Authentication Attempts and Max Sessions
# login attempts per connection
MaxAuthTries 2
MaxSessions 10
Disable X Forwarding
X11Forwarding no
# kept in case X11Forwarding is later changed to "yes"
X11DisplayOffset 15
Print the Date and Time of the Last User Login
PrintLastLog yes
Disable Message of the Day – Not Needed
PrintMotd no
Send TCP Keepalive Messages to the Other Side
TCPKeepAlive yes
Do Not Use login(1) for Interactive Login Sessions
UseLogin no
Show Banner (Some Scary Text Usually)
Banner /etc/issue.net
Allow Client to Pass Locale Environment Variables
AcceptEnv LANG LC_*
Enable the SFTP File Transfer Subsystem
Subsystem sftp /usr/lib/openssh/sftp-server
Disable the Pluggable Authentication Module (PAM) Interface
UsePAM no
Restart SSH Service
# service ssh restart
Configure Iptables
# iptables -A INPUT -p tcp --dport 12 -j ACCEPT
Connect to OpenSSH Server
$ ssh -24x -i /path/to/file/my_key.pem sandy@server_ip -p12
Check SSH Logs for Any Invalid Users (Break-in Attempts)
# grep "Invalid user" /var/log/auth.log | cut -d " " -f 1-3,6-11 | sort | uniq
Nov 11 19:31:33 Invalid user patrick from 10.131.14.38
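The one-liner above lists every attempt; when the log is large it is more useful to know which source addresses are responsible and which account names they tried. The script below is an added example and not part of the original post: the function names and the sample auth.log lines are constructed (the addresses are documentation ranges), and it assumes the traditional syslog line layout shown on this page, where the message follows `sshd[pid]:`.

```shell
#!/bin/sh
# Added example (not from the original post): summarise "Invalid user"
# attempts from an auth.log by source address. Sample log lines below are
# constructed; only lines matching the exact "Invalid user" message count,
# so the "Failed password for invalid user" follow-up line is not double-counted.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Nov 11 19:31:33 debian sshd[2345]: Invalid user patrick from 10.131.14.38
Nov 11 19:31:40 debian sshd[2350]: Invalid user admin from 10.131.14.38
Nov 11 19:32:02 debian sshd[2361]: Failed password for invalid user admin from 10.131.14.38 port 51022 ssh2
Nov 11 19:35:17 debian sshd[2390]: Invalid user oracle from 192.0.2.77
Nov 11 19:40:01 debian sshd[2402]: Accepted publickey for sandy from 192.0.2.10 port 50112 ssh2
Nov 11 19:41:09 debian sshd[2410]: Invalid user test from 10.131.14.38
EOF

# invalid_user_sources LOG: print "count address" pairs, busiest source first.
# The address is taken as the token after "from", so the field positions do
# not depend on the hostname or the length of the timestamp.
invalid_user_sources() {
  awk '/sshd\[[0-9]+\]: Invalid user / {
         for (i = 1; i <= NF; i++) if ($i == "from") src[$(i + 1)]++
       }
       END { for (ip in src) print src[ip], ip }' "$1" | sort -rn
}

# usernames_from LOG ADDRESS: the distinct account names tried from ADDRESS,
# sorted and space-separated on one line.
usernames_from() {
  awk -v ip="$2" '/sshd\[[0-9]+\]: Invalid user / {
         user = ""; src = ""
         for (i = 1; i <= NF; i++) {
           if ($i == "user") user = $(i + 1)
           if ($i == "from") src = $(i + 1)
         }
         if (src == ip) print user
       }' "$1" | sort -u | awk '{ s = s (NR > 1 ? " " : "") $1 } END { print s }'
}

invalid_user_sources "$SAMPLE_LOG"            # 3 10.131.14.38 / 1 192.0.2.77
usernames_from "$SAMPLE_LOG" 10.131.14.38     # admin patrick test
```

On a real server run `invalid_user_sources /var/log/auth.log`; a single address with a long list of generic names (admin, oracle, test) is the usual signature of automated guessing, and because this guide disables password authentication such attempts fail before any credential is checked.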
OpenSSH Config Options to Copy
DebianBanner no
Port 12
ListenAddress 0.0.0.0
Protocol 2
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
UsePrivilegeSeparation yes
KeyRegenerationInterval 3600
ServerKeyBits 2048
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 60
ClientAliveInterval 600
ClientAliveCountMax 3
PermitRootLogin no
StrictModes yes
AllowUsers sandy
DenyUsers root
DenyGroups root
UseDNS no
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/my_key
IgnoreRhosts yes
RSAAuthentication no
RhostsRSAAuthentication no
HostBasedAuthentication no
ChallengeResponseAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no
PermitUserEnvironment no
Compression delayed
MaxAuthTries 2
MaxSessions 10
X11Forwarding no
X11DisplayOffset 15
PrintLastLog yes
PrintMotd no
TCPKeepAlive yes
UseLogin no
Banner /etc/issue.net
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM no