OpenSSH Server Installation and Configuration

Today’s plan is to install an OpenSSH server on a local Debian VM, generate public and private SSH keys for a general user and configure SSH server to use public key authentication with password authentication disabled.

Install OpenSSH Server

Installation is as simple as below.

# apt-get update && apt-get install openssh-server

Generate Public and Private SSH Keys

We’ll do everything with the user we want to generate the keys for (sandy in this case), and not with root.

Generate public and private keys:

$ ssh-keygen -b 2048 -t rsa -C "[email protected]" -f ~/my_key
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/sandy/my_key.
Your public key has been saved in /home/sandy/my_key.pub.
The key fingerprint is:
76:18:5f:94:10:d4:7f:64:b8:d3:76:e1:a7:af:c7:[email protected]
The key's randomart image is:
+--[ RSA 2048]----+
| .++.. . S o ++  |
+-----------------+

Create a directory we will use to store the public key:

$ mkdir ~/.ssh 
$ chmod 0700 ~/.ssh

Move the public key into the new directory:

$ mv ~/my_key.pub ~/.ssh/my_key

Rename the private key for the sake of convenience:

$ mv ~/my_key ~/my_key.pem

Change permissions to owner read-only for both public and private keys:

$ chmod 0400 ~/.ssh/my_key ~/my_key.pem

We need to copy the private key from the Debian server to our PC and keep it safe.

Configure OpenSSH Server

We need to open the OpenSSH configuration file for editing:

# vim /etc/ssh/sshd_config

Note that depending on the OS, some of the configuration options provided below may be set already.

Disable OpenSSH Banner

DebianBanner no

Change Default Port and Set Protocol to Version 2

Port 12 # (change to any unassigned privileged port)
ListenAddress 0.0.0.0 # (listen on IPv4 only)
Protocol 2 # (disable the protocol version 1 since it's been exposed)

Use Approved Ciphers

Limit the ciphers to those which are FIPS-approved and only use ciphers in counter (CTR) mode.

Ciphers aes128-ctr,aes192-ctr,aes256-ctr

Man sshd_config(5) for a list of the ciphers supported for the current release of the SSH daemon.

HostKeys for Protocol Version 2

HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key

Create Unprivileged Child Processes (Privilege of the Authenticated User)

UsePrivilegeSeparation yes

Set Server Key Parameters

KeyRegenerationInterval 3600
ServerKeyBits 2048 # (applies to the protocol version 1)

Enable Logging

SyslogFacility AUTH # (this goes to /var/log/auth.log)
LogLevel INFO # (info is fine for basic failed login attempts)

Disconnect if No Successful Login is Made in One Minute

LoginGraceTime 60

Timout SSH Connection After 10 Minutes of User Inactivity

ClientAliveInterval 600
ClientAliveCountMax 3

Disable root Login

PermitRootLogin no # (may be set to without-password if in use with a private key)

Check File Modes and Ownership of the User’s Files Before Login

StrictModes yes

Define Users and Groups Which Can Gain Access via SSH

# whitespaces separated users lists
AllowUsers sandy # (only sandy's account is allowed to login via SSH)
DenyUsers root
DenyGroups root

Do Not Look Up the Remote Host Name

UseDNS no

Disable Password Authentication and Disallow Empty Passwords

PasswordAuthentication no
PermitEmptyPasswords no

Enable Public Key Authentication

PubkeyAuthentication yes
AuthorizedKeyFile %h/.ssh/my_key

Disable Insecure Access via rhosts Files

SSH can emulate the behavior of the obsolete rsh command in allowing users to enable insecure access to their accounts via .rhosts files.

IgnoreRhosts yes

Disable Host-based Authentication

It is not recommended that hosts unilaterally trust one another.

HostBasedAuthentication no

Disable Unneeded Authentications Mechanisms for Security Purposes

RSAAuthentication no
RhostRSAAuthentication no
ChallengeResponseAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no

Do Not Allow Users to Set Environment Options

Prevent users from potentially bypassing some access restrictions.

PermitUserEnvironment no

Enable Compression After Successful Authentication

Compression delayed

Limit Number of Authentication Attempts and Max Sessions

MaxAuthTries 2 # (login attempts per connection)
MaxSessions 10

Disable X Forwarding

X11Forwarding no
X11DisplayOffset 15 # (just in case we need to change the above to "yes")

Print the Date and Time of the Last User Login

PrintLastLog yes

Disable Message of the Day – Not Needed

PrintMotd no

Send TCP Keepalive Messages to the Other Side

TCPKeepAlive yes

No Login for Interactive Login Sessions

UseLogin no

Show Banner (Some Scary Text Usually)

Banner /etc/issue.net

Allow Client to Pass Locale Environment Variables

AcceptEnv LANG LC_*

Implement the SFTP File Transfer Subsystem

Subsystem sftp /usr/lib/openssh/sftp-server

Disable Pluggable Authentication Module Interface

UsePAM no

Restart SSH Service

# service ssh restart

Configure Iptables

# iptables -A INPUT -p tcp --dport 12 -j ACCEPT

Connect to OpenSSH Server

$ ssh -24x -i /path/to/file/my_key.pem [email protected]_ip -p12

Check SSH Logs for Any Invalid Users (Break-in Attempts)

# cat /var/log/auth.log | grep "Invalid user" | cut -d " " -f 1-3,6-11 | uniq | sort
 Nov 11 19:31:33 Invalid user patrick from 10.131.14.38

OpenSSH Config Options to Copy

DebianBanner no
Port 12 
ListenAddress 0.0.0.0 
Protocol 2
Ciphers aes128-ctr,aes192-ctr,aes256-ctr

HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key

UsePrivilegeSeparation yes

KeyRegenerationInterval 3600
ServerKeyBits 2048 

SyslogFacility AUTH 
LogLevel INFO 

LoginGraceTime 60
ClientAliveInterval 600
ClientAliveCountMax 3
PermitRootLogin no 
StrictModes yes
AllowUsers sandy 
DenyUsers root
DenyGroups root

UseDNS no

PasswordAuthentication no
PermitEmptyPasswords no

PubkeyAuthentication yes
AuthorizedKeyFile %h/.ssh/my_key

IgnoreRhosts yes
RSAAuthentication no
RhostRSAAuthentication no
HostBasedAuthentication no
ChallengeResponseAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no

PermitUserEnvironment no
Compression delayed

MaxAuthTries 2 
MaxSessions 10

X11Forwarding no
X11DisplayOffset 15 
PrintLastLog yes
PrintMotd no
TCPKeepAlive yes
UseLogin no

Banner /etc/issue.net

AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

UsePAM no

Related Posts

Mount Remote Filesystem with SSHFS on Debian

Setup DenyHosts with Email Notifications on Debian Wheezy

Leave a Reply

Your email address will not be published. Required fields are marked *