Below are security recommendations for hardening SSH on servers hosted in the public cloud.
1) Do not enable root user login for SSH client access.
PermitRootLogin no
Most malware infections start with an attempt to brute-force the root user's SSH login credentials. If successful, the attacker gains access to the compromised machine and then installs the Trojan, usually via a shell script.
2) Do not enable password authentication.
PasswordAuthentication no
There is a high chance of cracking even a strong password with a brute-force attack.
3) Trust SSH key-pair authentication.
RSAAuthentication yes
PubkeyAuthentication yes
Using SSH keys for authentication virtually eliminates the risk posed by brute-force password attacks and makes it nearly impossible for anyone to crack the key pair.
Caution: the NSA would already have its own algorithm to hack any kind of SSH key 🙂
4) Don’t forget Fail2ban
apt-get install fail2ban
Fail2ban scans log files and bans IPs that show malicious signs, such as too many password failures.
5) Strong Passwords
be?a#espa!UWEtH2 <-- Sample 16-character password.
Use the link below to generate strong passwords: https://identitysafe.norton.com/password-generator
Caution: don't forget to memorise it 🙂, or save it on your local system.
6) Different port number (optional)
Port 22
You may consider running the ssh service on a port other than 22, but make sure no other service's port conflicts with the one you choose for ssh.
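As an added example (not part of the original post), here is a POSIX shell audit that reads an sshd_config and reports whether recommendations 1 to 3 are actually in effect, resolving each keyword the way sshd does: the first occurrence wins and anything after a Match block is conditional. The sample config is constructed and the function names are my own.

```sh
#!/bin/sh
# Constructed sample sshd_config excerpt (not from a real server); two settings
# deliberately contradict the recommendations so the audit has something to flag.
SAMPLE_CONFIG='# constructed sample
Port 22
PermitRootLogin yes
PasswordAuthentication no
PubkeyAuthentication yes
RSAAuthentication yes
Match User backup
    PasswordAuthentication yes
'
# write_sample: write the constructed config to a temp file and print its path.
write_sample() {
  ws_file=$(mktemp)
  printf '%s\n' "$SAMPLE_CONFIG" > "$ws_file"
  echo "$ws_file"
}
# effective_value FILE KEY: print the global value of KEY as sshd resolves it.
# Keywords are case-insensitive, the FIRST occurrence wins, and the global section
# ends at the first Match block. Assumes the "Keyword value" form (no "Keyword=value").
effective_value() {
  awk -v key="$2" '
    /^[[:space:]]*(#|$)/        { next }   # skip comments and blank lines
    tolower($1) == "match"      { exit }   # settings below here are conditional
    tolower($1) == tolower(key) { print $2; exit }
  ' "$1"
}
# check_setting FILE KEY EXPECTED: print PASS/FAIL for one keyword; return 1 on FAIL.
# An unset keyword is a FAIL: hardening should be explicit, not left to sshd defaults.
check_setting() {
  cs_actual=$(effective_value "$1" "$2")
  if [ "$cs_actual" = "$3" ]; then
    echo "PASS $2 $cs_actual"; return 0
  fi
  echo "FAIL $2 ${cs_actual:-<unset>} (want $3)"; return 1
}
# audit FILE: run the checks for recommendations 1-3 and return the failure count.
audit() {
  au_fails=0
  check_setting "$1" PermitRootLogin no        || au_fails=$((au_fails + 1))
  check_setting "$1" PasswordAuthentication no || au_fails=$((au_fails + 1))
  check_setting "$1" PubkeyAuthentication yes  || au_fails=$((au_fails + 1))
  # RSAAuthentication is an SSH protocol 1 keyword; OpenSSH 7.4 and later ignore it.
  [ -n "$(effective_value "$1" RSAAuthentication)" ] && echo "NOTE RSAAuthentication is obsolete; PubkeyAuthentication is the setting that matters"
  return "$au_fails"
}
demo=$(write_sample); audit "$demo"; rm -f "$demo"
```

Run it against a real file with `audit /etc/ssh/sshd_config`; a non-zero exit status is the number of recommendations not in effect.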
_______________
Thanks & Regards,
Vinoth Kumar Selvaraj