5 Basic SSH Security Tips


July 20th, 2011

SSH (Secure Shell) is designed with security in mind.  In the old days, people often used Telnet to connect to their servers, but that was back when servers were down the hall, not over the vast expanse of the uncharted Internet.  SSH adds a layer of encryption to the transmission, ensuring that you can connect to your dedicated server or virtual private server (VPS) without the risk of having your password intercepted.

Although SSH is more secure than most Internet protocols by default, you can still harden it further.  The following are five tips for SSH security bliss.

1. Restrict Root logins.  There is no reason, under normal circumstances, to allow direct root logins to your server.   The system administrator can become root once logged in (using su or sudo), but there is no reason to risk having your root account directly exposed to the Internet.  With root logins restricted, attackers will not easily gain access, even if they manage to find out the password.

2. Jail users in chroot directories. Linux and Unix servers have permissions in place to prevent a normal user from doing something crazy, like deleting all the files in /etc, but nothing prevents them from seeing those files.  Using chroot, you can restrict users to their own /home directories.

3. Install Brute Force Detection software.  Attackers use brute force techniques to find out your password and do naughty things with your server.  Good brute force detection software can neutralize attempts as soon as they start.

4. Require secure passwords and periodic rotations.  As the sysadmin, you can set password strength requirements and also require users to periodically change their passwords.

5. Set the Timeout Interval.  One very useful feature in the SSH configuration file is the ability to set a timeout interval so that users do not stay logged in, even when they forget to log out.  This keeps things tidy and prevents people from sneaking into always-logged-in user accounts.
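
One way to check tips 1, 2 and 5 against a server's configuration, as an added example that is not from the original article. It assumes the tips map to the OpenSSH sshd_config directives PermitRootLogin, ChrootDirectory and ClientAliveInterval; the sample configuration is constructed, and the function names are hypothetical.

```python
# Added example: audit sshd_config text for tips 1, 2 and 5 (constructed sample).
SAMPLE_CONFIG = """\
Port 22
permitrootlogin yes
PermitRootLogin no
ClientAliveInterval 0

Match Group sftponly
    ChrootDirectory /home/%u
"""

def parse_sshd_config(text):
    """Return (global_opts, match_blocks) with lower-cased keywords."""
    # sshd keeps the FIRST value read for a keyword; lines after a Match line
    # apply only to connections that satisfy that Match.
    global_opts, match_blocks = {}, []
    current = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            current = {}
            match_blocks.append((value, current))
        else:
            current.setdefault(keyword, value)  # first value wins
    return global_opts, match_blocks

def audit(text):
    """Return a list of findings; an empty list means all checks passed."""
    global_opts, match_blocks = parse_sshd_config(text)
    findings = []
    root = global_opts.get("permitrootlogin", "unset")
    if root != "no":
        findings.append(f"PermitRootLogin is {root}; set it to no (tip 1)")
    if global_opts.get("clientaliveinterval", "0") == "0":
        findings.append("ClientAliveInterval is 0 or unset (tip 5)")
    scopes = [global_opts] + [opts for _, opts in match_blocks]
    if all(s.get("chrootdirectory", "none") == "none" for s in scopes):
        findings.append("no ChrootDirectory set globally or in a Match block (tip 2)")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

The sample reports root login as still enabled because the earlier lower-case line takes precedence over the later "PermitRootLogin no". On a live server, `sshd -T` prints the effective configuration and can be fed to the same checks.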

