More ways to secure SSH access

Posted by / Jan 20, 2016 / Categories: Security

Note: this is based on Ubuntu 14.04 LTS; other distributions provide similar support, but with different package names and file locations.

You’ve secured your VPS access with SSH and you’ve enabled public keys for all your accounts. What else can you do to deter intruders?

Changing your SSH server’s listening port

Some people recommend moving your SSH server to listen on a different port number to deter casual or automated attacks. Take a look in /etc/services and choose an unused number, 24 for instance.

Now, edit your SSHd config file (/etc/ssh/sshd_config on Ubuntu), and change the line that specifies the port to listen on:

 # What ports, IPs and protocols we listen for
 Port 22

Change 22 to your new selection and save the file. Don’t forget to restart the SSH server:

 sudo service ssh restart

This won’t add much to your overall security as any determined attack will find your SSH server in no time with a port scan. You’ll also probably curse yourself more than once because you forget to specify the port and can’t think why you can’t connect, or you forget to open the firewall and lock yourself out entirely until you resort to console access.

Restricted access

Do you really need to be able to access your VPS from _everywhere_? Do all of your user accounts need SSH access? Chances are you could restrict these and reduce your risk a little with some changes in the SSHd configuration file (/etc/ssh/sshd_config):

 # Restrict access to root from known IPs and sshusers group only
 AllowUsers root@192.168.1.17 root@192.168.111.191
 AllowGroups sshusers

I allow root access from home and work (IP addresses have been changed to protect the innocent) to run rsync backups of my VPS, but members of the sshusers group can connect from anywhere. If you didn’t need that you could just add the IP address to restrict the locations for everyone:

 AllowUsers *@192.168.1.17 *@192.168.111.191
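sshd evaluates these directives in the order DenyUsers, AllowUsers, DenyGroups, AllowGroups, and every directive that is present must be satisfied, so it is worth checking which logins a given pair of lines actually admits before you restart the server. The Python below is an added illustration, not part of this post or of OpenSSH: it models that evaluation for AllowUsers and AllowGroups only (DenyUsers and DenyGroups are left out) over the lines shown above, and assumes the client's hostname equals its address, as it does when UseDNS is off.

```python
import fnmatch
import ipaddress

# Constructed sample: the two directives from the section above, exactly as written there.
SAMPLE_CONFIG = """
AllowUsers root@192.168.1.17 root@192.168.111.191
AllowGroups sshusers
"""


def parse_allow_directives(text):
    """Collect AllowUsers / AllowGroups patterns from sshd_config-style text."""
    rules = {"AllowUsers": [], "AllowGroups": []}
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] in rules:
            rules[parts[0]].extend(parts[1:])
    return rules


def host_matches(pattern, hostname, addr):
    """Host half of a user@host pattern: a CIDR block, or a wildcard tried against name and address."""
    if "/" in pattern:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    return fnmatch.fnmatchcase(hostname, pattern) or fnmatch.fnmatchcase(addr, pattern)


def user_matches(pattern, user, hostname, addr):
    """A pattern without '@' matches on user name alone; with '@' both halves must match."""
    user_pat, _, host_pat = pattern.partition("@")
    if not fnmatch.fnmatchcase(user, user_pat):
        return False
    return host_pat == "" or host_matches(host_pat, hostname, addr)


def login_allowed(rules, user, groups, addr, hostname=None):
    """Simplified model of sshd's check: AllowUsers first, then AllowGroups; each present directive must pass."""
    hostname = hostname or addr  # assumption: no reverse lookup, as with UseDNS off
    if rules["AllowUsers"] and not any(user_matches(p, user, hostname, addr) for p in rules["AllowUsers"]):
        return False
    if rules["AllowGroups"] and not any(fnmatch.fnmatchcase(g, p) for g in groups for p in rules["AllowGroups"]):
        return False
    return True


if __name__ == "__main__":
    rules = parse_allow_directives(SAMPLE_CONFIG)
    # Constructed logins: root (a member of sshusers) from home, root elsewhere, and an sshusers member elsewhere.
    for user, groups, addr in [("root", ["root", "sshusers"], "192.168.1.17"),
                               ("root", ["root", "sshusers"], "203.0.113.5"),
                               ("alice", ["alice", "sshusers"], "203.0.113.5")]:
        print(user, "from", addr, "->", "allowed" if login_allowed(rules, user, groups, addr) else "denied")
```

Under this model the third login is denied even though alice is in sshusers, because AllowUsers is set and she matches none of its patterns; root from a listed address must also belong to sshusers to pass AllowGroups.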


2FA – Two Factor Authentication

If you really do need access from (potentially) anywhere, then why not add another factor to your authentication? You might already have an app like Google Authenticator or Authy on your mobile phone, but did you know that you can easily use it with your SSH server?

There are three main steps: install the software to generate and check the keys, set up your authentication key, and configure PAM and SSH on your VPS.

Installing the software

This should be as simple as installing a package on your system:

 sudo apt-get install libpam-google-authenticator

If the Google Authenticator package is available in your distribution, you’re on your way.

Set up your key

The next step is to create a key for your user on your VPS and link that to the app on your phone (or other device). The previous step will have installed the google-authenticator command, which you run to create a key for your user (you’ll need to do this for each user account that you want to be able to log in).

Make sure that you answer ‘y’ to updating your .google_authenticator file, at least. It’s safe to answer ‘y’ to all of the questions it asks (though you might not want single-use tokens, rate limiting or a 4 minute validity window, depending on your own preference and setup).

You’ll get a QR code that you can scan with your app, and some codes like this:

 Your new secret key is: VNAA73ZT2INXNNX7

 Your verification code is 898899
 Your emergency scratch codes are:
   57861391
   29123972
   12879039
   35728133
   39111523

If you’re using the Google Authenticator app, you can now select ‘Set up account’ from the menu and either scan the QR code or enter the key by hand.

Your app should now give you a 6-digit code every 30 seconds or so that you can use when you log in to your VPS using SSH.

Keep the emergency scratch codes in a safe place (not your phone); they’ll come in handy if you ever drop your phone in a river and lose access to your app.

Configuring PAM and SSH

This is the final step. First add the requirement for the authentication key to PAM’s SSH configuration in /etc/pam.d/sshd.

Locate the following lines:

 # Standard Un*x session setup and teardown.
 @include common-session

and add this after them:

 auth       required     pam_google_authenticator.so

Now update your SSHd configuration in /etc/ssh/sshd_config. Find the line containing ChallengeResponseAuthentication; make sure there’s no # symbol at the start of it and set the value to ‘yes’. If you can’t find that line, just add the whole line to the file:

 ChallengeResponseAuthentication yes

Make sure that you also have the following line in there somewhere:

 UsePAM yes

You can also explicitly set the required authentication methods; for example, to require a public key to be provided and a password to be entered for login:

 AuthenticationMethods publickey,keyboard-interactive

When you’re done, restart the SSH server:

 sudo service ssh restart

Now try logging in: you should be asked for your password and then for the verification code. Enter the verification code from your app and you should be logged in.

It’s a good idea not to log out of your initial session before making sure that your changes work.
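To see what the app and pam_google_authenticator are agreeing on, here is the arithmetic behind the 6-digit, 30-second codes (RFC 6238 TOTP over HMAC-SHA1) together with a server-side check that models two of the options the google-authenticator command asks about: a time-skew window and single-use codes. This is an added illustration written for this post, not code from the post or from the google-authenticator project; it uses the sample secret key printed above, and the window default of one step either side is assumed to match the tool's default.

```python
import base64
import hashlib
import hmac
import struct
import time


def totp_code(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1: the time counter is HMAC'd with the shared key,
    four bytes are picked by dynamic truncation, and the low `digits` decimal digits are kept."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = int(unix_time) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


class TotpVerifier:
    """Server-side check: accept a code for the current step or up to `window` steps either
    side (clock skew), and never accept the same time step twice (single-use codes)."""

    def __init__(self, secret_b32, window=1, step=30):
        self.secret, self.window, self.step = secret_b32, window, step
        self.used_counters = set()

    def verify(self, code, unix_time):
        base = int(unix_time) // self.step
        for counter in range(base - self.window, base + self.window + 1):
            if counter in self.used_counters:
                continue  # replayed code for an already-consumed step
            expected = totp_code(self.secret, counter * self.step, self.step)
            if hmac.compare_digest(expected, code):
                self.used_counters.add(counter)
                return True
        return False


# The sample secret key shown earlier in this post (a real deployment keeps this in ~/.google_authenticator).
SAMPLE_SECRET = "VNAA73ZT2INXNNX7"

if __name__ == "__main__":
    now = time.time()
    code = totp_code(SAMPLE_SECRET, now)
    verifier = TotpVerifier(SAMPLE_SECRET)
    print("code right now:", code)
    print("first use accepted:", verifier.verify(code, now))
    print("replay accepted:", verifier.verify(code, now))
```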

About the author
This is a customer contributed article from Matthew. Matthew is a father of two, a free software enthusiast and developer, an occasional systems administrator, and a writer, in roughly that order. He lives and works in Wellington, New Zealand.