Monday, 29 July 2013

CentOS 6/RHEL: harden the OpenSSH shell environment

The secure shell (SSH) is the basic toolkit that provides remote access to your server to perform maintenance, upgrades, install packages, transfer files, or facilitate whatever action you need to carry out as the administrator in a secure environment.

With a few rudimentary configuration changes you can deny root access, add a welcome banner, and protect your server from unwanted guests. Here we use the OpenSSH version.

Once OpenSSH is installed, log in as root and first back up the config file.

# cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

Open up the sshd configuration file for editing

# sudo vi /etc/ssh/sshd_config

First adjust the time allowed to complete a login. Scroll down to the line

#LoginGraceTime 2m

Change the line to

LoginGraceTime 60

A few lines further down, find the line that reads

#PermitRootLogin yes

Change it to

PermitRootLogin no

Next find the following two lines

#X11Forwarding no
X11Forwarding yes

And change them to

X11Forwarding no
#X11Forwarding yes

Uncomment the following lines

PrintMotd yes
PrintLastLog yes

Now save and close sshd_config, then open the following file to create the welcome banner.

# vi /etc/motd

Add the banner text to the file. An example could be

This computer system is for authorized users only. All activity
is logged and regularly checked. Individuals using this system
without authority or in excess of their authority are subject to
having all their services revoked...

Save and close the file and restart the sshd daemon

# service sshd restart

Open a new ssh session to make sure everything is running fine before closing the first session. Keeping the first session open means you can still revert the change if the new login fails. Close it with

# exit

You should now find that root access to the shell is denied and you must log in using a standard user account. The next session should open up with the new login banner.

Keep sessions alive

You can set the idle timeout on the server by making adjustments in the config file.

# vi /etc/ssh/sshd_config

Scroll down and find the lines

ClientAliveInterval 60
ClientAliveCountMax 5

The first line instructs the server to wait 60 seconds after the last input before it sends a packet which requires a response.

The second line sets to 5 the number of consecutive intervals with no response before the server assumes the connection has been dropped.

Set these to your preferred values.

Now find and uncomment the following line

TCPKeepAlive yes

This tells the SSH server to send TCP keepalive packets to discover whether the connection is still valid. Consequently, even if your session times out, the dead connection is terminated rather than left hanging as a zombie.

Finally restart the server for the settings to take effect

$ sudo service sshd restart
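As an added example (my own script, not part of the post), the eight settings above applied to an sshd_config file in one idempotent pass, with a reader that returns the value sshd will actually use. The helper names set_sshd_directive, sshd_effective_value, harden_sshd_config and demo_harden are my own, and the sample config in demo_harden is a constructed stand-in for the CentOS 6 default lines.

```shell
# Comment out every existing line for KEY (active or already commented) and
# append "KEY VALUE", so exactly one active setting remains and old values
# survive as comments. Assumes no active "Match" block at the end of the file,
# since the appended line would otherwise land inside it.
set_sshd_directive() {
    file=$1; key=$2; value=$3
    sed -E "s/^[[:space:]]*#?[[:space:]]*(${key})([[:space:]].*)?$/#\1\2/" "$file" \
        > "$file.tmp" && mv "$file.tmp" "$file"
    printf '%s %s\n' "$key" "$value" >> "$file"
}

# sshd honours the first active occurrence of a keyword; keywords are
# case-insensitive, so compare them lower-cased.
sshd_effective_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# The eight settings this post makes, applied in one go after a one-time backup.
harden_sshd_config() {
    cfg=${1:-/etc/ssh/sshd_config}
    [ -f "$cfg.bak" ] || cp "$cfg" "$cfg.bak"
    set_sshd_directive "$cfg" LoginGraceTime 60
    set_sshd_directive "$cfg" PermitRootLogin no
    set_sshd_directive "$cfg" X11Forwarding no
    set_sshd_directive "$cfg" PrintMotd yes
    set_sshd_directive "$cfg" PrintLastLog yes
    set_sshd_directive "$cfg" ClientAliveInterval 60
    set_sshd_directive "$cfg" ClientAliveCountMax 5
    set_sshd_directive "$cfg" TCPKeepAlive yes
}

# Offline demo: a constructed stand-in for the CentOS 6 default lines the post
# walks through, hardened in a temp file whose path is printed.
demo_harden() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
#LoginGraceTime 2m
#PermitRootLogin yes
#X11Forwarding no
X11Forwarding yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
Subsystem sftp /usr/libexec/openssh/sftp-server
EOF
    harden_sshd_config "$tmp"
    echo "$tmp"
}
```

On a real host run harden_sshd_config /etc/ssh/sshd_config as root, then check the result with sshd -t before service sshd restart, keeping the current session open until a fresh login works.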
