
Best ways to secure your SSH server



A stylized SSH prompt in a terminal window on a laptop (Eny Setiyowati / Shutterstock.com)

Securing the SSH connection of your Linux system protects both your system and your data. System administrators and home users alike need to harden computers that are connected to the Internet. SSH, however, can be complicated. Here are ten simple quick wins to protect your SSH server.

SSH Security Basics

SSH stands for Secure Shell. The name "SSH" is used synonymously to denote either the SSH protocol itself or the software tools that system administrators and users can use to establish secure connections to remote computers using this protocol.

The SSH protocol is an encrypted protocol designed to provide a secure connection over an insecure network such as the Internet. SSH on Linux is built on a portable version of the OpenSSH project. It is implemented in the classic client-server model, with an SSH server accepting connections from SSH clients. The client is used to connect to the server and to display the session to the remote user. The server accepts the connection and executes the session.

In its default configuration, an SSH server listens on Transmission Control Protocol (TCP) port 22 for incoming connections. Because that port is so well known, it is a standing target for threat actors and malicious bots.

Threat actors launch bots that scan ranges of IP addresses for open ports. Any open ports are then probed for vulnerabilities that can be exploited. Thinking "surely there are bigger and better targets than me for the bad guys" is flawed reasoning. Bots do not choose targets on merit. They systematically look for any system they can break into.

If you have not secured your system, you have nominated yourself as a victim.

Friction

Friction is the resistance that users, and others, experience when security measures are introduced. We have long memories and can recall introducing new users to a computer system and being asked, in horror, whether they really had to enter a password every time they logged in to the mainframe. To them, that was friction.

(Incidentally, the invention of the password goes back to Fernando J. Corbató, another figure in the Pantheon of Computer Scientists, whose collaborative work contributed to the circumstances that led to the birth of Unix.)

Introducing security measures usually means friction for someone. Businesses have to pay for it. Computer users may have to change familiar habits, remember additional authentication details, or perform extra steps to make a successful connection. System administrators have additional work to implement and maintain the new measures.

Hardening and locking down a Linux or Unix-like operating system can become very involved and time-consuming. What we present here is a set of easy-to-implement steps that improve the security of your computer without needing third-party applications and without delving into your firewall.

These steps are not the last word in SSH security, but they move you a long way from the default settings without too much friction.

Use the SSH Protocol Version 2

In 2006, the SSH protocol was upgraded from version 1 to version 2, which was a significant upgrade. So much changed, particularly in encryption and security, that version 2 is not backward compatible with version 1. To refuse connections from version 1 clients, you can configure your server to accept only version 2 clients. One caveat: OpenSSH 7.4 and later removed protocol 1 from the server altogether, so on a current installation the directive below is ignored (at most it produces a deprecation notice); it does no harm, and it still matters on older servers. Edit the file /etc/ssh/sshd_config. We will do this frequently in this article. Whenever you need to edit this file, this is the command to use:

  sudo gedit /etc/ssh/sshd_config 


Add the line:

  Protocol 2 


and save the file. Then we restart the SSH daemon so that it picks up the change; we will do this a lot in this article, too. Before each restart it is worth running sudo sshd -t, which checks the configuration file for syntax errors and prints nothing if all is well. A typo in sshd_config can otherwise leave sshd unable to start and lock you out of a remote machine. This is the command to restart the daemon:

  sudo systemctl restart sshd 


Let's see if our new setting is in effect. We will switch to another computer and try to SSH into our test machine, using the -1 (protocol 1) option to force the ssh command to use protocol version 1. (OpenSSH clients from version 7.6 onward have no protocol 1 support at all and refuse the -1 option outright, which proves the same point from the other side.)

  ssh -1 dave@howtogeek.local 


Great, our connection request is refused. Let's make sure we can still connect with protocol 2. We use the -2 (protocol 2) option to prove the point.

  ssh -2 dave@howtogeek.local 


The fact that the SSH server is asking for our password is a positive indication that the connection was made and that we are interacting with the server. Because modern SSH clients use protocol 2 by default, we do not need to specify it as long as our client is up to date.

  ssh dave@howtogeek.local 


And our connection is accepted. Only the weaker, less secure protocol 1 connections are rejected.

Avoid port 22

Port 22 is the default port for SSH connections. Using a different port adds a little to the security of your system. Security through obscurity is never regarded as a genuine security measure, and I have argued against it in other articles. In fact, some of the smarter attack bots probe every open port and fingerprint the service behind it rather than relying on a simple list of port numbers and assuming they carry the usual services. Still, using a non-standard port does cut down the noise and junk traffic aimed at port 22.

To configure a non-default port, edit your SSH configuration file:

  sudo gedit /etc/ssh/sshd_config 

Remove the hash at the beginning of the "Port" line and replace "22" with the port number of your choice. Two things can silently defeat this change: if a host firewall such as ufw or firewalld is active, it has to allow the new port, and on SELinux systems such as Fedora the new port has to be labelled for sshd (semanage port -a -t ssh_port_t -p tcp followed by the port number), or sshd will not be allowed to bind to it. Save your configuration file and restart the SSH daemon:

  sudo systemctl restart sshd 

Let us see what effect this had. On our other computer we use the command ssh to connect to our server. The command ssh uses port 22 by default:

  ssh dave@howtogeek.local 


Our connection is refused. Let's try again, specifying port 479 with the -p (port) option:

  ssh -p 479 dave@howtogeek.local 


Our connection is accepted. To avoid typing -p every time, you can add a Host entry with a Port line to ~/.ssh/config on the client.

TCP wrapper filter connections

TCP wrappers are an easy-to-understand access control list (ACL). They let you allow or deny connections based on characteristics of the connection request, such as the IP address or host name. TCP wrappers should be used in conjunction with, not instead of, a properly configured firewall. In our particular scenario we can tighten things up considerably by using them.

TCP wrappers were already installed on the Ubuntu 18.04 LTS computer this article was researched on. They had to be installed on Manjaro 18.10 and Fedora 30. One caveat before you rely on them: hosts.allow and hosts.deny only affect sshd if it was built with libwrap support. Upstream OpenSSH removed tcp_wrappers support in version 6.7; Debian and Ubuntu carry a patch that restores it, but other distributions' sshd builds may ignore these files entirely. Run ldd on the sshd binary and look for libwrap in the output. If it is absent, an AllowUsers directive with user@host patterns in sshd_config, or a firewall rule, is the portable alternative.

Use the following command to install on Fedora:

  sudo yum install tcp_wrappers 

Use the following command to install on Manjaro, if your distribution's repositories still package it:

  sudo pacman -Syu tcp_wrappers 


There are two files involved. One holds the allow list and the other the deny list. Edit the deny list with:

  sudo gedit /etc/hosts.deny 

This opens the gedit editor with the deny file loaded.


You must add the following line:

  ALL: ALL 

and save the file. This blocks every connection that is not explicitly allowed. Note that ALL: ALL applies to every service that consults TCP wrappers, not only sshd; write sshd: ALL instead if you only want to restrict SSH. Now we need to authorize the connections we do want to accept, by editing the allow file:

  sudo gedit /etc/hosts.allow 

This opens the gedit editor with the allow file loaded.


We added a line naming the SSH daemon, sshd, followed by a colon and the IP address of the computer that is allowed to connect (192.168.4.23 in our case). Save the file and let's see whether the restrictions and permissions are in effect.

First, we try to connect from a computer that is not listed in hosts.allow:

The connection is rejected. Now we try to connect from the computer with the IP address 192.168.4.23:

Our connection is accepted.

Our example here is a bit blunt: only a single computer can connect. TCP wrappers are considerably more versatile than that. They support host names, wildcards and subnet masks, so you can accept connections from whole IP address ranges, and the allow file is consulted before the deny file, so an entry in hosts.allow always wins. The hosts_access(5) man page is worth reading.
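To show the more flexible form of the allow list described above, here is a small shell script that is an added example and not part of the original article. It writes a hosts.deny that blocks sshd from everywhere and a hosts.allow that admits a management host plus a whole subnet, counts the admitted client patterns, and checks whether the installed sshd was linked against libwrap at all. The addresses, the sshd-only deny rule and the output directory are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): build a hosts.deny /
# hosts.allow pair for sshd and check whether sshd honours them.

# write_hosts_access DIR ALLOWED_SPEC
#   DIR          directory that receives hosts.allow and hosts.deny
#                (use /etc on a live system)
#   ALLOWED_SPEC client list in hosts_access(5) syntax, for example
#                "192.168.4.23, 192.168.4.0/255.255.255.0"
#                (assumed addresses, chosen for illustration)
write_hosts_access() {
    dir=$1
    allowed=$2
    # Deny list: restrict only sshd. The article's "ALL: ALL" would
    # also block every other libwrap-aware service on the host.
    printf 'sshd: ALL\n' > "$dir/hosts.deny"
    # The allow list is consulted first, so these entries win.
    printf 'sshd: %s\n' "$allowed" > "$dir/hosts.allow"
}

# count_allowed_clients FILE: number of client patterns granted to sshd
# in FILE (comma-separated list after "sshd:").
count_allowed_clients() {
    sed -n 's/^sshd:[[:space:]]*//p' "$1" | tr ',' '\n' | grep -c .
}

# sshd_has_libwrap: return 0 if the installed sshd links against libwrap,
# 1 if it does not or no sshd binary can be found. Upstream OpenSSH
# dropped tcp_wrappers support in 6.7; Debian/Ubuntu patch it back in,
# other distributions may not, in which case hosts.allow is ignored.
sshd_has_libwrap() {
    bin=$(command -v sshd 2>/dev/null || ls /usr/sbin/sshd 2>/dev/null) || return 1
    ldd "$bin" 2>/dev/null | grep -q libwrap
}

# Usage on a live system (run as root):
#   write_hosts_access /etc "192.168.4.23, 192.168.4.0/255.255.255.0"
#   sshd_has_libwrap || echo "sshd ignores hosts.allow here; use a firewall rule"
```

Keep a session open while you change these files: with the deny rule in place, a typo in hosts.allow refuses every new SSH connection, including yours.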

Reject connection requests without a password

Although it is not good practice, a Linux system administrator can create a user account with no password. Remote connection requests for such an account have no password to match, so if the server permitted them, they would be accepted without any real authentication.

The setting that controls this is PermitEmptyPasswords. Its compiled-in default is already "no", but in the shipped configuration file the line is commented out, so it pays to make the setting explicit: that way every connection is guaranteed to be authenticated, and nobody can loosen the rule later without the change being visible in the file.

We need to edit your SSH configuration file:

  sudo gedit /etc/ssh/sshd_config 


Scroll down the file until you see the line "#PermitEmptyPasswords no". Remove the hash # from the beginning of the line and save the file. Restart the SSH daemon:

  sudo systemctl restart sshd 

Use SSH keys instead of passwords

SSH keys provide a secure way to log in to an SSH server. Passwords can be guessed, cracked or brute-forced. SSH keys are not open to such attacks.

When you generate SSH keys, you create a key pair. One is the public key and the other is the private key. The public key is installed on the servers to which you want to connect. The private key is, as the name suggests, stored securely on your own computer.

SSH keys allow you to make connections without a password that are, counter-intuitively, more secure than password-authenticated connections.

When you make a connection request, your client tells the server which public key it wants to use, and the server checks whether that key is listed in your account's authorized_keys file. If it is, the client signs a message with your private key. The message includes the session identifier, a value both sides derived during the key exchange that is unique to this connection, together with your user name and the public key itself.

The server verifies the signature with its copy of your public key. Because only the holder of the private key can produce that signature, and because the session identifier ties it to this particular connection, a valid signature proves that the connection is yours, and a signature captured from one session cannot be replayed on another.

This is a connection to the server at 192.168.4.11 by a user with SSH keys. Note that they are not prompted for a password.

  ssh dave@192.168.4.11 


SSH keys deserve an article in their own right, and we have one ready for you:

RELATED: How to Create and Install SSH Keys Through the Linux Shell

Disable Password Authentication Entirely

The logical extension of using SSH keys is to disable password authentication entirely, provided every remote user has been set up with a key. Do this from a session you keep open, and confirm from a second terminal that key-based login works before you close it; otherwise a missing or mis-installed key locks you out.

We need to edit your SSH configuration file:

  sudo gedit /etc/ssh/sshd_config 


Scroll through the file until you see the line beginning with "#PasswordAuthentication yes". Remove the hash # at the beginning of the line, change the "yes" to "no" and save the file. Also check the ChallengeResponseAuthentication line (renamed KbdInteractiveAuthentication in newer OpenSSH releases): if it is set to "yes", PAM can still ask for a password through the keyboard-interactive method, so set it to "no" as well. Restart the SSH daemon:

  sudo systemctl restart sshd 

Disable X11 forwarding

X11 forwarding lets remote users run graphical applications from your server over an SSH session. In the hands of a threat actor or a malicious user, a graphical interface can make their job easier, and because forwarding connects the server's programs to the user's X display, a compromised server can also abuse it to attack the connecting client.

A standard cyber security mantra is: if you do not have a good reason to enable something, disable it. To do that, edit your SSH configuration file:

  sudo gedit /etc/ssh/sshd_config 


Scroll down the file until you find the X11Forwarding line. Remove the hash # from the beginning of the line if it is commented out, make sure it reads "X11Forwarding no", and save the file. Restart the SSH daemon:

  sudo systemctl restart sshd 

Set an Idle Timeout

An SSH connection to your computer that has seen no activity for a long time can be a security risk. The user may have left their desk and be busy elsewhere. Anyone passing by can sit down, use their computer and, through it, reach your computer over SSH.

It is much safer to set a time limit, so that the SSH connection is dropped once the inactivity period expires. A caveat about how this works: the ClientAliveInterval setting used below makes sshd send a keepalive request through the encrypted channel whenever no data has arrived from the client for that many seconds, and it disconnects the session only after ClientAliveCountMax consecutive requests (three by default) go unanswered. That reliably clears dead and crashed clients, but an idle user whose client is still running keeps answering the requests, so to log out idle interactive shells as well you also need a shell-level idle timeout such as the TMOUT variable in bash. We are editing your SSH configuration file again:

  sudo gedit /etc/ssh/sshd_config 


Scroll down the file until you see the line beginning with "#ClientAliveInterval 0". Remove the hash # from the beginning of the line and change the 0 to the desired value in seconds. We used 300, which is five minutes. Save the file and restart the SSH daemon:

  sudo systemctl restart sshd 

Set a password attempt limit

Setting a limit on the number of authentication attempts per connection helps to defeat password guessing and brute-force attacks. After the specified number of failed attempts, the user is disconnected from the SSH server. The compiled-in default is six attempts, which is more generous than it needs to be. That is quickly fixed.

Again we need to edit your SSH configuration file:

  sudo gedit /etc/ssh/sshd_config 


Scroll through the file until you see the line beginning with "#MaxAuthTries". Remove the hash # from the beginning of the line and change the number to the desired value. We used 3 here. Save the file when you have made your changes and restart the SSH daemon:

  sudo systemctl restart sshd 

You can test this by trying to connect and deliberately entering an incorrect password.


Note that our test user was disconnected after two wrong passwords, one fewer than the 3 we set in MaxAuthTries. The limit counts every authentication method attempted on the connection, not just password prompts. Typically the client offers a public key before falling back to passwords, and each rejected key counts as a failure; only the initial "none" request, which the client uses to discover the permitted methods, is exempt. So the number of password prompts you get can be lower than the MaxAuthTries value.

Disable Root Logins

It is not good practice to log in as root on your Linux computer. You should log in as a normal user and use sudo to perform actions that require root privileges. By the same token, you should not allow root to log in to your SSH server. Only regular users should be allowed to connect; if they need to perform an administrative task, they too should use sudo. If you really must allow root to log in, you can at least force root to use SSH keys.

For the last time we need to edit your SSH configuration file:

  sudo gedit /etc/ssh/sshd_config 


Scroll through the file until you see the line beginning with "#PermitRootLogin prohibit-password". Remove the hash # from the beginning of the line.

  • If you want to prevent root from logging in, replace "prohibit-password" with "no".
  • If you are going to allow root to log in but want to force it to use SSH keys, leave "prohibit-password" in place.

Save your changes and restart the SSH daemon:

   sudo systemctl restart sshd  
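The settings above were applied one at a time with an editor. Collected into one place, as an added example that is not part of the original article: a small shell script that writes every directive this article has set (protocol, port, empty passwords, password authentication, X11 forwarding, idle timeout, attempt limit, root login) into a single configuration fragment, reads values back out of it, and syntax-checks the live configuration before the daemon is restarted. The port number 479, the attempt limit of 3, the file path and the idea of a separate fragment are assumptions for illustration; it also sets PubkeyAuthentication yes explicitly, which is the default, to document the intent.

```shell
#!/bin/sh
# Added example (not from the original article): one hardening fragment
# for OpenSSH instead of ten separate edits, plus a way to read the
# values back and to validate the configuration before restarting sshd.

# write_hardening FILE PORT MAXTRIES: write the fragment to FILE.
# On OpenSSH 8.2 and later whose sshd_config contains
# "Include /etc/ssh/sshd_config.d/*.conf", FILE can live in that
# directory; on older servers append the fragment to /etc/ssh/sshd_config.
write_hardening() {
    file=$1
    port=$2
    maxtries=$3
    cat > "$file" <<EOF
# Hardening fragment (generated). Port $port and MaxAuthTries $maxtries are
# assumed values for this example.
# Protocol is ignored by OpenSSH 7.4+ (protocol 1 no longer exists there).
Protocol 2
Port $port
PermitEmptyPasswords no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
X11Forwarding no
ClientAliveInterval 300
ClientAliveCountMax 3
MaxAuthTries $maxtries
PermitRootLogin no
EOF
}

# directive_value FILE KEY: print the value of the first uncommented
# occurrence of KEY in FILE (sshd_config keywords are case-insensitive).
# Prints nothing if the keyword is not set.
directive_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        $1 !~ /^#/ && tolower($1) == key { print $2; exit }' "$1"
}

# check_live_config: ask sshd to parse the live configuration (sshd -t
# prints nothing and exits 0 when it is valid). Needs root to read the
# host keys. Returns 1 on a syntax error so the caller does not restart.
check_live_config() {
    sudo sshd -t
}

# apply_hardening FILE PORT MAXTRIES: write the fragment, validate the
# live configuration and restart sshd only if validation passed.
# Run this from a session you keep open and test from a second terminal
# before logging out.
apply_hardening() {
    write_hardening "$1" "$2" "$3"
    if check_live_config; then
        sudo systemctl restart sshd
    else
        echo "refusing to restart sshd: configuration has errors" >&2
        return 1
    fi
}

# Usage on a live OpenSSH 8.2+ system (assumed path):
#   apply_hardening /etc/ssh/sshd_config.d/10-hardening.conf 479 3
```

After the restart, sudo sshd -T prints the effective value of every setting, which is the quickest way to confirm that the fragment really took precedence over whatever the distribution's default file contains.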

The Ultimate Step

If SSH does not need to run on your computer at all, make sure it is stopped and disabled:

  sudo systemctl stop sshd 
  sudo systemctl disable sshd 

If you do not open the window, no one can climb in through it.



