- Port: Change the access port for your SSH server. As the saying goes, “security through obscurity is no security at all”, but we’re not going to give an armchair cracker an excuse to think that your public IP is intriguing. The ports that most malefactors are interested in are in the 3-digit range, because that’s where the majority of the service ports are defined by the IANA. With that in mind, pick a port well into the 4-digit range, and try to make it something you’ll remember. Of course, you’ll need to make sure that you’re forwarding the correct port on your firewall as well.
- Protocol: Ensure that SSH-1 access is disabled by specifying “2”. SSH-2 clients are readily available for Linux and Mac via OpenSSH and for Windows via PuTTY, so there’s no excuse for using an outdated protocol with proven security flaws. This also means using an RSA/DSA key pair for your host key. If you find that your default configuration was set to allow SSH-1 connections, you may have to regenerate the host keys with ssh-keygen.
- ClientAliveInterval: Set a timeout for your sessions. This option is specified in seconds and will automatically disconnect you if you’re idle for longer than this duration. This is useful in case you’re pulled away from the computer you’re working at and forget to close your session.
- Use your /etc/hosts.deny and /etc/hosts.allow to your advantage. If you’re only going to be connecting from specific locations, find out the public IPs of those locations and add them to your hosts.allow, while ensuring that hosts.deny denies everything else.
- RSAAuthentication and PubkeyAuthentication: Use asymmetric encryption to authenticate yourself by specifying “yes” to these. Making a public and private key pair is easy, and far more secure than any password you could ever dream up (and hope to remember). Controlling physical access to the key file is trivial, as well. Limit the number of places it exists. For example, my key only exists in two places: buried in my home directory with restricted permissions, and on my USB drive which stays attached to my keychain. It also uses a strong password which wouldn’t be easily cracked by a dictionary or brute force attack.
- PasswordAuthentication: Disable password-based authentication by specifying “no” to this. This goes along with the above. If you’re going to be carrying around your private key, there’s no need to leave the door open for someone to try and brute force their way into your system with a password. You can, however, allow password access from within your own network by using the “Match Address” parameter in your sshd_config file. There is a caveat with this: if you have a wireless network, please make sure it’s secure. Use WPA2 encryption with a strong passphrase, filter MAC addresses, set a narrow DHCP scheme, and if you’re truly paranoid, you can use a network mask of more than 24 bits to reduce the number of available addresses across the entire network. In other words, if you set a subnet mask of 28 bits or 255.255.255.240, you effectively have a network of 14 addresses, including your router (xxx.xxx.xxx.1 through xxx.xxx.xxx.14). This handy Subnet Calculator can help you fine-tune your network to your needs.
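A quick way to verify that a server’s sshd_config actually carries the settings listed above is to audit the file rather than eyeball it. The POSIX shell script below is an added example, not the post’s own script: it writes a constructed sample sshd_config (the temp path and the 192.168.1.0/28 LAN range used in the Match block are assumptions) and checks it for the Port, Protocol, ClientAliveInterval, PubkeyAuthentication and PasswordAuthentication recommendations, reporting each as ok or FAIL.

```shell
#!/bin/sh
# Audit an sshd_config against the settings recommended in the post (added example).
# Assumed: the temp path below and the 192.168.1.0/28 LAN range in the Match block.
# sshd_global FILE KEY: value of KEY's last global line (case-insensitive key).
# Parsing stops at the first Match block so Match-scoped overrides
# (e.g. PasswordAuthentication yes for the LAN) are not read as globals.
sshd_global() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key   { val = $2 }
        END { print val }' "$1"
}

# check FILE KEY WANT: prints one ok/FAIL line; an unset key fails (defaults are not trusted).
check() {
    got=$(sshd_global "$1" "$2" | tr 'A-Z' 'a-z')
    [ "$got" = "$3" ] && { echo "ok   $2 $got"; return 0; }
    echo "FAIL $2 is '${got:-unset}', want $3"; return 1
}

# audit_sshd FILE: runs every check; the return value is the number of failures.
audit_sshd() {
    fails=0
    case "$(sshd_global "$1" Port)" in
        [1-9][0-9][0-9][0-9]) echo "ok   Port is in the 4-digit range";;
        *) echo "FAIL Port is not in the 4-digit range"; fails=$((fails+1));;
    esac
    check "$1" Protocol 2                || fails=$((fails+1))
    check "$1" PubkeyAuthentication yes  || fails=$((fails+1))
    check "$1" PasswordAuthentication no || fails=$((fails+1))
    case "$(sshd_global "$1" ClientAliveInterval)" in
        ''|0) echo "FAIL ClientAliveInterval unset or 0 (no idle timeout)"; fails=$((fails+1));;
        *)    echo "ok   ClientAliveInterval set";;
    esac
    return "$fails"
}

# Constructed sample config applying the post's settings, with the LAN-only
# password exception expressed as a Match Address block (192.168.1.0/28 is assumed).
SAMPLE_CFG=${TMPDIR:-/tmp}/sshd_config.example.$$
cat > "$SAMPLE_CFG" <<'EOF'
Port 2222
Protocol 2
ClientAliveInterval 300
RSAAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
Match Address 192.168.1.0/28
    PasswordAuthentication yes
EOF
audit_sshd "$SAMPLE_CFG"
```

Point `audit_sshd` at the real `/etc/ssh/sshd_config` (as root) to audit a live server; a non-zero exit status means at least one recommendation is not in place.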
Last but not least, check the logs! Make sure that your security measures are effective. If you see an IP that looks malicious and you haven’t set a deny all rule in hosts.deny with explicit allows, add the offending IP’s entire network to the deny list.