OpenSSH is a suite of network security utilities based on the Secure Shell (SSH) protocol, which secures communication across the network. Secure communication is achieved through encryption combined with several authentication methods.
OpenSSH encrypts all traffic (including passwords) to prevent connection hijacking and other network-level attacks. The connection itself is authenticated using public-key cryptography.
OpenSSH is similar to the original ssh but offers a few additional capabilities. It was developed by the OpenBSD Project and is an advanced version of the original SSH software by Tatu Ylönen, which is now proprietary software.
In general, OpenSSH provides a large suite of secure tunnelling features, several system- and network-level authentication methods, and other advanced configuration options. As mentioned earlier, OpenSSH uses public-key cryptography to authenticate its network traffic.
Installation and Configuration
First, update the Linux package repositories using the following commands:
root@hashroot:/# apt-get update
root@hashroot:/# apt-get upgrade
OpenSSH can be installed on Linux distros using the commands below:
Ubuntu : apt-get install openssh-server
CentOS : yum install openssh-server
The screenshot above shows the SSH installation on Ubuntu. It is the same on CentOS, except that apt-get is replaced by yum. Once the package is installed, you can use the SSH configuration file to modify the default options. By default, the ssh configuration file is located at /etc/ssh/sshd_config:
root@advaita:~# ls /etc/ssh/sshd_config
The default port that ssh listens on is 22.
You can modify all the basic connection settings and the authentication methods using the ssh configuration file, sshd_config. Some common SSH hardening steps are described below.
Open the main SSH configuration file /etc/ssh/sshd_config using any text editor available on your Linux distro. I'm using the vi editor. All the SSH configuration described here is done via this file.
root@hashroot:/# vi /etc/ssh/sshd_config
Change default Port
To change the default ssh port, find the line that says 'Port 22' and change the port number. For example, I will change it to 4444, so that the final entry becomes Port 4444 (shown in the screenshot below):
Maximum Login Attempts
We will set the maximum login attempts per connection to 3. After 3 unsuccessful login attempts, the connection is dropped automatically. This improves the security of your server, since it can be used to slow down brute-force attacks. To change the maximum login attempts, find the line that says 'MaxAuthTries' and change the value. For example, I will change it to 3, so that the final entry becomes MaxAuthTries 3 (shown in the screenshot below):
Allow specific users
The AllowUsers option permits only the listed users to log in to the server and denies all other users. Here, I'll add the 'zimbra' user because my Zimbra Mail Server needs access. To do this, add an AllowUsers line listing zimbra at the end of the main configuration file /etc/ssh/sshd_config, as shown below:
Similarly, you can add any other users that need ssh access to the server to this line.
Disable direct root Login
Logging in to a server directly as the root user is not recommended on Linux systems. Instead, log in via ssh as a normal user and switch to root only when required, using the su command.
Modify the entries as shown below in the main SSH configuration file /etc/ssh/sshd_config (the PermitRootLogin directive) to disable direct root login.
After making changes to the ssh configuration file, restart the sshd daemon so that the changes take effect. Any change to /etc/ssh/sshd_config must be followed by a restart of the sshd service using the following command. Also check the status using the service status command, as shown below:
root@hashroot:/# service ssh restart
root@hashroot:/# service ssh status
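The four edits above (Port, MaxAuthTries, AllowUsers, PermitRootLogin) are easy to get wrong by hand: a directive left commented out, or the same key set twice. The script below is an added example, not code from the original post; it applies those four settings to an sshd_config file idempotently (replacing an existing or commented-out line, or appending the key if absent) and reads back the effective values. It assumes a POSIX shell with awk, and it works on a constructed sample file rather than the real /etc/ssh/sshd_config, so it can be run safely anywhere.

```shell
#!/bin/sh
# Added example (not from the original post): apply the post's sshd_config
# hardening settings idempotently and read back the effective values.
# Assumptions: POSIX sh with awk available; file path passed as the first argument.

# set_directive FILE KEY VALUE
# Replaces every existing "KEY ..." line (active or commented out, matched
# case-insensitively like sshd does) with "KEY VALUE", or appends the line
# if the key is absent. Running it twice yields the same file.
set_directive() {
    file=$1; key=$2; value=$3
    tmp="${file}.tmp.$$"
    awk -v k="$key" -v v="$value" '
        BEGIN { done = 0 }
        {
            line = $0
            # strip leading whitespace and an optional comment marker
            sub(/^[ \t]*#?[ \t]*/, "", line)
            split(line, f, /[ \t]+/)
            if (tolower(f[1]) == tolower(k)) {
                if (!done) { print k " " v; done = 1 }
                next            # drop duplicates of the same key
            }
            print
        }
        END { if (!done) print k " " v }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_directive FILE KEY
# Prints the value of the first active (uncommented) line for KEY, which is
# the one sshd honours, since sshd uses the first occurrence of a directive.
get_directive() {
    awk -v k="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(k) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# harden_sshd_config FILE: the four changes described in the post.
harden_sshd_config() {
    set_directive "$1" Port 4444
    set_directive "$1" MaxAuthTries 3
    set_directive "$1" AllowUsers zimbra
    set_directive "$1" PermitRootLogin no
}

# Constructed sample standing in for /etc/ssh/sshd_config (not a real file).
make_sample_config() {
    cat > "$1" <<'EOF'
# Sample sshd_config (constructed for this example)
#Port 22
#AddressFamily any
MaxAuthTries 6
#PermitRootLogin prohibit-password
PasswordAuthentication yes
EOF
}

demo() {
    f=$(mktemp)
    make_sample_config "$f"
    harden_sshd_config "$f"
    harden_sshd_config "$f"   # second run must not duplicate any line
    cat "$f"
    rm -f "$f"
}

demo
```

To apply this to a live system, point harden_sshd_config at /etc/ssh/sshd_config after taking a backup, and run `sshd -t` (which checks the configuration for syntax errors) before the service restart shown above, since a broken sshd_config stops the daemon from starting. Keep your current session open until you have confirmed a fresh login on the new port works, and make sure any firewall in front of the server allows that port.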
Logging into SSH
There are many ways to log in to a Linux server using SSH. You can use a graphical application that supports the ssh protocol, or the SSH command-line utility that Linux offers. There are also many ssh clients, such as PuTTY, that allow a user to ssh to a server from a Windows client. I'm explaining the command-line utility here.
The command format to connect to SSH is shown below:
ssh user@hostname-or-ip -p <Port Number>
For example, to connect to a remote Linux server with IP address "192.168.1.156" as the user "root" on ssh port 4444, use the following command:
ssh root@192.168.1.156 -p 4444
This will prompt for the password of the Linux user "hashroot". Enter the password for the user "hashroot" on server 192.168.1.156 to log in. See the screenshot below.
Now you have logged in to the remote server using SSH. You can find more hardening steps on the official OpenSSH website: https://www.openssh.com/