Securing SSH
Many network services like telnet, rlogin, and rsh are vulnerable to eavesdropping, which is one of several reasons why SSH should be used instead. Red Hat's default configuration for SSH meets the security requirements for many environments. However, there are a few parameters in /etc/ssh/sshd_config that you may want to change on RHEL and other Linux systems.
The chapter Restricting System Access from Servers and Networks shows how direct logins can be disabled for shared and system accounts including root. But it's prudent to disable direct root logins at the SSH level as well:
PermitRootLogin no
Also ensure that privilege separation is enabled, where the daemon is split into two parts. With privilege separation a small part of the code runs as root and the rest of the code runs in a chroot jail environment:
UsePrivilegeSeparation yes
Since SSH protocol version 1 is less secure, you may want to limit the protocol to version 2 only:
Protocol 2
You may also want to prevent SSH from setting up TCP port and X11 forwarding if you don't need it:
AllowTcpForwarding no
X11Forwarding no
Ensure the StrictModes directive is enabled. It checks the file permissions and ownership of some important files in the user's home directory, such as ~/.ssh and ~/.ssh/authorized_keys. If any check fails, the user won't be able to log in:
StrictModes yes
Ensure that all host-based authentication methods are disabled. These methods should be avoided as primary authentication:
IgnoreRhosts yes
HostbasedAuthentication no
RhostsRSAAuthentication no
Disable sftp if it's not needed by commenting out its subsystem line:
#Subsystem sftp /usr/lib/misc/sftp-server
After changing any directives make sure to restart the sshd daemon:
/etc/init.d/sshd restart
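The settings above collected into one audit script, added here as an example that is not part of the original post: it reads sshd_config the way sshd does (the first value of a repeated keyword wins, anything after a Match line is conditional) and reports every directive that is missing or deviates from the hardened value. The sshd_config text inside it is a constructed sample, not a real host's file.

```python
import re

# Directives from the post with their hardened values (sshd keywords are case-insensitive).
EXPECTED = {"permitrootlogin": "no", "useprivilegeseparation": "yes", "protocol": "2",
            "allowtcpforwarding": "no", "x11forwarding": "no", "strictmodes": "yes",
            "ignorerhosts": "yes", "hostbasedauthentication": "no",
            "rhostsrsaauthentication": "no"}

# Constructed sample (not from a real host): duplicated, commented-out and Match-scoped directives.
SAMPLE = """\
Protocol 2
PermitRootLogin yes
PermitRootLogin no
UsePrivilegeSeparation yes
X11Forwarding = no
StrictModes yes
IgnoreRhosts yes
HostbasedAuthentication no
#RhostsRSAAuthentication no
Subsystem sftp /usr/lib/misc/sftp-server
Match User backup
    AllowTcpForwarding no
"""

def parse_sshd_config(text):
    """Effective global directives as {keyword: value}. sshd keeps the FIRST value of a
    repeated keyword, accepts 'Key value' or 'Key = value', and lines after Match are
    conditional, so parsing stops there."""
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # split on the first '=' (with optional spaces) or the first run of whitespace
        key, value = (re.split(r"\s*=\s*|\s+", line, maxsplit=1) + [""])[:2]
        if key.lower() == "match":
            break
        effective.setdefault(key.lower(), value)
    return effective

def audit(config):
    """(directive, expected, actual) for each directive that is missing or differs;
    a missing one is reported because the compiled-in default may be weaker."""
    findings = [(k, want, config.get(k, "unset")) for k, want in EXPECTED.items()
                if config.get(k, "unset").lower() != want]
    if config.get("subsystem", "").lower().startswith("sftp"):
        findings.append(("subsystem", "commented out unless sftp is needed", config["subsystem"]))
    return findings

for key, want, got in audit(parse_sshd_config(SAMPLE)):
    print(f"{key}: expected {want}, found {got}")
```

To audit a real host, pass the contents of /etc/ssh/sshd_config to parse_sshd_config instead of SAMPLE, and run sshd -t after editing to catch syntax errors before the restart.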