April 09, 2022

Six Ways to Protect SSH Access on Your System

In this article, we shield the most common SSH key. You can make your servers more secure. By modifying the default SSH port, operating key pairs, and following the other recommended best practices, you can significantly enhance the overall security of your system. 


The SSH (Secure Shell) protocol is a method for connecting remote login from one computer to another. An SSH Key is allowed to secure system administration and file transfers over unsure networks using encryption to secure the connections between endpoints.

putty key

An SSH key is a grant, automated and enables remote access to the digital core of almost every enterprise. An SSH protocol is for primary financial institutions, global industries, tech giants, and governments to function securely. 

I'm going to take you in eight steps to help you secure the SSH service on your network. I think we all value the importance of SSH. It helps us to connect to and from Linux devices, Unix servers, network appliances, and sometimes even Windows boxes. I'm going to provide a solid checklist you can operate to ensure SSH services in your environment are locked down.

What is SSH? 

Secure Shell, or SSH, is a protocol used to connect remotely and also securely to any computer. This protocol is broadly speaking, an enhanced version of Telnet.

putty key

In addition to encrypting point-to-point connections so that no one can notice or block them (something that neither Telnet and FTP offer), what we will be able to do with this protocol is:
  • To connect remotely to any PC and control it by commands. 
  • Transfer files safely and individually, simultaneously. 
  • Manage RSA keys so don’t need to use passwords. 
  • You can run applications in graphical mode remotely.
This is one of the standard and most widely used protocols when it comes to connecting remotely to servers and other computers, especially Linux and windows.


Download and Install PuTTY and PuTTYgen 

For accessing the ssh key on your system putty is the best software. PuTTY key is a key generator tool for making pairs of public and private SSH keys. PuTTY is good in network file transfer applications, serial consoles, and open-source terminal eliminators. 

PuTTY is offered the facility of files sharing, manipulating data, etc.SSH, Telnet, SCP, SFTP, Serial, etc., are the various network protocol helped by it. "psftp’ is a command-line tool that allows the transfer of a file securely between computers over SSH connections.

putty key

PuTTYgen and putty is very quick processor software. Both PuTTY and PuTTYgen are required to convert OpenSSH keys and attach them to the server over SSH. These two tools can be downloaded separately or, preferably, as a Windows installer from the PuTTY Download Page.

Once the PuTTY is downloaded then install it, double-click the executable in the Download folder and follow the installation wizard. The default settings are appropriate for most installations. Both PuTTY and PuTTYgen should now be available from the Windows Programs list.

Way to Protect SSH Access on the System

putty key

Here, we discuss the 6 ways to protect SSH on your system. 

1. Backup the config file 

First, back up the configuration file before making primary changes. This is a common piece of advice, but it's a real one. It's easy, takes only a moment and covers you in case of an error when editing the file. And who hasn't created a mistake in Vim? 

# cp /etc/ssh/sshd_config ~/sshd_config_original
 
See, that is not so bad. Challenge - Do you always back up configuration files before creating edits?

2. Set a banner message 

Admittedly, this is as much about legal requirements as anything else, but again, this setting only takes a moment. You can provide some pretty good information in banner messages, too. 

First, we'll write the banner message in the /etc/issue.net file by using Vim. Then we'll open the sshd_config file and tell it to use the content of issue.net as the banner.

 # vim /etc/issue.net 
Warning! 

Authorized use only. This server is the property of MyCompanyName.com You'll want to come up with something specific to your organization. Remove any information that's already in the issue.net file. 

Next, tell SSH to use the banner message. Open the sshd_config file in Vim, and find the line that reads Banner.

Do you remember that you can use the forward-slash character in Vim's command mode, to keyword-search the file? right. 

For example, /banner # vim /etc/ssh/sshd_config 

Find the line that reads # no default banner path, and then uncomment the next line (it says Banner).

3. Prevent empty Passwords 

This seems like a no-brainer, but empty passwords are a bad idea. You may have other utilities, such as Pluggable Authentication Modules (PAM), regulating your regular passwords, but it's also a good idea to complete sure SSH enforces responsible security settings, too. 

Open the /etc/ssh/sshd_config file in Vim, and then find the line that reads PermitEmptyPasswords. Uncomment it, and replace the Yes value with No.

4. Prevent the root user from crossing the network via SSH 

The idea here is pretty straightforward. Send standard user credentials across the network instead of root credentials. Once you've established your SSH connection using a standard user account, use su or sudo to elevate your privileges. 

Open the SSH configuration file, and then uncomment the PermitRootLogin line. Edit the setting from yes to no. PermitRootLogin no Challenge - your organization has embraced sudo, right?


5.No more port 22 

Another common change is to configure SSH to listen on a different port than the standard 22/TCP that we've all memorized. There's already an entry in the sshd_config file

You can comment out the default port setting and add another line, as I've done below: #Run SSH on a non-standard port #Port 22 Port 2222 You must remember to append the new non-standard port number to your SSH connection attempts from this point on. 
For example: 

# ssh -p 2222 user1@10.1.0.42 

Challenge - do you have the same non-standard port number configured for all your SSH destinations? Consistency will make your life much easier.

6. Time's up! 

The server transmits a message to the client and expects a response. The ClientAliveIntervalConclusion I have listed several effective SSH configurations to help you better secure your environment. 

Remember that with security, no one setting is likely to protect your devices. 

 The ClientAliveCountMax defines how many times the server will do this before deciding the client isn't really there anymore.

 Here is an example configuration that checks every 60 seconds and will do so three times: 

ClientAliveInterval 60 
ClientAliveCountMax 3

 Note: If you're operating SSH to tunnel for other connections, you may need to ensure that the interval is long enough to properly support whatever other applications are using it. 

There is a Server Alive Interval value that you can configure on the client-side, too. This authorizes clients to drop connections to non-responsive SSH servers.

Conclusion 

I have listed several effective SSH configurations to help you better secure your environment. Remember that with security, no one setting is likely to protect your devices. 

I strongly suggest that you carefully manage your keys, if you implement key-based authentication.

Posted by: PuTTYgen at 07:53 AM | Comments (9) | Add Comment
Post contains 1185 words, total size 12 kb.

<< Page 1 of 1 >>
27kb generated in CPU 0.0097, elapsed 0.0361 seconds.
32 queries taking 0.023 seconds, 59 records returned.
Powered by Minx 1.1.6c-pink.