How to secure your SSH connection – Part I

Don’t panic. SSH is secure. But there is nothing wrong with being cautious.
Although Linux systems are inherently much more secure, it doesn’t hurt to add more security.

There are two basic things you can do easily:

  • Use RSA keys and disable password login
  • Restrict SSH connections to your computer

Use RSA keys and disable password login

RSA keys provide security against man-in-the-middle attacks. You will be generating a key pair: a public key and a private key. The public key will be stored on the server or the remote computer (i.e. the computer you want to connect to through SSH), while the private key will be stored on your local computer. Basically, what happens is that the data you are sending will be encrypted using your private key (stored on the local computer you’re using), and when the encrypted data gets to the remote computer, it will use the public key of the key pair to decrypt the data. Since the data between the computers is encrypted, this can eliminate the man-in-the-middle attack to some extent.

The complete process can be divided into 3 easy steps:

  1. Generate a key pair
  2. Copy the public key to the remote computer
  3. Disable password login

Generate a key pair

The RSA keys are usually generated on the local computer you are going to use to log in. It is OK to do this on the remote computer too, but the main reason for generating the keys on the local machine is that we need the public key on the remote machine and the private key on the local machine. Therefore, if we generate the keys on the remote machine, we then need to copy the private key to the local machine. Since the private key should be kept secure, it is good practice to generate the keys on the local machine, because then only the public key needs to be copied.

Generate the keys:

ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa

This will create a 4096-bit key. Omitting the ‘-b’ option will create the default 2048-bit key. ~/.ssh/id_rsa is the filename where your (private) key will be created. Without -f ~/.ssh/id_rsa it will still create the key in that location, since it is the default value, but if you want to change this you can do so by changing the path. This will be needed if you are using keys to log in to more than one remote machine.

At this point it will ask you for the file in which to create the keys. Just press Enter and let it create the keys in the default location, which makes things much easier. Then it will ask for a passphrase. This is a passphrase for the key. You can choose not to use a passphrase, because then you can connect to the remote computer directly without entering any password. But in any case using a passphrase for the key is much more secure, so it is up to you.

After the keys are generated, there will be two files. If you used the default parameters:

  • Public key in ~/.ssh/id_rsa.pub
  • Private key in ~/.ssh/id_rsa

Next we need to copy the public key to the remote computer.

Copy the public key to the remote computer

Now we need to move the public key to the remote computer (assuming you generated the keys in the local computer). There is a special command you can use to automatically move the public key to the remote computer you want.

ssh-copy-id -i ~/.ssh/id_rsa.pub username@remote_computer

Using the -i option will automatically move the ~/.ssh/id_rsa.pub file, so if you used the default settings there is no need to mention ~/.ssh/id_rsa.pub in the command, but just to be on the safe side you can still specify it. Otherwise, if you stored the files somewhere else, specify that location. The username is the account name on the remote machine you want to store the public key in, and remote_computer is the address of the remote computer, such as its IP address.

Now you will be asked to enter the password for the remote_computer and we are done! The public key will be automatically copied into the ~/.ssh/authorized_keys file. If the remote machine already has other public keys, this one will be appended. Using this command has the additional advantage that it automatically sets the necessary file permissions on ~/.ssh and ~/.ssh/authorized_keys.

So if you created the keys on the remote machine itself, you may want to append the generated ~/.ssh/id_rsa.pub file to the ~/.ssh/authorized_keys file (if one exists; otherwise you could rename it), and then move the ~/.ssh/id_rsa file to your local machine. Now we will disable password login and we are done.
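An added example, not part of the original post: the manual case above (keys generated on the remote machine), done so that the key is appended only once and ~/.ssh and authorized_keys end up with modes 700 and 600. The function name install_pubkey and its arguments are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post).
# install_pubkey PUBKEY_FILE [SSH_DIR]   -- hypothetical helper name
# Appends the first line of PUBKEY_FILE to SSH_DIR/authorized_keys.
# The body runs in a subshell "( ... )" so umask and variables stay local;
# "exit" therefore only leaves the function.
install_pubkey() (
    pub=$1
    dir=${2:-$HOME/.ssh}
    auth=$dir/authorized_keys

    # Guard against passing id_rsa instead of id_rsa.pub by mistake:
    # the private key must never land in authorized_keys.
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "refusing: $pub looks like a private key" >&2
        exit 1
    fi

    key=$(head -n 1 "$pub")
    [ -n "$key" ] || exit 1

    umask 077                      # new files are created owner-only
    mkdir -p "$dir" || exit 1
    touch "$auth" || exit 1

    # Append only if this exact line is not already present.
    if ! grep -qxF -e "$key" "$auth"; then
        printf '%s\n' "$key" >> "$auth"
    fi

    # Fix modes even if the directory or file existed before.
    chmod 700 "$dir" && chmod 600 "$auth"
)
```

On the remote machine this would be called as install_pubkey ~/.ssh/id_rsa.pub before moving ~/.ssh/id_rsa to the local machine.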

Disable password login

Before you disable password login, it’s better that you understand what will really happen. When you disable password login, you (or any other person who wants to log into the remote machine) will not be able to do so using the username and the password. Also, you will only be able to log in remotely to the machine from a computer which has a key. Therefore, if you ever need to log in to the remote computer from a computer other than the one you have keys on, you won’t be able to.
Also, if you want to set up another computer to use key-based login, you will not be able to copy the public key remotely, because ssh-copy-id needs password login to store the key on the remote computer. So it is very important that you understand the consequences of disabling password login before you do so.

In any case, if you decide to disable password login (which is much more secure if you won’t come across situations where you need password login), it is very easy. All you need to do is edit a line in the /etc/ssh/sshd_config file. This is the configuration file for the SSH server (client configuration will be in /etc/ssh/ssh_config). Change the following line:

#PasswordAuthentication yes

to

PasswordAuthentication no

Finally, don’t forget to restart ssh. You can do:

sudo /etc/init.d/ssh restart

And there you go. You have a remote computer which only accepts key-based login, therefore greatly reducing the security risk of brute-force attacks on passwords. Next we will restrict SSH connections using Iptables.
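An added example, not part of the original post: a check that the edit above really took effect, since leaving the leading # in place (for instance "#PasswordAuthentication no") keeps the default of yes. The function names are hypothetical and the sample configurations are constructed; it assumes whitespace-separated "Keyword value" lines and does not evaluate Include files or Match blocks.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# effective_setting KEYWORD FILE DEFAULT
# Prints the value sshd would use for KEYWORD: the first uncommented
# occurrence wins, and DEFAULT applies when there is none.
effective_setting() {
    awk -v kw="$1" -v def="$3" '
        BEGIN { kw = tolower(kw); val = def }
        /^[ \t]*#/ { next }                           # commented lines have no effect
        tolower($1) == "match" { exit }               # global section ends here
        tolower($1) == kw { val = tolower($2); exit } # first value wins
        END { print val }
    ' "$2"
}

# password_login_disabled FILE: succeeds only if passwords are really off.
# PasswordAuthentication defaults to "yes" when it is not set.
password_login_disabled() {
    [ "$(effective_setting PasswordAuthentication "$1" yes)" = "no" ]
}

# Constructed sample configurations.
demo_dir=$(mktemp -d)
printf '%s\n' 'Port 22' '#PasswordAuthentication yes' > "$demo_dir/untouched"
printf '%s\n' 'Port 22' '#PasswordAuthentication no'  > "$demo_dir/still_commented"
printf '%s\n' 'Port 22' 'PasswordAuthentication no'   > "$demo_dir/fixed"
printf '%s\n' 'PasswordAuthentication yes' 'PasswordAuthentication no' \
    > "$demo_dir/shadowed"

for f in untouched still_commented fixed shadowed; do
    printf '%-16s PasswordAuthentication=%s\n' "$f" \
        "$(effective_setting PasswordAuthentication "$demo_dir/$f" yes)"
done
rm -rf "$demo_dir"
```

Only the "fixed" sample reports no; on a real server, point password_login_disabled at /etc/ssh/sshd_config before restarting ssh.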

Restrict SSH connections to your computer

The second method of securing your SSH connection is to limit the number of SSH connections accepted into the system. There are different alternatives you can use to restrict access, but I will show how this can be done with Iptables. I will be doing a separate discussion on Iptables, so a simple explanation will suffice here.

What we actually want to do is restrict the IP address range that is able to connect via SSH. As with disabling password login discussed before, this method also has the consequence that you will not be able to SSH to the remote computer from another location that is restricted. So be cautious before you do it. What you can do is insert a rule into your Iptables like:

iptables -A FIREWALL -i eth0 -p tcp -m tcp --dport 22 ! --source abc.def.gij.klm -j DROP

Here we assume that the local computer you will be using to log in has the IP abc.def.gij.klm. You can also define subnets.
This rule drops every SSH request (destination port 22) that does not originate from the defined IP address.

Check back on the Iptables discussion to learn the basics of rules and chains.
