The SSH remote access service allows remote administration of servers, PCs or network equipment. It is available on both Linux and MAC OS as well as Windows. It allows easy and remote access to equipment, with the privileges of the chosen user.
We will then speak of an SSH server, on which the user, the SSH client, connects.
Often exposed on the Internet, it is necessary to follow some SSH security best practices in order to reduce the risks.
What are the risks?
Several risks exist on an exposed SSH service:
- Weak passwords : unauthorized access through password enumeration attack (bruteforce) ;
- Compromised account : unauthorized access through stolen account (password reuse or keylogger) ;
- Interception of communications: attacker in a Man-in-The-Middle position, for example on a public Wi-Fi;
- Loss of access: single access account blocked;
- Information leaks: obtaining the OS and its version in the service banner;
- Privilege escalation: Stealing SSH sessions from other users;
- Vulnerable service: exploitation of a vulnerability on an outdated SSH server.
Once the service is compromised, attackers will very often deploy a cryptocurrency miner, deface the website or resell access to the server in a network of botnets.
In some cases, the attack can be targeted and give access to the company’s internal network. The hacker will then favor a ransomware attack, data theft or a scam to the president.
Check the security level of your SSH access
An external penetration testensures that it is not possible for an attacker to exploit the SSH service.
In the cas of a jump hostor a bastion, it is advised to perform a whitebox pentest assessment (access to different account levels and to the configuration) in order to test, for example, partitioning between accounts, bypassing network filtering from the SSH server and service configuration.
In order to audit itself the hardening of the algorithms of its SSH services, the Linux tool ssh-audit (https://github.com/jtesta/ssh-audit) can be used.
To install it on Kali Linux:
sudo apt install ssh-audit
ssh-audit -p PORT @IP
For example: ssh-audit -p 2222 127.0.0.1 will test the hardening of the algorithms and report potential CVEs on the server version.
For an audit of the SSH server configuration itself, the Linux Lynistool (https://github.com/CISOfy/lynis) includes SSH checks to increase the level of security. Its use is described in the official documentation: https://cisofy.com/documentation/lynis/get-started/#installation-git. It is therefore sufficient to run Lynis on the SSH server in order to detect potential weaknesses in its configuration.
SSH security best practices
SSH server configuration resides in Linux file /etc/ssh/sshd_config and Windows %programdata%\ssh\sshd_config.
The following principles and configuration points can be used to enhance the security of the SSH service:
✔️ Favor SSH key based authentication rather than by password
-
- PubkeyAuthentication yes
- PasswordAuthentication no
✔️ Protect your SSH key with a complex passphrase
✔️ Do not accept empty passwords
-
- PermitEmptyPasswords no
✔️ Limit the number of invalid authentications
-
- MaxAuthTries 3
✔️ Secure root account
-
- PermitRootLogin no
- PermitRootLogin without-password (allow root login with an SSH key)
✔️ Complement this limit with a system to ban IPs that attack the service
-
- https://doc.ubuntu-fr.org/fail2ban
- Other security solutions (SIEM, SOAR, IPS)
✔️ If possible, create a whitelist of Linux groups or users authorized to connect in SSH:
-
- AllowGroups groupname
- AllowUsers justin sammy vladimir
✔️ Reduce information leaks in the file known_hosts :
-
- HashKnownHosts yes
✔️ Reduce information leaks from the SSH service banner:
-
- DebianBanner no
✔️ Change the default listening port (22) to a non-standard port (and not 2222 either) in order to decrease the “noise” generated by scanners on the Internet
✔️ Protect SSH access with VPN access or restricting the IP addresses you and your providers use when possible
✔️ Consider a “jumphost” architecture when a large number of SSH services must be accessible
For correspondences with the OpenSSH configuration under Windows, see the official documentation: https://docs.microsoft.com/fr-fr/windows-server/administration/openssh/openssh_server_configuration.
Note: these recommendations should be applied according to your needs and your environment, after ensuring that they do not impact access to services.
References: https://www.ssi.gouv.fr/administration/guide/recommandations-pour-un-usage-securise-dopenssh | https://www.ssh-audit.com/hardening_guides.html | https://linux-audit.com/audit-and-harden-your-ssh-configuration/
🛡️ DSecBypass supports you in securing your SSH services during external pentests or internal security audits, with quality services and significant experience in this type of service. Do not hesitate to contact us for additional information and/or a personalized quote 📝.
