PasswordSentry

Home

SSH Security

In my last security article, I discussed FTP security. This time around, I will be discussing hardening your SSH. SSH, also known as Secure Socket Shell, is a network protocol that provides administrators and webmasters with a secure way to access a server, using a SSH client like Putty or SecureCRT, to name a few. Many people tend to take SSH for granted. They see the 'Secure' in SSH, and assume it is hardened by default. Not so. SSH is vulnerable if not properly setup. This is a big problem because SSH allows access to the server which allows the user command line access. For example, they could wipe the hard drive clean with one line: rm -rf /. Or, they could retrieve sensitive data, or install a rootkit which would allow them to access and manipulate the server remotely at a later date. SSH security is of the highest priority. Here are some measures to harden your SSH:

1. First and foremost is to never provide SSH access to any outside party. And within your company or group, limit SSH access to only a select few whom you trust with your life, and whom have a valid reason to have shell access. Especially critical when granting root Normal Shell access.

2. Via WHM / cPanel or comparable control panel, disable SSH Password Authentication.

3. Via WHM / cPanel or comparable control panel, generate SSH Keys (private and public). Download they keys. Configure your SSH client to authenticate using Public Key.

4. Change your SSH password on a regular basis. For example, change your SSH password monthly, or when you suspect that your server has been hacked. When choosing a password, choose a strong password: a random alphanumeric password which also contains special characters. A good tool to generate strong passwords is our PassMeter Tool: https://www.password-sentry.com/passmeter/
When you change your password, you will need to re-generate your SSH Keys, and re-download the new keys for use by your SSH client.

5. Use a IP whitelist. Only grant SSH access on the basis of IP address.

6. For domain-specific SSH accounts (yours and/or reseller accounts), use Jailed Shell Access:  limited and restrictive environment within which they can perform whatever functions they want in relation to file system and server environment.

SSH is an amazing protocol which allows you to do amazing things. But, in the wrong hands, it can be the most dangerous weapon directed against your server. Protect it well, and ensure you harden it like a steel trap.