Achieving The SSH For Log Data

Logs for SSH

Uploaded by Reddy1993

What is OpenSSH?

OpenSSH is a free, open source set of computer tools that provides secure, encrypted
communication over a computer network using the ssh protocol. Many people who are
new to computers and protocols hold a misconception about OpenSSH: they think it is a
protocol, but it is not. It is a set of computer programs that use the ssh protocol.

The most important reason to use the OpenSSH tools instead of ftp and telnet is that all
communications and user credentials sent through OpenSSH are encrypted, and they are
also protected from man-in-the-middle attacks. If a third party tries to intercept your
connection, OpenSSH detects it and informs you.

Shikhar Verma 1
What Are Some Of The OpenSSH Features?

Secure Communication
Strong Encryption (3DES, Blowfish, AES, Arcfour)
Port Forwarding (encrypted channels for legacy protocols)
Strong Authentication (Public Key, One-Time Password and Kerberos Authentication)
Agent Forwarding (Single-Sign-On)
Interoperability (Compliance with SSH 1.3, 1.5, and 2.0 protocol Standards)
SFTP client and server support in both SSH1 and SSH2 protocols.
Kerberos and AFS Ticket Passing
Data Compression

OpenSSH options are controlled through the /etc/ssh/sshd_config file.

1. Disable Root Login (PermitRootLogin)

By default you can ssh to the server as root. It is best not to allow root to log in directly to
the server. Instead, you should log in to the system with your own account and then run ‘su -‘
to become root.

Add the following entry to sshd_config to prevent root from logging in to the server directly.

$ vi /etc/ssh/sshd_config
PermitRootLogin no

2. Allow Only Specific Users or Groups (AllowUsers AllowGroups)

By default, anybody who authenticates successfully is allowed to log in. Instead, you can
restrict which users (or groups) are allowed to log in to the system.

$ vi /etc/ssh/sshd_config
AllowUsers ramesh john jason

In the example below, only users who belong to the sysadmin and dba groups can log in to the
system.

$ vi /etc/ssh/sshd_config
AllowGroups sysadmin dba

3. Deny Specific Users or Groups (DenyUsers DenyGroups)

Add the following entry to the sshd_config file to deny specific users from logging in to the
system. In the example below, cvs, apache and jane cannot log in to this system. Usernames
are separated by spaces.

$ vi /etc/ssh/sshd_config
DenyUsers cvs apache jane

In the example below, users who belong to the developers and qa groups cannot log in to the
system.

$ vi /etc/ssh/sshd_config
DenyGroups developers qa

Note: You can use a combination of all the Allow and Deny directives. They are processed in
this order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.
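The following script is an added example, not part of the slides: it applies the four directives from sections 2 and 3 to a constructed set of users and groups in exactly the order listed above, so you can see which directive decides each login. The sshd_config fragment and the group memberships are constructed for the example; real sshd also accepts wildcard and user@host patterns, which the script omits.

```python
# Added example (not from the slides): evaluates the sshd allow/deny
# directives in the order sshd applies them: DenyUsers, AllowUsers,
# DenyGroups, AllowGroups. Names are matched literally; real sshd also
# accepts wildcards and user@host patterns, which are omitted here.

# Constructed sshd_config fragment combining the slides' directives.
SSHD_CONFIG = """
PermitRootLogin no
AllowUsers ramesh john jason
AllowGroups sysadmin dba
DenyUsers cvs apache jane
DenyGroups developers qa
"""

# Constructed group membership (what /etc/group would tell sshd).
GROUPS = {
    "ramesh": {"sysadmin"},
    "john": {"developers", "dba"},
    "jason": {"staff"},
    "jane": {"sysadmin"},
    "alice": {"dba"},
}

def parse_directives(text):
    """Collect the list-valued allow/deny directives from sshd_config text."""
    wanted = ("DenyUsers", "AllowUsers", "DenyGroups", "AllowGroups")
    directives = {k: set() for k in wanted}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) == 2 and parts[0] in wanted:
            directives[parts[0]].update(parts[1].split())
    return directives

def login_allowed(user, groups, d):
    """Return (allowed, deciding directive) in sshd's evaluation order."""
    if user in d["DenyUsers"]:
        return False, "DenyUsers"
    if d["AllowUsers"] and user not in d["AllowUsers"]:
        return False, "AllowUsers"
    if groups & d["DenyGroups"]:
        return False, "DenyGroups"
    if d["AllowGroups"] and not (groups & d["AllowGroups"]):
        return False, "AllowGroups"
    return True, "allowed"

def evaluate(config=SSHD_CONFIG, members=GROUPS):
    """Decide every constructed user against the constructed config."""
    d = parse_directives(config)
    return {u: login_allowed(u, g, d) for u, g in members.items()}
```

Note that john is listed in AllowUsers but is still refused, because DenyGroups is checked before AllowGroups and he belongs to developers.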


4. Change SSHD Port Number (Port)

By default ssh runs on port 22. Most attackers will check whether a server is open on port 22,
and will then try to brute-force a login to the server using several username and password
combinations.

$ vi /etc/ssh/sshd_config
Port 222

If your logs (/var/log/secure) show a lot of invalid ssh logins for accounts that don’t exist on
your system, coming from IP addresses that you don’t recognize, it might be a brute-force
attack. Those invalid ssh logins will stop if you change the port number.
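The following script is an added example, not part of the slides: it scans sshd lines in the /var/log/secure format for the "Invalid user" entries the slide describes and reports source addresses that exceed a threshold. The log lines are constructed for the example, using documentation IP ranges.

```python
# Added example (not from the slides): scans /var/log/secure style sshd
# lines for "Invalid user" attempts and reports source addresses that
# exceed a threshold, the brute-force pattern the slide describes.
import re
from collections import Counter, defaultdict

# Constructed sample lines in the format OpenSSH logs through syslog.
SAMPLE_LOG = """\
Mar  3 09:12:01 host sshd[2101]: Invalid user admin from 203.0.113.5 port 51234
Mar  3 09:12:03 host sshd[2103]: Invalid user oracle from 203.0.113.5 port 51240
Mar  3 09:12:05 host sshd[2105]: Invalid user test from 203.0.113.5 port 51250
Mar  3 09:12:07 host sshd[2107]: Failed password for invalid user test from 203.0.113.5 port 51250 ssh2
Mar  3 09:15:00 host sshd[2110]: Accepted publickey for ramesh from 192.168.10.50 port 40022 ssh2
Mar  3 09:16:30 host sshd[2112]: Invalid user guest from 198.51.100.9 port 60001
"""

# Anchored on the sshd[pid]: prefix so the later "Failed password for
# invalid user" line for the same attempt is not counted twice.
INVALID_USER = re.compile(
    r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<ip>[\d.]+)"
)

def invalid_logins(log_text):
    """Map each source IP to a Counter of the nonexistent usernames tried."""
    attempts = defaultdict(Counter)
    for line in log_text.splitlines():
        m = INVALID_USER.search(line)
        if m:
            attempts[m.group("ip")][m.group("user")] += 1
    return attempts

def suspicious_sources(log_text, threshold=3, known_ips=()):
    """Return {ip: attempts} for IPs at or above the threshold that you
    don't recognise (known_ips are skipped)."""
    flagged = {}
    for ip, users in invalid_logins(log_text).items():
        total = sum(users.values())
        if total >= threshold and ip not in known_ips:
            flagged[ip] = total
    return flagged

if __name__ == "__main__":
    for ip, n in suspicious_sources(SAMPLE_LOG).items():
        print(f"{ip}: {n} invalid-user attempts, possible brute force")
```

On a real host, read the file with `open("/var/log/secure").read()` in place of SAMPLE_LOG and pass your management addresses as known_ips.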


5. Change Login Grace Time (LoginGraceTime)

When you ssh to a server, you have 2 minutes to log in. If you don’t log in successfully within
2 minutes, ssh will disconnect.

Add the following entry to the sshd_config file to change the login grace time from 2 minutes
to 1 minute.

$ vi /etc/ssh/sshd_config
LoginGraceTime 1m


6. Restrict the Interface (IP Address) to Login (ListenAddress)

If the server has multiple interfaces configured with different IP addresses, you might not
want everybody to log in to the server via all of those addresses.

Let us assume that you have the following 4 interfaces on the server:

eth0 – 192.168.10.200
eth1 – 192.168.10.201
eth2 – 192.168.10.202
eth3 – 192.168.10.203

By default ssh listens on all of the above IP addresses. If you want users to log in only via
the addresses ending in .200 and .202, add the following to your sshd_config:

$ vi /etc/ssh/sshd_config
ListenAddress 192.168.10.200
ListenAddress 192.168.10.202


7. Disconnect SSH when no activity (ClientAliveInterval)

Once you’ve successfully logged in to the system, you might want the session to be
disconnected when there has been no activity for x minutes. This is basically an idle timeout.

If you want the ssh session to time out automatically after 10 minutes (600 seconds) of
inactivity, modify the sshd_config file and set the following two parameters as shown below.

$ vi /etc/ssh/sshd_config
ClientAliveInterval 600
ClientAliveCountMax 0

LAB Session

END of this Course Module.

Thanks
