We’ll be using a fresh AWS EC2 instance running Ubuntu 16.04 for our examples. If you’re running a virtual server in Azure, Digital Ocean, or some other hosting provider, you’ll want to check out how the equivalent of AWS security groups are configured. And of course, these techniques can also be applied to non-virtual systems.<\/p>\n
AWS Security Groups<\/h3>\n
The first step in hardening your SSH server is applying a more restrictive security group to your instance. Think of AWS security groups as custom firewalls you can apply to your instance. Even better, these custom firewalls can apply source-based filtering rules that only allow traffic from subnets or hosts you specify.<\/p>\n
Subnet-based rules provides for rules like “Only allow SSH traffic from my development team’s network 10.90.4.0\/24” If your internal network is segregated and configured such that developers must authenticate to receive a 10.90.4.0\/24 IP address, an additional safeguard is added.<\/p>\n
A host-based rule will only allow traffic from a given host (strictly speaking, a given IP address; if a host is behind a NAT then any hosts also behind that NAT will be allowed). This is what we’ll use.<\/p>\n
In the above example, we’ve created a security group Another technique you can use to harden your SSH server is ensuring that the latest strong key exchange<\/a> protocols, ciphers<\/a>, and message authentication code<\/a> (MAC) algorithms are utilized.<\/p>\n We’ve used several references as a guide to hardening SSH, including Mozilla’s OpenSSH Guidelines<\/a> as well as ssh-audit<\/a>, a nice tool designed specifically for this task. Using [code lang=text] Our first pass uncovers a number of issues:<\/p>\n Let’s look at changes we want to make to our Restart your SSH daemon with Once we’ve updated our Nice! Strong key exchange, encryption, and MAC algorithms all around.<\/p>\n If you’re looking for a simple SSH daemon configuration, look no further:<\/p>\n There are different interpretations as to what constitutes two-factor or multi-factor authentication. Many believe that two-factor authentication implies an additional authentication code delivered via text message or provided by a key fob<\/a>. Others may consider the steps taken to obtain access to a given computing resource as a part of the authentication steps (e.g., to obtain access to a given server you must get past the security guard, provide a retinal scan, and so on). In this example, we’re going to use the former interpretation.<\/p>\n We’ve chosen to use Authy<\/a> in this example for two-factor authentication using a time-based one time password<\/a>. To get started, install the Authy application on your phone (iOS or Android) and follow the quick-start prompts.<\/p>\n After you’ve successfully set up the application on your phone, you can download the app to your desktop or add it to Google Chrome.<\/p>\n To use the authentication code provided by Authy to add an additional authentication step for SSH logins requires installing the Install the module with Now, as a user that needs to use two-factor authentication, run There are additional prompts from the application to follow:<\/p>\n [code lang=text] Do you want to disallow multiple uses of the same authentication By default, tokens are good for 30 seconds and in order to compensate for If the computer that you are logging into isn't hardened against brute-force NB<\/em>: It is a good<\/em> idea to save your emergency scratch codes in the event you lose access to the devices that are generating your OTPs.<\/p>\n Now that you’ve configured the authenticator, it’s time to update Open [code lang=text] Restart Now, in Once the Try logging in via Enter the code displayed on your Authy app (note that all of your Authy apps will display the same code for the same application configuration) to login.<\/p>\n![\"private-ssh-sg\"](\"http:\/\/dev.iachieved.it\/iachievedit\/wp-content\/uploads\/2017\/11\/private-ssh-sg.png\")
<\/a><\/p>\nprivate-ssh-sg<\/code> and added a single Inbound rule that allows traffic on port 22 from a specific IP address. This will effectively only allow packets whose source IP is specified in that rule to reach port 22 of the instance.<\/p>\nSSH Cipher Strength<\/h2>\n
ssh-audit<\/code> is as easy as<\/p>\n
\n$ git clone https:\/\/github.com\/arthepsy\/ssh-audit
\n$ cd ssh-audit
\n$ .\/ssh-audit.py your.ip.address.here
\n[\/code]<\/p>\n![\"sshaudit\"](\"http:\/\/dev.iachieved.it\/iachievedit\/wp-content\/uploads\/2017\/11\/sshaudit.png\")
<\/a><\/p>\n\n
ssh-audit<\/code> goes on to recommend the key exchange, host key, and MAC algorithms to remove.<\/p>\n\/etc\/ssh\/sshd_config<\/code> file:<\/p>\nProtocol 2\nHostKey \/etc\/ssh\/ssh_host_ed25519_key\n\nKexAlgorithms curve25519-sha256@libssh.org\nCiphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\nMACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com\n<\/pre>\n
sudo systemctl restart ssh<\/code>. Note<\/em>: It’s a good idea to have a second terminal logged in if you bork your SSH configuration and lock yourself out of your instance.<\/p>\nsshd_config<\/code> configuration, it’s time to run an audit against it.<\/p>\n![\"Shell\"](\"http:\/\/dev.iachieved.it\/iachievedit\/wp-content\/uploads\/2017\/11\/Shell.png\")
<\/a><\/p>\nHostKey \/etc\/ssh\/ssh_host_ed25519_key\nPasswordAuthentication no\nChallengeResponseAuthentication no\nUsePAM yes\nX11Forwarding yes\nPrintMotd no\nAcceptEnv LANG LC_*\nKexAlgorithms curve25519-sha256@libssh.org\nCiphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\nMACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com<\/pre>\n
Two-Factor Authentication<\/h2>\n
Authy<\/h3>\n
Getting Your EC2 Instance Ready<\/h3>\n
libpam-google-authenticator<\/code> module and configuring both SSH and PAM.<\/p>\nsudo apt-get install libpam-google-authenticator<\/code>.<\/p>\ngoogle-authenticator<\/code> to get set up. The application will generate several prompts, the first of which is Do you want authentication tokens to be time-based<\/code> to which you’ll answer “yes”<\/p>\ngoogle-authenticator<\/code> will then generate QR-code that you can scan with the Authy phone application, as well as a secret key that can be used with the phone, desktop, or browser application. When using the desktop application I prefer just copy-paste of the secret key.<\/p>\n
\nDo you want me to update your "\/home\/ubuntu\/.google_authenticator" file (y\/n) y<\/p>\n
\ntoken? This restricts you to one login about every 30s, but it increases
\nyour chances to notice or even prevent man-in-the-middle attacks (y\/n) y<\/p>\n
\npossible time-skew between the client and the server, we allow an extra
\ntoken before and after the current time. If you experience problems with poor
\ntime synchronization, you can increase the window from its default
\nsize of 1:30min to about 4min. Do you want to do so (y\/n) n<\/p>\n
\nlogin attempts, you can enable rate-limiting for the authentication module.
\nBy default, this limits attackers to no more than 3 login attempts every 30s.
\nDo you want to enable rate-limiting (y\/n) y
\n[\/code]<\/p>\nsshd_config<\/code> to consult the PAM Google Authenticator module when a user attempts to log in.<\/p>\n\/etc\/ssh\/sshd_config<\/code> as root, and set the following:<\/p>\n
\nChallengeResponseAuthentication yes
\nPasswordAuthentication no
\nAuthenticationMethods publickey,keyboard-interactive
\n[\/code]<\/p>\nssh<\/code> with sudo systemctl restart ssh<\/code>.<\/p>\n\/etc\/pam.d\/sshd<\/code> replace the line @include common-auth<\/code> with auth required pam_google_authenticator.so<\/code>.<\/p>\nsshd<\/code> PAM module has been configured in this manner users will be challenged for a two-factor authentication code, so it’s important that every user on the system be configured with the google-authenticator<\/code> application.<\/p>\nTest your login!<\/h3>\n
ssh<\/code> with the user you’ve just configured for two-factor authentication. You should receive a prompt requesting a verification code (after your key is authenticated).<\/p>\n![\"enter_code\"](\"http:\/\/dev.iachieved.it\/iachievedit\/wp-content\/uploads\/2017\/11\/enter_code.png\")
<\/a><\/p>\n
![\"code_entered\"](\"http:\/\/dev.iachieved.it\/iachievedit\/wp-content\/uploads\/2017\/11\/code_entered.png\")
<\/a><\/p>\n