Top 20 OpenSSH Server Best Security Practices February 18th, 2010
OpenSSH is the standard open-source implementation of the SSH protocol. It is the recommended tool for remote login, backups, remote file transfer via scp or sftp, and much more. SSH provides confidentiality and integrity for data exchanged between two systems or networks, but its main advantage is server authentication through public-key cryptography, which is what defeats man-in-the-middle attacks. From time to time there are rumors about an OpenSSH zero-day exploit. Here are a few things you need to tweak in order to improve OpenSSH server security.
Default Config Files and SSH Port
- /etc/ssh/sshd_config - OpenSSH server configuration file.
- /etc/ssh/ssh_config - OpenSSH client configuration file.
- ~/.ssh/ - the user's ssh configuration directory.
- ~/.ssh/authorized_keys - lists the public keys (RSA or DSA) that can be used to log into the user's account (older releases also read ~/.ssh/authorized_keys2).
- /etc/nologin - if this file exists, sshd refuses to let anyone except root log in.
- /etc/hosts.allow and /etc/hosts.deny - access control lists enforced by TCP Wrappers are defined here (only honoured by sshd builds linked against libwrap; portable OpenSSH dropped that support in release 6.7).
- SSH default port: TCP 22
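Since the server configuration file above is where almost all of the hardening happens, here is an added example (not code from the original article) that audits an sshd_config for a handful of directives whose values weaken a server: protocol 1, root login, password authentication, empty passwords and X11 forwarding. The directive names, their values and sshd's "first value wins" rule are OpenSSH's own; the sample config, the temporary file and the function names are this example's assumptions. It goes a little beyond the list above by also stopping at the first Match block, whose settings apply only conditionally.

```shell
#!/bin/sh
# Added example, not part of the original article: a small audit of an
# sshd_config file for a few directives whose values weaken the server.
# Directive names, their values and the "first value wins" rule are OpenSSH's
# own; the file path, the sample config and the function names are assumptions.

# get_directive FILE KEYWORD DEFAULT
# Prints the first value sshd would use for KEYWORD (keywords are
# case-insensitive and the first occurrence wins), or DEFAULT when the
# keyword is absent. Reading stops at the first "Match" block, because
# settings there apply only conditionally and need a per-user check.
get_directive() {
    awk -v key="$2" -v def="$3" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blank lines
        tolower($1) == "match"       { exit }       # conditional section: out of scope
        tolower($1) == tolower(key)  { print $2; found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# audit_sshd_config FILE
# Prints "WEAK: <directive> <value>" for every flagged setting and returns
# the number of weak settings as its exit status (0 means nothing flagged).
audit_sshd_config() {
    file=$1
    weak=0

    # check KEYWORD DEFAULT SAFE_VALUE... : flag KEYWORD unless its value is a SAFE_VALUE
    check() {
        kw=$1 def=$2
        shift 2
        val=$(get_directive "$file" "$kw" "$def")
        lval=$(printf '%s' "$val" | tr 'A-Z' 'a-z')
        for ok in "$@"; do
            [ "$lval" = "$ok" ] && return 0
        done
        echo "WEAK: $kw $val"
        weak=$((weak + 1))
        return 1
    }

    # Defaults are those documented in sshd_config(5); the effective values
    # on a live host are better read with "sshd -T".
    check Protocol 2 2                              # no SSH protocol 1
    check PermitRootLogin yes no prohibit-password without-password
    check PasswordAuthentication yes no             # keys only
    check PermitEmptyPasswords no no
    check X11Forwarding no no
    return $weak
}

# write_sample_config FILE: a constructed sshd_config (not from any real host)
# with two weak settings and a Match block that must not influence the result.
write_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample sshd_config
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding yes

Match User backup
    PasswordAuthentication yes
EOF
}

# Run with "--demo" to audit the constructed sample; on a real host call
# audit_sshd_config /etc/ssh/sshd_config instead.
case ${1:-} in
    --demo)
        tmp=$(mktemp)
        write_sample_config "$tmp"
        audit_sshd_config "$tmp"
        echo "weak settings: $?"
        rm -f "$tmp" ;;
esac
```

On the constructed sample the audit flags PermitRootLogin and X11Forwarding and ignores the PasswordAuthentication line inside the Match block, so it exits with status 2. Treat the script as a first pass: Match blocks, Include files and compiled-in defaults all change the effective configuration, which is why the comment points at sshd -T for the authoritative answer.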
SSH and Port Forwarding or How to get through a firewall July 1st, 2009
In this article I'm going to show you how to use SSH port forwarding to reach a service that a firewall is blocking.
As an example, I'll take a campus that blocks access to IRC servers, which usually listen on port 6667, but leaves the SSH port 22 open.
The idea is simple: since we can connect to a remote host on port 22, we tell that host to forward our traffic on to the destination we wanted to reach in the first place.
So here is the setup. We are using a computer on a campus that blocks outbound connections to port 6667 but leaves port 22 open.
We also have a known host outside the campus (let's say your home computer) with its SSH port 22 reachable.
Here is a graph representing the configuration:
As you can see, we take a longer path to the IRC server by going through our home computer. With a local port forward we create a tunnel between port 1234 on our laptop and port 6667 on the IRC server, so we can join the IRC network simply by connecting to localhost port 1234.
Let's get to the command line. First we need to create the tunnel: connect to your home computer over SSH and forward port 1234 on localhost to the IRC server (here irc.freenode.net) on port 6667.
tester@laptop:~$ ssh email@example.com -L 1234:irc.freenode.net:6667
Now the tunnel is up (the purple connection on the graph) and port 1234 is listening on localhost. All that is left is to point your favorite IRC client at the server localhost:1234.
In this example I'm going to connect with irssi, a text-mode IRC client.
tester@laptop:~$ irssi -c localhost -p 1234
And here is what we get...
Hey, hey, we are connected to freenode.
Basically, you can use this trick to reach any kind of service; the only requirement is being able to SSH to a machine outside the firewalled network. Keep in mind that only the leg from your laptop to your home computer is encrypted: from the home computer to the IRC server the traffic is whatever the protocol normally is (plaintext on port 6667). By default the forwarded port 1234 listens on localhost only, so other machines on the campus network cannot use your tunnel.
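The tunnel above is started with a bare ssh -L, which also opens an interactive shell on the home machine and keeps running even when the forward could not be set up. Here is an added example (not code from the original post) that wraps the same command in a small shell script with the options a practitioner usually adds: -N so no remote shell is started, -f to background ssh once the forward is up, ExitOnForwardFailure so a port already in use is an error rather than a silent tunnel-less session, and an explicit 127.0.0.1 bind address. The ssh flags are real OpenSSH options; the gateway name, the ports and the function names are this example's assumptions, and the argument checks exist so nothing unexpected can be passed through to ssh.

```shell
#!/bin/sh
# Added example, not part of the original post: a small wrapper that builds
# and starts the "ssh -L" tunnel from the article with the options a
# practitioner usually adds. The ssh flags are real OpenSSH options; the
# gateway name, ports and function names are this example's assumptions.

# is_port N: true when N is an integer in 1..65535
is_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# forward_cmd LOCAL_PORT REMOTE_HOST REMOTE_PORT USER@GATEWAY
# Prints the ssh command line for the tunnel, or fails with a message on
# stderr when an argument is unsafe to pass through to ssh.
forward_cmd() {
    lport=$1 rhost=$2 rport=$3 gateway=$4
    if ! is_port "$lport" || ! is_port "$rport"; then
        echo "forward_cmd: ports must be 1..65535" >&2; return 1
    fi
    # Ports below 1024 need root on the laptop; refuse rather than prompt for it.
    if [ "$lport" -lt 1024 ]; then
        echo "forward_cmd: local port $lport is privileged, pick one >= 1024" >&2; return 1
    fi
    # Only hostname characters, so nothing can smuggle extra ssh arguments.
    case $rhost in ''|*[!A-Za-z0-9.-]*)
        echo "forward_cmd: bad remote host" >&2; return 1 ;; esac
    case $gateway in ''|*[!A-Za-z0-9.@_-]*)
        echo "forward_cmd: bad gateway" >&2; return 1 ;; esac
    # -N: no remote shell, just the forward; -f: go to background once the
    # forward is up; ExitOnForwardFailure: fail loudly if LOCAL_PORT is taken
    # instead of leaving a session with no tunnel. Binding to 127.0.0.1
    # explicitly keeps the listener off the campus LAN even if GatewayPorts
    # is ever set in ssh_config.
    printf 'ssh -N -f -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:%s:%s %s\n' \
        "$lport" "$rhost" "$rport" "$gateway"
}

# open_tunnel LOCAL_PORT REMOTE_HOST REMOTE_PORT USER@GATEWAY
# Validates the arguments and starts ssh. Stop the tunnel later with
#   pkill -f "ssh -N -f .* -L 127.0.0.1:LOCAL_PORT:"
open_tunnel() {
    cmd=$(forward_cmd "$@") || return 1
    echo "starting: $cmd"
    $cmd    # every word was validated above, so plain word splitting is safe
}

# Usage for the article's scenario (the home host name is assumed):
#   open_tunnel 1234 irc.freenode.net 6667 tester@home.example.org
#   irssi -c localhost -p 1234
```

Because of ExitOnForwardFailure, open_tunnel returns non-zero if port 1234 is already in use on the laptop, which is the failure the bare command hides: ssh would still log you into the home machine and print only a warning, and the IRC client would then fail to connect with no obvious cause.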
Thanks to the author; original link: http://www.debuntu.org/2006/04/08/22-ssh-and-port-forwarding-or-how-to-get-through-a-firewall