Random SSH server notes.
Server config tips
- Disable password logins and only use SSH keys
- Change the “AuthorizedKeysFile” setting in sshd_config and use a random filename to help prevent automatic key injection attacks
- “LogLevel DEBUG” is useful, but be aware that it logs all requests made while browsing through an SSH SOCKS proxy (having your web history stored in the system logs might not be a desired thing)
- Set all SSH config files as immutable (chattr +i)
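The first three tips above can be checked mechanically. The following is an added example, not code from the original notes: it audits an sshd_config (or the output of sshd -T) for password logins, a default AuthorizedKeysFile path and LogLevel DEBUG, and it follows sshd's parsing rules (first occurrence of a keyword wins, everything after a Match line is conditional). The sample configs are constructed.

```python
import re

# sshd's built-in defaults for the directives these notes discuss
DEFAULTS = {
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "authorizedkeysfile": ".ssh/authorized_keys .ssh/authorized_keys2",
    "loglevel": "INFO",
}
DEFAULT_KEY_PATHS = set(DEFAULTS["authorizedkeysfile"].split())


def parse_sshd_config(text):
    """Return {keyword_lower: value} for the global section of an sshd_config.

    Mirrors sshd: keywords are case-insensitive, the FIRST occurrence wins,
    only whole-line '#' comments exist, and everything after the first
    'Match' line is conditional, so it is left out of the global audit.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        if key == "match":
            break
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return settings


def audit_sshd_config(text):
    """Return a list of findings for the global section; empty means it passes."""
    cfg = parse_sshd_config(text)
    get = lambda k: cfg.get(k, DEFAULTS[k])
    findings = []
    if get("passwordauthentication").lower() != "no":
        findings.append("password logins still enabled (set PasswordAuthentication no)")
    if get("pubkeyauthentication").lower() != "yes":
        findings.append("PubkeyAuthentication disabled, key-only login is impossible")
    if DEFAULT_KEY_PATHS & set(get("authorizedkeysfile").split()):
        findings.append("AuthorizedKeysFile uses a default path that key-injection tooling expects")
    if get("loglevel").upper() == "DEBUG":
        findings.append("LogLevel DEBUG writes SOCKS proxy destinations into the system log")
    return findings


# Constructed samples: the Match block below does NOT rescue the weak config,
# because its PasswordAuthentication only applies to one user.
WEAK_CONFIG = "Port 22\nPasswordAuthentication yes\nLogLevel DEBUG\n" \
              "Match User backup\n    PasswordAuthentication no\n"
HARDENED_CONFIG = "PasswordAuthentication no\nPubkeyAuthentication yes\n" \
                  "AuthorizedKeysFile .ssh/k3y5_9f2a1c\nLogLevel VERBOSE\n"

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or "OK")
```

Feeding it `sshd -T` output is the most reliable check, since that dumps the effective configuration with defaults resolved.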
Add additional factors of authentication:
- Use an OpenPGP Web of trust with SSH http://web.monkeysphere.info/
- Google authenticator offers two-factor authentication for SSH.
- Gatekeeper script run by the ForceCommand option in SSHD https://calomel.org/openssh_gatekeeper.html
Hiding your server
- If you have an open port for SSH, change the default port number.
- Only allowing static IPs is ideal, but also a luxury.
- Firewall rules to allow/block traffic by country. Use MaxMind or blockfinder to get the IP blocks.
- For even further refinement (fewer iptables rules) it’s not too hard to run a whois on every IP block in a small country and then grep through the results for the ISPs you want to whitelist.
- Port knocking to hide your server.
  - Can be done with just iptables rules.
  - I like the way knock-knock implements this. Might be difficult if you are behind a firewall that restricts outbound traffic, so have common ports available for knocking on if you suspect that might be the situation.
- Multiplexing SSH connections and HTTP with sshttp. If a webserver is not required, introducing this increases the attack surface. Might not work where HTTP is being transparently routed through a proxy and interfered with, but this is a good indication you’re on a hostile network.
Proxy SSH over
- Proxy SSH over SSL with Stunnel, useful for beating firewalls.
- Obfsproxy can completely obscure any protocol and works well with SSH. Deep packet inspection has been used before by ISPs to detect and throttle or block encrypted connections.
- SSH over the Tor network by means of hidden services. Unfortunately this can be rather slow; the latency can be painful.
- SSH over DNS and ICMP tunnelling. Commonly (more so the former) used to beat captive portals on wireless hotspots. It can be hard for hotspot operators to defend against this (the majority do not).