Hardening SSH server security

After the initial setup of your Raspberry Pi, you can tighten the SSH server settings following the recommendations on these websites [link1, link2, link3, link4, link5] and YouTube tutorials [video1, video2, video3, video4]. For a general introduction to Linux security, you may find the Udemy course by Jason Cannon quite useful.

All remote authentication attempts via SSH, successful or failed, are logged on your Raspberry Pi and you can review them by running the following command:

$ sudo cat /var/log/auth.log

If /var/log/auth.log does not exist on your system, rsyslog is not installed and sshd logs to the systemd journal instead; sudo journalctl -u ssh then shows the same entries (and fail2ban needs backend = systemd to read them).

Since the SSH port is now forwarded on the router, you will immediately start seeing failed SSH login attempts [link1, link2, link3, link4] and “POSSIBLE BREAK-IN ATTEMPT!” messages (logged when the client's reverse DNS name does not resolve back to its IP address) in auth.log.
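The counting that fail2ban does on these lines can be reproduced with standard tools. The script below is an added example, not code from the original post: it reads sshd entries in auth.log format and summarizes failed logins per source IP and per guessed account name. The log lines are constructed samples using RFC 5737 documentation addresses, and the function names are my own.

```sh
#!/bin/sh
# Added example: summarize failed SSH logins the way fail2ban's sshd filter
# counts them. The log lines below are constructed samples in auth.log format;
# on a real system pipe in "sudo cat /var/log/auth.log" instead.

SAMPLE_AUTH_LOG='Mar  3 10:15:01 raspberrypi sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 10:15:03 raspberrypi sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Mar  3 10:15:07 raspberrypi sshd[1240]: Failed password for root from 198.51.100.7 port 40022 ssh2
Mar  3 10:15:09 raspberrypi sshd[1244]: reverse mapping checking getaddrinfo for host.example [203.0.113.5] failed - POSSIBLE BREAK-IN ATTEMPT!
Mar  3 10:16:00 raspberrypi sshd[1250]: Accepted publickey for pi from 192.168.2.50 port 50000 ssh2: RSA SHA256:constructed
Mar  3 10:16:30 raspberrypi sshd[1260]: Failed password for invalid user test from 203.0.113.5 port 51300 ssh2'

# Print "count ip" for each source address with failed password attempts,
# most frequent first. Only sshd "Failed password" lines count; the
# POSSIBLE BREAK-IN ATTEMPT and Accepted lines are ignored. Reads stdin.
failed_logins_by_ip() {
    grep 'sshd\[[0-9]*\]: Failed password for' \
    | sed -n 's/.* from \([0-9.]*\) port [0-9]*.*/\1/p' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $1, $2 }'
}

# Print the addresses whose failure count reached the threshold, i.e. what a
# jail with maxretry = <threshold> would ban (findtime is not modelled).
offenders_over() {
    threshold="${1:-2}"
    failed_logins_by_ip | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Print "count user" for the account names being guessed. sshd writes
# "invalid user NAME" for unknown accounts and the bare NAME for real ones.
attempted_users() {
    grep 'sshd\[[0-9]*\]: Failed password for' \
    | sed -n 's/.*Failed password for \(invalid user \)\{0,1\}\([^ ]*\) from .*/\2/p' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $1, $2 }'
}

echo "Failed logins per source IP:"
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_logins_by_ip
echo "Would be banned with maxretry = 2:"
printf '%s\n' "$SAMPLE_AUTH_LOG" | offenders_over 2
echo "Account names tried:"
printf '%s\n' "$SAMPLE_AUTH_LOG" | attempted_users
```

On the sample, 203.0.113.5 shows three failures and 198.51.100.7 one, so only the first would be banned by the maxretry = 2 jail configured further down; on a live box the same pipeline fed from auth.log tells you who fail2ban should already have caught.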

Since only RSA key (public-key) authentication is enabled and password authentication is disabled, password-guessing bots cannot brute-force their way in. Their attempts still fill auth.log and burn CPU on a small board, so it is worth banning the originating IP addresses with fail2ban, which watches the log and adds firewall rules for addresses that fail too often. To install it enter:

$ sudo apt-get install fail2ban

fail2ban can protect many services, but the Debian/Raspbian package enables only the SSH jail out of the box. In the version described here the default bans a suspicious IP after 6 unsuccessful attempts for 600 seconds; newer releases use 5 attempts and 10 minutes, so check the values in your own copy of the default configuration:

$ sudo nano /etc/fail2ban/jail.conf

This configuration file should be left untouched though. You can customize settings in jail.local file, which will override those in the default jail.conf:

$ sudo nano /etc/fail2ban/jail.local

[ssh]
# the jail name is arbitrary; "filter" selects the log pattern, "port" the protected service
enabled   = true
port      = ssh
filter    = sshd
logpath   = /var/log/auth.log
# -1 = permanent; otherwise seconds (604800 = 7 days, 2678400 = 31 days)
bantime   = -1
# drop the address on every port, not just SSH
banaction = iptables-allports
# failures are counted within a window of findtime seconds (604800 = 7 days)
findtime  = 604800
# failures allowed inside that window before the ban fires
maxretry  = 2

With the settings above a suspicious IP address is banned permanently (-1) after 2 unsuccessful login attempts within the 7-day window, and the ban covers all ports (iptables-allports), not just SSH. bantime is in seconds (604800 = 7 days, 2678400 = 31 days), with -1 meaning permanent; findtime is the window in which the maxretry failures must occur. Two strikes and a permanent all-port ban is aggressive, so add localhost and your own LAN to ignoreip in the [DEFAULT] section of jail.local (for example ignoreip = 127.0.0.1/8 192.168.2.0/24) so that your own mistakes cannot lock you out.

Note that in fail2ban 0.8, which behaves as described here, all bans are lost when fail2ban is restarted or the server is rebooted, so if you get banned yourself you can simply reboot. From 0.9 onwards fail2ban keeps its bans in an SQLite database and restores them on start (subject to the dbpurgeage setting in fail2ban.conf), and the cleaner way out is sudo fail2ban-client set ssh unbanip <your IP> from the console. Once you have edited the configuration file, restart fail2ban:

$ sudo service fail2ban restart

If you do not want the bans to disappear from iptables after each reboot, you can make the iptables-allports action keep its own list of banned addresses. Add the line below to the actionstart section of /etc/fail2ban/action.d/iptables-allports.conf; it re-inserts a DROP rule for every recorded address when the jail starts (if the list does not exist yet, cat prints an error and the loop simply does nothing):

cat /etc/fail2ban/ip.list-<name> | while read IP; do iptables -I fail2ban-<name> 1 -s $IP -j DROP; done

and the following line to actionban (the grep prevents the same address from being recorded twice when it is banned again after a restart):

grep -qxF '<ip>' /etc/fail2ban/ip.list-<name> || echo '<ip>' >> /etc/fail2ban/ip.list-<name>

fail2ban replaces <name> with the jail name (ssh) and <ip> with the offending address, so banned addresses end up in /etc/fail2ban/ip.list-ssh and are re-added to iptables on every restart. Record the bare address rather than '<ip>/24': the actionban rule itself only drops the single address, and appending a /24 would silently widen the ban to the whole 256-address block the next time the list is restored. Also note that nothing removes an entry from the list, so an address you unban by hand will be banned again at the next restart unless you delete its line as well.
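The same bookkeeping in a form you can try without root or fail2ban, as an added example and not the page's own action file: the three functions mirror what actionban, actionunban and actionstart do with the list. BAN_LIST is a temporary stand-in for /etc/fail2ban/ip.list-ssh, IPTABLES defaults to echo so the rules are printed rather than applied, and the addresses are constructed (RFC 5737 ranges).

```sh
#!/bin/sh
# Added example: the persistent ban list from the action file above, as three
# shell functions that mirror actionban, actionunban and actionstart. Nothing
# here touches the real firewall: BAN_LIST stands in for
# /etc/fail2ban/ip.list-ssh and IPTABLES defaults to "echo iptables", so the
# rules are printed instead of applied. Run with IPTABLES=iptables as root to
# apply them for real.

BAN_LIST="${BAN_LIST:-$(mktemp)}"
IPTABLES="${IPTABLES:-echo iptables}"   # unquoted on purpose: "echo iptables" is two words
CHAIN="${CHAIN:-fail2ban-ssh}"

# Accept only dotted-quad IPv4 addresses; the list is fed to iptables verbatim,
# so a malformed entry would break the restore loop.
is_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# actionban counterpart: record the single address (no /24), and only once.
record_ban() {
    ip="$1"
    is_ipv4 "$ip" || return 1
    grep -qxF "$ip" "$BAN_LIST" 2>/dev/null || echo "$ip" >> "$BAN_LIST"
}

# actionunban counterpart: remove the address so a manual unban survives restart.
forget_ban() {
    ip="$1"
    [ -f "$BAN_LIST" ] || return 0
    grep -vxF "$ip" "$BAN_LIST" > "$BAN_LIST.tmp" || true   # grep exits 1 when nothing is left
    mv "$BAN_LIST.tmp" "$BAN_LIST"
}

# actionstart counterpart: re-insert a DROP rule for every recorded address.
restore_bans() {
    [ -f "$BAN_LIST" ] || return 0
    while IFS= read -r ip; do
        [ -n "$ip" ] || continue
        $IPTABLES -I "$CHAIN" 1 -s "$ip" -j DROP
    done < "$BAN_LIST"
}

# Number of addresses currently recorded.
ban_count() {
    if [ -f "$BAN_LIST" ]; then wc -l < "$BAN_LIST" | tr -d ' '; else echo 0; fi
}

# Demonstration with constructed addresses.
record_ban 203.0.113.5
record_ban 203.0.113.5                # duplicate: recorded only once
record_ban 198.51.100.7
record_ban 'not-an-ip; rm -rf /' || echo "rejected malformed entry"
echo "recorded $(ban_count) addresses; rules that actionstart would re-insert:"
restore_bans
```

The validation step matters because fail2ban writes whatever the action's <ip> tag expands to straight into the file and the file is later splatted into iptables; keeping the list to plain IPv4 addresses also makes the forget_ban lookup an exact match rather than a prefix match.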

To view banned IP addresses check these files (sudo fail2ban-client status ssh also lists the addresses fail2ban itself currently considers banned):

$ sudo cat /etc/fail2ban/ip.list-ssh
$ sudo cat /var/log/fail2ban.log

Review the iptables rules as numbered lists with the following command:

$ sudo iptables -L -n --line-numbers

If you wish to unban an IP this way, give the number of the rule to remove from the fail2ban-ssh chain:

$ sudo iptables -D fail2ban-ssh 1

This only removes the firewall rule; fail2ban still considers the address banned, so prefer sudo fail2ban-client set ssh unbanip <IP>, which removes the rule and updates fail2ban's own state. If you use the ip.list-ssh mechanism above, delete the address from that file too, or it will be banned again at the next restart.


Another common hardening recommendation, really a form of security through obscurity [link1, link2, link3, link4], is to move SSH from the default port 22 to something else, e.g. 222, 9001 or 31415. It keeps untargeted scanners out of your logs, but anyone who port-scans the host will find sshd within seconds, so treat it as noise reduction rather than protection and keep key-only authentication and fail2ban in place.

If you decide to go this way, you will need to adjust the port forwarding on your router, the ufw/iptables rules and the respective configuration files: Port 31415 in /etc/ssh/sshd_config and port = 31415 in jail.local. With banaction = iptables-allports the jail's port only labels the service, since the ban blocks every port anyway; with the default iptables-multiport action it is the port that gets blocked, so it must match. Also remember to specify the selected port when connecting via ssh:

$ ssh pi@192.168.2.102 -p 31415
