{"id":79,"date":"2010-01-26T05:11:06","date_gmt":"2010-01-26T05:11:06","guid":{"rendered":"http:\/\/poojanwagh.opalstacked.com\/techblog\/?p=79"},"modified":"2010-01-26T05:12:12","modified_gmt":"2010-01-26T05:12:12","slug":"locking-down-a-publicly-exposed-ssh-server","status":"publish","type":"post","link":"https:\/\/tech.poojanblog.com\/blog\/unix-linux\/locking-down-a-publicly-exposed-ssh-server\/","title":{"rendered":"Locking down a publicly-exposed ssh server"},"content":{"rendered":"

I expose an ssh server to the internet. This allows me to sync up git or hg repositories under a secure connection (without requiring SSL)–but more importantly, keeping the data stored in those repositories under my control.
\nSince I’m fairly paranoid about security, I chose a random port number (my router routes the random public port to the usual internal port: 22). In addition, I disable password login, which means that I can only log-in using an ssh key. More importantly, other people can’t login using passwords–which means that there’s not possibility of a dictionary (nor simple brute-force) attack.
\nHere’s the sshd_config<\/code> file for FreeBSD that does this:
\n
\n#\t$OpenBSD: sshd_config,v 1.74 2006\/07\/19 13:07:10 dtucker Exp $
\n#\t$FreeBSD: src\/crypto\/openssh\/sshd_config,v 1.42.2.4 2006\/11\/11 00:51:28 des Exp $<\/p>\n

# This is the sshd server system-wide configuration file. See
\n# sshd_config(5) for more information.<\/p>\n

# This sshd was compiled with PATH=\/usr\/bin:\/bin:\/usr\/sbin:\/sbin<\/p>\n

# The strategy used for options in the default sshd_config shipped with
\n# OpenSSH is to specify options with their default value where
\n# possible, but leave them commented. Uncommented options change a
\n# default value.<\/p>\n

# Note that some of FreeBSD’s defaults differ from OpenBSD’s, and
\n# FreeBSD has a few additional options.<\/p>\n

#VersionAddendum FreeBSD-20061110<\/p>\n

#Port 22
\n#Protocol 2
\n#AddressFamily any
\n#ListenAddress 0.0.0.0
\n#ListenAddress ::<\/p>\n

# HostKey for protocol version 1
\n#HostKey \/etc\/ssh\/ssh_host_key
\n# HostKeys for protocol version 2
\n#HostKey \/etc\/ssh\/ssh_host_dsa_key<\/p>\n

# Lifetime and size of ephemeral version 1 server key
\n#KeyRegenerationInterval 1h
\n#ServerKeyBits 768<\/p>\n

# Logging
\n# obsoletes QuietMode and FascistLogging
\n#SyslogFacility AUTH
\n#LogLevel INFO<\/p>\n

# Authentication:<\/p>\n

#LoginGraceTime 2m
\n#PermitRootLogin no
\n#StrictModes yes
\n#MaxAuthTries 6<\/p>\n

#RSAAuthentication yes
\n#PubkeyAuthentication yes
\n#AuthorizedKeysFile\t.ssh\/authorized_keys<\/p>\n

# For this to work you will also need host keys in \/etc\/ssh\/ssh_known_hosts
\n#RhostsRSAAuthentication no
\n# similar for protocol version 2
\n#HostbasedAuthentication no
\n# Change to yes if you don’t trust ~\/.ssh\/known_hosts for
\n# RhostsRSAAuthentication and HostbasedAuthentication
\n#IgnoreUserKnownHosts no
\n# Don’t read the user’s ~\/.rhosts and ~\/.shosts files
\n#IgnoreRhosts yes<\/p>\n

# Change to yes to enable built-in password authentication.
\nPasswordAuthentication no
\n#PermitEmptyPasswords no<\/p>\n

# Change to no to disable PAM authentication
\nChallengeResponseAuthentication no<\/p>\n

# Kerberos options
\n#KerberosAuthentication no
\n#KerberosOrLocalPasswd yes
\n#KerberosTicketCleanup yes
\n#KerberosGetAFSToken no<\/p>\n

# GSSAPI options
\n#GSSAPIAuthentication no
\n#GSSAPICleanupCredentials yes<\/p>\n

# Set this to ‘no’ to disable PAM authentication, account processing,
\n# and session processing. If this is enabled, PAM authentication will
\n# be allowed through the ChallengeResponseAuthentication and
\n# PasswordAuthentication. Depending on your PAM configuration,
\n# PAM authentication via ChallengeResponseAuthentication may bypass
\n# the setting of “PermitRootLogin without-password”.
\n# If you just want the PAM account and session checks to run without
\n# PAM authentication, then enable this but set PasswordAuthentication
\n# and ChallengeResponseAuthentication to ‘no’.
\n#UsePAM yes<\/p>\n

#AllowTcpForwarding yes
\n#GatewayPorts no
\n#X11Forwarding yes
\nX11Forwarding\tno
\n#X11DisplayOffset 10
\n#X11UseLocalhost yes
\n#PrintMotd yes
\n#PrintLastLog yes
\n#TCPKeepAlive yes
\n#UseLogin no
\n#UsePrivilegeSeparation yes
\n#PermitUserEnvironment no
\n#Compression delayed
\n#ClientAliveInterval 0
\n#ClientAliveCountMax 3
\n#UseDNS yes
\n#PidFile \/var\/run\/sshd.pid
\n#MaxStartups 10
\n#PermitTunnel no
\nPermitTunnel no<\/p>\n

# no default banner path
\n#Banner \/some\/path<\/p>\n

# override default of no subsystems
\nSubsystem\tsftp\t\/usr\/libexec\/sftp-server<\/p>\n

# restrict users\/IP’s
\nAllowUsers *@192.168.1.* Poojan@*<\/p>\n

# Example of overriding settings on a per-user basis
\n#Match User anoncvs
\n#\tX11Forwarding no
\n#\tAllowTcpForwarding no
\n#\tForceCommand cvs server
\n<\/code>
\nI’ve disabled all authentication types (including PAM)–at least the ones that aren’t disabled by default. Since public key authentication is on by default, I don’t have to change it.<\/p>\n

You’ll notice that I’ve disabled tunneling (to disable people from penetrating past the FreeBSD machine into my home network) and chosen not to enable X forwarding (no need for it in this case).<\/p>\n