Most automated robots try to log into your SSH server on Port 22 as Administrator with various brute force and dictionary combinations in order to gain access to your data. Furthermore, automated robots can put enormous loads on your server as they perform thousands of retries to break into your system. This topic addresses steps to secure your SSH server against potential threats, including changing the default port for SSH connections from TCP/22 to TCP/33001.
It is well known that SSH servers listen for incoming connections on TCP Port 22. As such, Port 22 is subject to countless, unauthorized login attempts by hackers who are attempting to access unsecured servers. A highly effective deterrent is to simply turn off Port 22 and run the service on a seemingly random port above 1024 (and up to 65535). To standardize the port for use in Aspera transfers, we recommend using TCP/33001.
Note that your Aspera transfer product ships with OpenSSH listening on both TCP/22 and TCP/33001. As such, Aspera recommends only exposing TCP/33001 through your organization's firewall and disabling TCP/22.
The following explains how to change the SSH port to 33001 and take additional steps to secure your SSH server. The steps all require Administrator access privileges.
The SSH configuration file can be found in the following location:
C:\Program Files[ (x86)]\Aspera\Enterprise Server\etc\sshd_config
The OpenSSH suite included in the installer uses TCP/22 and TCP/33001 as the default ports for SSH connections. Aspera recommends disabling TCP/22 to prevent security breaches of your SSH server.
Save a backup of the /System/Library/LaunchDaemons/ssh.plist file to ssh.plist.bak, then edit ssh.plist to use the second SSH port (which is demonstrated in the sample below).
To apply the changes, restart your SSH service. Restarting your SSH server does not impact currently connected users. To restart the SSH server, go to Remote Login from the left panel. Under Allow access for:, select All users, or specify individual user accounts for the FASP connections.. Uncheck and then re-check
Once your client users have been notified of the port change (from TCP/22 to TCP/33001), you can disable port 22 in your sshd_config file. To disable TCP/22 and use only TCP/33001, comment out "Port 22" in your sshd_config file.
... #Port 22 Port 33001 ...
To make an impromptu connection to TCP/33001 during an ascp session, specify the SSH port (33001) with the -P (capital P) flag. Note that this command does not alter ascp or your SSH server's configuration.
> ascp -P 33001 ...
In OpenSSH versions 4.4 and newer, disable SSH tunneling to avoid potential attacks; thereby only allowing tunneling from Administrator group users. To disable non-admin SSH tunneling, open your SSH Server configuration file, sshd_config, with a text editor.
Add the following lines to the end of the file (or modify them if they already exist):
... AllowTcpForwarding no MatchGroupAdministrators AllowTcpForwarding yes
Depending on your sshd_config file, you may have additional instances of AllowTCPForwarding that are set to the default Yes. Review your sshd_config file for other instances and disable as appropriate.
Public key authentication can prevent brute-force SSH attacks if all password-based authentication methods are disabled. For this reason, Aspera recommends disabling password authentication in the sshd_config file and enabling private/public key authentication. To do so, add or uncomment PubkeyAuthentication yes and comment out PasswordAuthentication yes.
... PubkeyAuthentication yes #PasswordAuthentication yes PasswordAuthentication no ...
When you have finished updating your SSH server configuration, you must restart the server to apply your new settings. Restarting your SSH server will not impact currently connected users. To restart your SSH Server, go to Restart.. Locate the OpenSSH Service and click
Aspera recommends reviewing your SSH log periodically for signs of a potential attack. Launch sshd in the Event source menu to display only SSH Server events. You may also apply other conditions when needed.. To see only SSH Server events, select to bring up the filter settings. In tab, select
With a filter applied, you can review the logs in the Event Viewer main window, or selectto export a log file using .txt or .csv format.
Look for invalid users in the log, especially a series of login attempts with common user names from the same address, usually in alphabetical order. For example:
... Mar 10 18:48:02 sku sshd: Failed password for invalid user alex from 188.8.131.52 port 1585 ssh2 ... Mar 14 23:25:52 sku sshd: Failed password for invalid user alice from 184.108.40.206 port 1585 ssh2 ...
If you identify attacks, take the following steps:
These instructions explain one way to change a user account so that it uses the aspshell; there may be other ways to do so on your system.
In the product GUI, go to Configuration > Users > Docroot > Absolute Path. Input a path in the blank field and ensure that Override is checked.
Once you have set the user's docroot, you can further restrict access by disabling read, write and/or browse. You may do so via the product GUI (as shown in the screenshot above).
|Absolute Path||The area of the file system (path) that is accessible to the Aspera user. The default empty value gives a user access to the entire file system.||Path or blank|
|Read Allowed||Setting to true allows users to transfer from the designated area of the file system as specified by the Absolute Path value.||true or false|
|Write Allowed||Setting to true allows users to transfer to the designated area of the file system as specified by the Absolute Path value.||true or false|
|Browse Allowed||Setting to true allows users to browse the directory.||true or false|
To verify the authenticity of the transfer server, the web app passes the client a trusted SSH host key fingerprint of the transfer server. When connecting to the transfer server, the client confirms the server's authenticity by comparing the server's fingerprint with the trusted fingerprint.
To retrieve your fingerprint, run the following command:
> ssh-keygen -l -f ssh_key_filepath
Aspera SSH host keys are located in C:\Program Files[ (x86)]\Aspera\Enterprise Server\etc and named ssh_host_key-type_key.pub.
The output lists the strength of the key, the hash algorithm, the fingerprint, the name of the user and hostname, and the type of key, similar to the following, in which 7qdOwebGGeDeN7Wv+2dP3HmWfP3 is the fingerprint.
2048 SHA1:7qdOwebGGeDeN7Wv+2dP3HmWfP3 SYSTEM@HOST_NAME (RSA)
To set the SSH host key fingerprint, run the following command:
> asconfigurator -x "set_server_data;ssh_host_key_fingerprint,fingerprint"
This command creates a line similar to the following example of the <server> section of aspera.conf:
> sc stop asperanoded > sc start asperanoded