Securing your SSH Server

Secure your SSH server to prevent potential security risks.

Print this page

Introduction

Keeping your data secure it critically important. Aspera strongly encourages you to take additional steps in setting up and configuring your SSH server so that it is protected against common attacks. Most automated robots will try to log into your SSH server on Port 22 as root, with various brute force and dictionary combinations in order to gain access to your data. Furthermore, automated robots can put enormous loads on your server as they perform thousands of retries to break into your system. This topic addresses steps to take in securing your SSH server against potential threats, including changing the default port for SSH connections from TCP/22 to TCP/33001.

Why Change to TCP/33001?

It is well known that SSH servers listen for incoming connections on TCP Port 22. As such, Port 22 is subject to countless, unauthorized login attempts by hackers who are attempting to access unsecured servers. A highly effective deterrent is to simply turn off Port 22 and run the service on a seemingly random port above 1024 (and up to 65535). To standardize the port for use in Aspera transfers, we recommend using TCP/33001.

IMPORTANT NOTE: You need Root access privileges to perform the steps below.

  1. Locate and open your system's SSH configuration file

    Open your SSH configuration file with a text editor. You will find this file in the following system location:

    /etc/ssh/sshd_config

  2. Add new SSH port

    IMPORTANT NOTE: Before changing the default port for SSH connections, please verify with your network administrators that TCP/33001 is open.

    The OpenSSH suite included in the Enterprise Server installer uses TCP/22 as the default port for SSH connections. Aspera recommends opening TCP/33001 and disabling TCP/22 to prevent security breaches of your SSH server.

    To enable TCP/33001 while your organization is migrating from TCP/22, open Port 33001 within your sshd_config file (where SSHD is listening on both ports). As demonstrated by this exercise, SSHD is capable of listening on multiple ports.

    ...
Port 22
Port 33001
...

    Once your client users have been notified of the port change (from TCP/22 to TCP/33001), you can disable Port 22 in your sshd_config file. To disable TCP/22 and use only TCP/33001, comment-out Port 22 in your sshd_config file.

    ...
#Port 22
Port 33001
...

  3. Disable non-admin SSH tunneling

    IMPORTANT NOTE: The instructions below assume that OpenSSH 4.4 or newer is installed on your system. For OpenSSH 4.4 and newer versions, the "Match" directive allows some configuration options to be selectively overridden if specific criteria (based on user, group, hostname and/or address) are met. If you are running an OpenSSH version older than 4.4, the "Match" directive will not be available and Aspera recommends updating to the latest version.

    In OpenSSH versions 4.4 and newer, disable SSH tunneling to avoid potential attacks; thereby only allowing tunneling from Root users. To disable non-admin SSH tunneling, add the following lines at the end of the sshd_config file:

    ...
AllowTcpForwarding no
Match Group root
AllowTcpForwarding yes

    Depending on your sshd_config file, you may have additional instances of "AllowTCPForwarding" that are set to the default "Yes." Please review your sshd_config file for other instances and disable as appropriate.

    Note that disabling TCP forwarding does not improve security unless users are also denied shell access, as they can always install their own forwarders. Please review your user and file permissions, as well as refer to the instructions below on modifying shell access.

  4. Update authentication methods

    Public key authentication can prevent brute force SSH attacks if all password-based authentication methods are disabled. Thus, Aspera recommends disabling password authentication in the sshd_config file and enabling private/public key authentication. To do so, add or uncomment PubkeyAuthentication yes in the sshd_config file and comment out PasswordAuthentication yes.

    ...
PubkeyAuthentication yes
#PasswordAuthentication yes
PasswordAuthentication no
...
  5. Disable Root Login

    OpenSSH defaults to allowing root logins; however disabling root access helps you to maintain a more secure server. Aspera recommends commenting out PermitRootLogin yes in the sshd_config file and adding PermitRootLogin No.

    ...
#PermitRootLogin yes
PermitRootLogin no
...

    Administrators can then utilize the su command if root privileges are needed.

  6. Restart the SSH server to apply new settings

    When you have finished updating your SSH server configuration, you must restart or reload the server to apply your new settings. Restarting or reloading your SSH server will not impact currently connected users. To restart or reload your SSH Server, you may use the following commands:

    OS Version Instructions
    RedHat (restart) 
    $ sudo service sshd restart
    RedHat (reload) 
    $ sudo service sshd reload
    Debian (restart) 
    $ sudo /etc/init.d/ssh restart
    Debian (reload) 
    $ sudo /etc/init.d/ssh reload

  7. Review your user and file permissions

    Permissions determine who can access certain files within your system, thereby making it a critical component of securing your server. By default, all user accounts are allowed to browse and read all files in the server.

    To limit the user's access to a portion of the system, set the user account's shell to use the Aspera secured shell (aspshell) and set a document root for the user. The aspshell permits only the following operations:

    • Run Aspera uploads and downloads to or from this computer.
    • Establish connections in the application and browse, create, delete, rename or list contents.

    You may configure aspshell behavior by editing the aspera.conf file (/opt/aspera/etc/aspera.conf). The following template displays access options:

    <file_system>
   <access>
	  <paths>
		 <path>
			<absolute>/sandbox/$(name)</absolute>      <!-- Absolute Path -->
			<read_allowed>true</read_allowed>          <!-- Read Allowed -->
			<write_allowed>true</write_allowed>        <!-- Write Allowed -->
			<dir_allowed>true</dir_allowed>            <!-- Browse Allowed -->
		 </path>
	  </paths>
   </access>
...
</file_system>

    The following is a list of your Aspera product's Docroot configuration options:

    # Field Description Values Default
    1 Absolute Path The Absolute Path describes the area of the file system that is accessible by Aspera users. The default empty value gives users access to the entire file system. file path blank
    2 Read Allowed Setting this to true allows users to transfer from the designated area of the file system as specified by the Absolute Path value.
    • true
    • false
    		 blank
    3 Write Allowed Setting this to true allows users to transfer to the designated area of the file system as specified by the Absolute Path value.
    • true
    • false
    		 blank
    4 Browse Allowed Setting this to true allows users to browse the directory.
    • true
    • false
    		 blank
  8. Run the asp-check tool to check for potential user-security issues

    The asp-check tool performs the following secure checks:

    • Searches for full-access users and reports how many exist on the system. Note that the existence of full-access users does not necessarily indicate that your system is vulnerable; however, it is being brought to the attention of the System Administrator to ensure that the existence of full-access users is intentional.
    • Searches for restricted users and potential misconfigurations, including incorrect login shell (i.e., one that is not restricted via aspshell); SSH tunnel access (which can be used to work around the restricted shell); and docroot setting that allows the user to access the home directory.

    IMPORTANT NOTE: Docroot setting that allows access to the home directory does not necessarily indicate that your system is vulnerable; however, a user with this docroot can download or upload keys in .ssh, as well as upload .login scripts. These capabilities may be used to circumvent the intended, restricted-nature of the user. Aspera highly recommends setting the docroot under the user's home folder (e.g. /home/jane/data) or in an alternate location (e.g. /data).

    To run the asp-check tool, run the following command in a Terminal window:

    $ sudo /opt/aspera/bin/asp-check.sh

    Your search results will appear in the Terminal window, as shown in the example below. If potential issues have been identified, please review your users' settings before proceeding.

    Users with full access: 22 (not considered insecure)
Restricted users: 0
Insecure users: 0
 - no restricted shell (aspshell): 0
 - docroot above home directory: 0
 - ssh tunneling enabled: 0
  9. Review your logs periodically for attacks

    Aspera recommends reviewing your SSH log periodically for signs of a potential attack. Locate and open your syslog, for example, /var/log/auth.log or /var/log/secure. Depending on your system configuration, syslog's path and file name may vary.

    Look for invalid users in the log, especially a series of login attempts with common user names from the same address, usually in alphabetical order. For example:

    ...
Mar 10 18:48:02 sku sshd[1496]: Failed password for invalid user alex from 1.2.3.4 port 1585 ssh2
...
Mar 14 23:25:52 sku sshd[1496]: Failed password for invalid user alice from 1.2.3.4 port 1585 ssh2
...

    If you have identified attacks:

    • Double-check the SSH security settings in this topic.
    • Report attacker to your ISP's abuse email (e.g. abuse@your-isp).