Securing Your SSH Server

Keeping your data secure is critically important. Aspera strongly recommends taking additional steps to set up and configure your SSH server to protect against common attacks.

These steps include the following:
  • Changing the TCP port.
  • Configuring transfer server authentication.

Aspera also recommends restricting user access to the server, as described in the user setup instructions later in this guide.

Changing and Securing the TCP Port

SSH servers, including the OpenSSH suite included with your product, listen for incoming connections on TCP Port 22 by default. As such, Port 22 is subject to numerous unauthorized login attempts by hackers who attempt to access unsecured servers. An effective deterrent is to close Port 22 and run the service on a seemingly random port above 1024 (and up to 65535).

To standardize the port for use in Aspera transfers, Aspera recommends setting the TCP port to 33001 and closing TCP/22.

Prerequisites:

  • Before changing the default port for SSH connections, verify with your network administrators that TCP/33001 is open.
  • Before closing port TCP/22, notify users of the change.

Notifying Users - How to Specify TCP/33001

Aspera recognizes that disabling the default SSH connection port (TCP/22) might affect your clients. When you change the port, ensure that you advise your users on how to configure the new port number, from the GUI (if available and used) and from the command line.

  • GUI: To change the SSH port in Desktop Client, click Connections and select the entry for the server whose ports are changing. On the Connection tab, click Show Advanced Settings and enter the SSH port number in the SSH Port (TCP) field.
    Client specifying your computer's SSH Port.
  • Command line: Clients running FASP transfers from the command line can specify the port by using the -P 33001 option.

Changing to TCP/33001

The following steps require root privileges.

  1. Open the SSH configuration file. 
    /etc/ssh/sshd_config
  2. Add the TCP/33001 SSH port and close TCP/22.
    Comment out the line for "Port 22" and add a line for "Port 33001":
    #Port 22 
Port 33001
    Note: If you are using the HST Server web UI (deprecated), you must also update the SshPort value in the <WEB...> section of aspera.conf. For details, see Configuring your Web UI Settings.

    Once this setting takes effect:

    • Aspera clients must set the transfer port to 33001 in the GUI or specify -P 33001 for command line transfers.
    • Server administrators should use ssh -p 33001 to access the server through SSH.
  3. Disable non-admin SSH tunneling.
    These instructions require that OpenSSH 4.4 or newer is installed on your system in order to use the Match directive. Match allows you to selectively override certain configuration options when specific criteria (based on user, group, hostname, or address) are met.

    Open your SSH Server configuration file, sshd_config, with a text editor. Add the following lines to the end of the file (or modify them if they already exist):

    AllowTcpForwarding no
Match Group root 
AllowTcpForwarding yes

    Depending on your sshd_config file, you might have additional instances of AllowTCPForwarding that are set to the default Yes. Review your sshd_config file for other instances and disable if necessary.

    Disabling TCP forwarding does not improve security unless users are also denied shell access, because they can still install their own forwarders. Review your user and file permissions, and see Setting Up Transfer Users (Terminal) for instructions on modifying user shell access.

  4. Update authentication methods
    Public key authentication can prevent brute-force SSH attacks if all password-based authentication methods are disabled. For this reason, Aspera recommends disabling password authentication in the sshd_config file and enabling private/public key authentication.
    Note: Before proceeding, configure at least one non-root, non-transfer user with a public key to use to manage the server. This is because in other server-securing steps, root login is disabled and Aspera recommends that transfer users are restricted to aspshell, which does not allow interactive login. This user and public key is what you use to access and manage the server as an administrator.

    To configure authentication methods, add or uncomment PubkeyAuthentication yes and comment out PasswordAuthentication yes.

    PubkeyAuthentication yes
#PasswordAuthentication yes
PasswordAuthentication no
    Note: If you choose to leave password authentication enabled, be sure to advise account creators to use strong passwords and set PermitEmptyPasswords to "no".
    PermitEmptyPasswords no
  5. Disable root login.
    CAUTION:
    This step disables root access. Make sure that you have at least one user account with sudo privileges before continuing, otherwise you may not have access to administer your server.
    By default, OpenSSH allows root logins. However, disabling root access helps maintain a more secure server. Aspera recommends disabling root access by commenting out PermitRootLogin yes in the sshd_config file and adding PermitRootLogin No.
    #PermitRootLogin yes 
PermitRootLogin no

    Administrators can use the su command when root privileges are necessary.

  6. Restart the SSH server to apply new settings.
    Restarting your SSH server does not affect currently connected users. 
    # systemctl restart sshd.service
    or for Linux systems that use init.d:
    # service sshd restart
  7. Review your logs periodically for attacks.
    You can view the state of active TCP connections by running the netstat command:
    # netstat -an -p tcp

    Typical output shows multiple, different IP addresses connected to specific ports:

      TCP    10.0.111.200:53402     72.21.81.109:80        CLOSE_WAIT
  TCP    10.0.111.200:53865     173.194.202.188:5228   ESTABLISHED
  TCP    10.0.111.200:53876     10.0.9.16:445          TIME_WAIT
  TCP    10.0.111.200:55164     208.85.40.20:443       ESTABLISHED
  TCP    10.0.111.200:55335     207.200.35.240:443     ESTABLISHED
  TCP    10.0.111.200:55444     67.199.110.81:443      ESTABLISHED
  TCP    10.0.111.200:56278     104.24.11.90:443       ESTABLISHED

    If your server is under attack, you might see output similar to the following, in which the same IP address attempts to connect to contiguous ports (hundreds or thousands of times) and the connection is timing out (reporting a status of TIME_WAIT):

      TCP    10.0.111.200:53402     72.21.81.109:60974      TIME_WAIT
  TCP    10.0.111.200:53865     72.21.81.109:60975      TIME_WAIT
  TCP    10.0.111.200:53876     72.21.81.109:60976      TIME_WAIT
  TCP    10.0.111.200:55164     72.21.81.109:60977      TIME_WAIT
  TCP    10.0.111.200:55335     72.21.81.109:60978      TIME_WAIT
  TCP    10.0.111.200:55444     72.21.81.109:60979      TIME_WAIT
  TCP    10.0.111.200:56278     72.21.81.109:60980      TIME_WAIT

    If you see this, review your logs to determine the source and cause.

    Open your syslog, which is located in /var/log/auth.log or /var/log/secure, depending on your system configuration.

    Look for invalid users in the log, especially a series of login attempts with common user names from the same address, usually in alphabetical order. For example:

    ...
Mar 10 18:48:02 sku sshd[1496]: Failed password for invalid user alex from 1.2.3.4 port 1585 ssh2
...
Mar 14 23:25:52 sku sshd[1496]: Failed password for invalid user alice from 1.2.3.4 port 1585 ssh2
...

    If you identify attacks, take the following steps:

    • Double-check the SSH security settings in this topic.
    • Report attackers to your ISP's email address for abuse reports (often abuse@your_isp.com).

Configuring Transfer Server Authentication With the Host-Key Fingerprint

To prevent server impersonation and man-in-the-middle (MITM) attacks, Aspera clients can verify the server's authenticity before starting a transfer by comparing the trusted SSH host key fingerprint (obtained directly from the server admin or through an Aspera client web application) with the host key fingerprint returned when the connection is made. In order to do this, the host key fingerprint or path must be set in the server's aspera.conf.

  1. Set the host key fingerprint or path in the transfer server's aspera.conf file.
    Note: Server SSL certificate validation (HTTPS) is enforced if a fingerprint is specified in aspera.conf and HTTP fallback is enabled. If the transfer "falls back" to HTTP and the server has a self-signed certificate, validation fails. The client requires a properly signed certificate.

    If you set the host key path, the fingerprint is automatically extracted from the key file and you do not extract it manually.

    Retrieving and setting the host key fingerprint:

    1. Retrieve the server's SHA-1 fingerprint. 
      # cat /etc/ssh/ssh_host_rsa_key.pub | awk '{print $2}' | base64 -d | sha1sum
    2. Set the SSH host key fingerprint in aspera.conf. (Go to the next step to set the host key path instead). 
      # asconfigurator -x "set_server_data;ssh_host_key_fingerprint,fingerprint"

      This command creates a line similar to the following example of the <server> section of aspera.conf:

      <ssh_host_key_fingerprint>7qdOwebGGeDeN7Wv+2dP3HmWfP3 
</ssh_host_key_fingerprint>

    Setting the host key path: To set the SSH host key path instead of the fingerprint, from which the fingerprint will be extracted automatically, run the following command:

    # asconfigurator -x "set_server_data;ssh_host_key_path,ssh_key_filepath"

    This command creates a line similar to the following in the <server> section of aspera.conf:

    <ssh_host_key_path>/etc/ssh/ssh_host_rsa_key.pub
</ssh_host_key_path>
  2. Restart the node service to activate your changes.
    Run the following commands to restart asperanoded:
    # /etc/init.d/asperanoded restart