A quick and easy way to lock down SSH


Anxious to get your Linux server SSH access locked down? Jack Wallen shows you one more step you can take–one that will only take seconds.


If you’re a Linux administrator, chances are really good you spend a lot of time logging in to remote machines with SSH. It’s also very likely that you’ve taken numerous steps to lock down SSH access to those remote servers. In fact, you’re probably using SSH key authentication and denyhosts. Together, those two solutions go a very long way toward hardening access to your remote Linux servers.

But, there’s one more step you can take, one that’s so easy and obvious most admins forget it’s even an option. This particular step doesn’t require any third-party software and can be taken care of in seconds.

Curious? Let’s do this.


What you’ll need

  • A Linux server running the SSH daemon

  • The IP address(es) of any client(s) that need access to the server

You should also have access to the remote server’s console, in case something goes wrong and you lock yourself out of the server, but this is the case anytime you monkey with SSH.

How to allow a client IP address

The first thing we have to do is allow the IP address of every client that will connect to the remote server over SSH. Once you have a list of those IP addresses, you can add them to /etc/hosts.allow. To do this, issue the command (on the remote server):

sudo nano /etc/hosts.allow

At the bottom of that file, add the following:

sshd: IP

Where IP is the IP address of the remote client that needs access to the server. If you have a number of IP addresses, or IP address ranges, you could enter them like so:

sshd: 10.83.33.77/32, 10.63.152.9/32, 10.12.100.11/28, 10.82.192.0/28

Or like so:

sshd : 192.168.1.0/24
sshd : 127.0.0.1
sshd : [::1]

Note above: We’ve also included the server’s own loopback addresses (IPv4 and IPv6), so local SSH connections keep working.

Save and close the file.

How to block all other addresses

Now that we’ve allowed an IP address or list of addresses, it’s time to block all other addresses. One thing to keep in mind is that the server consults hosts.allow first (from top to bottom) and only then hosts.deny (from top to bottom); the first matching rule wins. So an SSH connection attempt from an IP address listed in hosts.allow will be allowed through, even though hosts.deny clearly blocks ALL.

So, to block all other IP addresses, open the necessary file with the command:

sudo nano /etc/hosts.deny

At the bottom of that file, add the following:

sshd: ALL

Save and close the file.

At this point, any client listed in hosts.allow will be allowed through (via SSH) and any client not listed will be denied. There’s no need to restart the SSH daemon to make this work.
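The allow-then-deny lookup order described above is easy to get wrong in a way you only discover after you are locked out. The following Python script is an added example (not part of the original article) that reproduces that order for the rule forms shown here: plain addresses, CIDR prefixes, bracketed IPv6 addresses and ALL. The sample hosts.allow and hosts.deny contents are constructed from the article’s own lines; hostnames, wildcards and EXCEPT clauses from the real hosts_access syntax are deliberately not handled.

```python
"""Evaluate hosts.allow / hosts.deny rules for sshd the way the article describes.

Added example. It reproduces only the rule forms shown in the article
(``daemon: client, client`` with plain addresses, CIDR prefixes, bracketed
IPv6 addresses and ALL) so a rule set can be checked before it is saved.
"""
import ipaddress

# Constructed sample files (not copied from a real server): the article's
# allow list plus the catch-all deny rule.
HOSTS_ALLOW = """\
# comment lines and blank lines are ignored
sshd: 10.83.33.77/32, 10.63.152.9/32, 10.12.100.11/28, 10.82.192.0/28
sshd : 192.168.1.0/24
sshd : 127.0.0.1
sshd : [::1]
"""

HOSTS_DENY = """\
sshd: ALL
"""


def parse_rules(text):
    """Return a list of (daemon, [client patterns]) tuples, one per rule line."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        daemon, _, clients = line.partition(":")
        patterns = [c.strip() for c in clients.split(",") if c.strip()]
        rules.append((daemon.strip(), patterns))
    return rules


def client_matches(pattern, client_ip):
    """True if a single client pattern covers client_ip."""
    if pattern == "ALL":
        return True
    pattern = pattern.strip("[]")           # IPv6 addresses appear in brackets
    try:
        network = ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        return False                        # hostnames/wildcards: not modelled here
    addr = ipaddress.ip_address(client_ip)
    return addr.version == network.version and addr in network


def rule_hits(rules, client_ip):
    """True if any rule for sshd (or for ALL daemons) matches the client."""
    return any(
        daemon in ("sshd", "ALL") and any(client_matches(p, client_ip) for p in patterns)
        for daemon, patterns in rules
    )


def sshd_decision(client_ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Mimic the lookup order: hosts.allow first, then hosts.deny, else allow.

    The final fallback is the important caveat: with no matching rule in
    either file the connection is permitted, so forgetting 'sshd: ALL' in
    hosts.deny leaves the server open to every address.
    """
    if rule_hits(parse_rules(allow_text), client_ip):
        return "allow"
    if rule_hits(parse_rules(deny_text), client_ip):
        return "deny"
    return "allow"


if __name__ == "__main__":
    # A few constructed client addresses to exercise the rule set.
    for ip in ("10.83.33.77", "10.12.100.5", "10.12.100.20",
               "192.168.1.200", "203.0.113.9", "::1", "2001:db8::1"):
        print(f"{ip:>14}  ->  {sshd_decision(ip)}")
```

Run it before you save the real files and adjust the sample text to match what you intend to write; a client address that comes back as "deny" for your own workstation is the lockout the console access mentioned earlier is there to recover from. Note that these files only have an effect when sshd is linked against the TCP Wrappers library (libwrap); `ldd /usr/sbin/sshd | grep libwrap` shows whether your build is.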

With the combination of SSH key authentication, denyhosts, and hosts.allow/hosts.deny, secure shell access to your Linux servers will be about as tight as you can get it.

