Secure your Linux SSH Connections


Securing your endpoints isn’t just a top priority for IT pros, but also for anyone who takes their online safety seriously. For Linux devices, Secure Shell (more commonly referred to as SSH) is the primary protocol for remote authentication and access. Because Linux users rely so heavily on SSH, it’s crucial to optimize the service and configure it with the strongest security options available.

Automox Worklets™ offer multiple solutions to automate the configuration of SSH connection settings on your Linux endpoints.

Automating Linux Endpoint SSH Configuration with Worklets

The five Worklets below should help make your life easier. By using these Worklets to automate SSH configuration on your Linux endpoints, you’ll make them more secure. Don’t worry about accessing each server individually. Instead, set them up automatically on each Linux endpoint with the click of a button. 

1. Disable Remote SSH root Login

On Linux systems, the root account (the account with UID 0) has the highest access rights on the system. This account is often required to make system changes, install software, and modify endpoint settings.

The username for this account is almost always “root.” Because this username is a well-known default, it is routinely targeted in login attempts by bad actors. It’s recommended to restrict the ability to authenticate SSH sessions using the root-level account. Instead, the best practice is to log in with a different account and use privilege escalation as needed.

This Worklet disables the “root” account from authenticating SSH sessions. It works by setting the SSHD configuration value for PermitRootLogin to no, which disables the ability to authenticate as the user “root” through SSH. 

After the configuration is modified, all SSH sign-in attempts must be made using a username that is not “root.” Once the user is signed in, they can leverage the sudo utility to elevate their permissions temporarily and execute privileged commands if they are authorized to do so.

To execute a privileged command as a non-root user, prefix it with sudo. Example:

sudo apt update

If your non-root user is permitted to switch to the root account, you can open a root shell with the command:

sudo su

2. Set SSH Timeout

Prolonged idle SSH connections pose a security risk: an unattended, still-authenticated session can be taken over by anyone who gains access to the terminal or the client machine, leading to unauthorized access. To help prevent this, it’s best to establish a standardized SSH session timeout policy across your Linux endpoints.

However, overly short timeouts may cause inconvenience and hinder productivity among users who require extended periods of inactivity during their work sessions.

This Worklet modifies the Linux endpoint's SSHD configuration to set the SSH timeout. It uses the ClientAliveInterval and ClientAliveCountMax directives to ensure that a session is terminated after a defined period of inactivity.

When setting up this Worklet as a Policy in your Automox Console, you can also define the number of seconds before the session is terminated. 

For instance, setting a ClientAliveInterval of 300 seconds causes a keepalive message to be exchanged between the Linux server and the SSH client every 300 seconds, allowing the server to check whether the user's session should stay active. The ClientAliveCountMax value determines the maximum number of consecutive unanswered keepalive messages before the SSH session is terminated.

Keeping these values to a strict amount can help to maintain SSH session security.

3. Disable Password Authentication for SSH

A simple yet effective method for securing your device and preventing unauthorized access is enforcing the use of public key authentication to authenticate SSH sessions instead of using a password. 

An endpoint that allows SSH password authentication is a potential target for brute-force attacks against default and privileged accounts. By restricting authentication to SSH keys, only authorized users holding a key that matches an installed public key can authenticate to the endpoint.

This Worklet modifies the SSHD configuration file ('/etc/ssh/sshd_config') to set PasswordAuthentication to no, disabling password logins. Then, it restarts the SSH service to apply the change.

Note: Once the Worklet is executed, any user whose workstation doesn’t hold the correct authorized SSH key won’t be able to access the Linux endpoint. So, double-check that you can reach the Linux server via an SSH key before using this Worklet.

4. Enforce Number of SSH Login Attempts

When an outside agent attempts to authenticate via the SSH service on your system, they’re only allowed a certain number of authentication attempts before your Linux server forcefully drops the connection. 

However, these connections can be problematic if they remain open until they’re dropped by the Linux system. Having too many open connections can cause the server performance to degrade and leave it open to compromise. 

This Worklet sets the maximum number of SSH authentication attempts per connection. It works by setting the value of the SSH MaxAuthTries directive to minimize the risk of successful brute-force attacks on the Linux endpoint.

You can also change the number of MaxAuthTries when setting up the policy in your Automox Console. 
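Worklets 1 to 4 above all come down to setting a directive in sshd_config. The following is an added example, not an Automox Worklet, of doing that idempotently from a POSIX shell: it rewrites an existing active or commented-out line rather than appending a duplicate (sshd honours the first occurrence of a keyword, so a blind append is silently ignored), and it validates the file before restarting the service. The values for ClientAliveInterval, ClientAliveCountMax and MaxAuthTries are constructed for the example.

```shell
#!/bin/sh
# Added example (not an Automox Worklet): idempotently set sshd_config
# directives for Worklets 1-4. Operates on the global section only; it does
# not handle directives nested under a "Match" block.
set -eu

# Replace every "Key value" or "#Key value" line with "Key value"; append the
# directive if the file has no such line. sshd uses the FIRST value it reads,
# which is why all copies are rewritten instead of appending a new line.
set_sshd_option() {
    file=$1 key=$2 value=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|$)" "$file"; then
        # sed -i differs between GNU and BSD; a temp file is portable
        sed -E "s|^[[:space:]]*#?[[:space:]]*${key}([[:space:]].*)?$|${key} ${value}|" "$file" > "$file.tmp"
        mv "$file.tmp" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# Print the effective value of a directive (first active occurrence, keywords
# are case-insensitive in sshd_config), or nothing if it is unset.
get_sshd_option() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Apply the four hardening settings from the post (numeric values constructed).
harden_sshd_config() {
    file=$1
    set_sshd_option "$file" PermitRootLogin no          # Worklet 1
    set_sshd_option "$file" ClientAliveInterval 300     # Worklet 2: probe every 300 s ...
    set_sshd_option "$file" ClientAliveCountMax 3       # ... drop after 3 unanswered probes (15 min idle)
    set_sshd_option "$file" PasswordAuthentication no   # Worklet 3
    set_sshd_option "$file" MaxAuthTries 3              # Worklet 4
}

# Never restart sshd on a file that does not parse: a typo here locks out
# every remote administrator. `sshd -t` exits non-zero on a bad config.
apply_sshd_config() {
    sshd -t -f "$1" && systemctl restart sshd
}
```

Run harden_sshd_config against a copy of /etc/ssh/sshd_config first and diff it against the original; only then call apply_sshd_config on the live file.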

5. Enforce SSH Failed Login Firewall Rules

To take your Linux endpoint security even further, the Enforce SSH Failed Login Firewall Rules Worklet gives you the option to enforce firewall blocks and slam the door on bad actors. 

The Worklet analyzes the SSH authentication log of your server and creates firewall rules to block IP addresses that have attempted to sign into SSH using bad passwords, bad SSH keys, and bad usernames. 

The Worklet also creates firewall rules to automatically block any IP addresses that exceed your SSH configuration value for MaxAuthTries.

The purpose of these firewall rules is to terminate connections from IP addresses that regularly attempt to access the SSH service. The result is a much more stable SSH server and significantly fewer failed sign-in attempts moving forward.
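As an added illustration of the log analysis this Worklet performs (this is example code, not the Worklet itself), the shell script below counts failed SSH authentications per source address in sshd's log output and turns the offenders into iptables DROP rules. The log lines, the threshold and the allowlist are constructed; the rules are printed rather than applied so the result can be reviewed first.

```shell
#!/bin/sh
# Added example (not the Automox Worklet): find source addresses with repeated
# failed SSH authentications and generate firewall rules for them.
set -eu

# Print "ip count" for every source with >= THRESHOLD failures. Matches the
# sshd messages for bad passwords, bad keys and bad usernames that the post
# describes, plus the message logged when MaxAuthTries is exceeded.
failed_ssh_ips() {
    log=$1 threshold=$2
    awk -v t="$threshold" '
        /sshd\[[0-9]+\]: (Failed (password|publickey) for|Invalid user|error: maximum authentication attempts exceeded)/ {
            # the source address is the field after "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= t) print ip, n[ip] }' "$log" | sort
}

# Emit one iptables DROP rule on the SSH port per offender, skipping any address
# in the space-separated ALLOWLIST so an administrator cannot lock themselves
# out. Rules are printed, not executed; pipe the output to sh on the host.
drop_rules() {
    log=$1 threshold=$2 allowlist=${3:-}
    failed_ssh_ips "$log" "$threshold" | while read -r ip count; do
        case " $allowlist " in *" $ip "*) continue ;; esac
        printf 'iptables -I INPUT -s %s -p tcp --dport 22 -j DROP  # %s failures\n' "$ip" "$count"
    done
}

# Constructed sample log lines using RFC 5737 documentation addresses.
SAMPLE_LOG='Jan 10 10:01:02 host sshd[1234]: Failed password for root from 192.0.2.10 port 51234 ssh2
Jan 10 10:01:05 host sshd[1234]: Failed password for invalid user admin from 192.0.2.10 port 51235 ssh2
Jan 10 10:01:09 host sshd[1240]: Invalid user test from 192.0.2.10 port 51240
Jan 10 10:02:00 host sshd[1250]: Failed publickey for alice from 198.51.100.7 port 40000 ssh2
Jan 10 10:02:10 host sshd[1251]: Accepted publickey for alice from 198.51.100.7 port 40001 ssh2
Jan 10 10:03:00 host sshd[1260]: error: maximum authentication attempts exceeded for root from 203.0.113.5 port 2222 ssh2 [preauth]'
```

On a real host point failed_ssh_ips at /var/log/auth.log (or the output of journalctl -u ssh) and set the threshold to your MaxAuthTries value; a single failed public-key attempt, like alice's above, then stays below the threshold while a sustained password-guessing source does not.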

Automating Linux SSH configuration the easy way

When it comes to securing your Linux endpoints, ensuring that SSH is as secure as possible should be a top priority.

These Worklets automate the configuration of these settings and give you better protection than the default SSH settings of a Linux operating system. Plus, they help you prioritize your organization’s safety and security.



© 2023 SRC Cyber Solutions LLP. All Rights Reserved.