The SSH port is a very popular target for attack. As soon as an open port is detected, a brute force attack begins. Let's see what can be done to still use SSH for remote administration.
This memo is about Fedora 25; the main ideas apply to other distributions as well.
We will take several steps to ensure the security of our SSH connection. First of all, we will change the port itself. For this example, I have a multihomed server that connects to the internal LAN with one network adapter and is directly connected to the Internet by another network card.
I then used the ListenAddress directive in /etc/ssh/sshd_config to make sshd listen on the desired port "1234" on the external NIC only, while the internal NIC keeps port 22.
# grep Listen /etc/ssh/sshd_config
ListenAddress 192.168.122.190:22
ListenAddress 172.17.2.231:1234
[root@fc25 ~]# service sshd restart
Redirecting to /bin/systemctl restart sshd.service
[root@fc25 ~]# netstat -tlnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.122.190:22      0.0.0.0:*               LISTEN      982/sshd
The new listener on port 1234 did not appear because SELinux is in enforcing mode and does not allow sshd to bind that port. Checking /var/log/messages shows this:
Aug 25 17:03:03 fc25 audit[1129]: AVC avc: denied { name_bind } for pid=1129 comm="sshd" src=1234 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:monopd_port_t:s0 tclass=tcp_socket permissive=0
Install the semanage tool and use it to add the port to the set of ports that sshd is allowed to bind:
[root@fc25 ~]# semanage port -l | grep -w 22
ssh_port_t                     tcp      22
[root@fc25 ~]# semanage port -a -t ssh_port_t -p tcp 1234
ValueError: Port tcp/1234 already defined
[root@fc25 ~]# semanage port -l | grep -w 1234
monopd_port_t                  tcp      1234
[root@fc25 ~]# semanage port -m -t ssh_port_t -p tcp 1234
The port 1234 we selected was already reserved for another service (monopd_port_t). The last command overwrites that reservation. This is not a good idea, because a policy update can restore the default definitions, so it is easier to choose a port number that is not already assigned to anything.
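As an added example (not from the original memo), here is a small shell helper that classifies a candidate port from `semanage port -l` output before you label it. Unlike the `grep -w` check above, it expands comma-separated lists and low-high ranges such as the unreserved_port_t block; the listing embedded in it is constructed, and on a real host you would drop the second argument so the live listing is used.

```shell
#!/bin/sh
# Added example: decide whether a candidate sshd port is safe to label ssh_port_t.
# A plain `semanage port -l | grep -w PORT` misses ports that fall inside a range
# such as "1024-32767", so this parses the listing properly.

# Constructed excerpt of `semanage port -l` output (not captured from a real host);
# it mirrors the page's conflict on tcp/1234 and adds list/range entries.
SEMANAGE_SAMPLE='SELinux Port Type              Proto    Port Number

monopd_port_t                  tcp      1234
ssh_port_t                     tcp      22
unreserved_port_t              tcp      61001-65535, 1024-32767
unreserved_port_t              udp      61001-65535, 1024-32767'

# selinux_port_owner PROTO PORT [LISTING]
# Prints the SELinux port type that claims PROTO/PORT, expanding comma-separated
# lists and LOW-HIGH ranges; prints nothing when no type matches.
# LISTING defaults to the live `semanage port -l` output on a real host.
selinux_port_owner() {
    proto=$1; port=$2
    listing=${3:-$(semanage port -l 2>/dev/null)}
    printf '%s\n' "$listing" | awk -v proto="$proto" -v port="$port" '
        $2 == proto {
            ports = ""
            for (i = 3; i <= NF; i++) ports = ports $i      # rejoin "a-b, c-d" without blanks
            n = split(ports, items, ",")
            for (i = 1; i <= n; i++) {
                if (split(items[i], r, "-") == 2) { lo = r[1]; hi = r[2] } else { lo = hi = items[i] }
                if (port + 0 >= lo + 0 && port + 0 <= hi + 0) { print $1; exit }
            }
        }'
}

# ssh_port_status PORT [LISTING]
# Prints a verdict for a candidate TCP port and returns:
#   0  already ssh_port_t: sshd may bind it as-is
#   1  unreserved or unlabelled: add it with `semanage port -a -t ssh_port_t -p tcp PORT`
#   2  owned by another service's type: `semanage port -m` would hijack it, pick another port
ssh_port_status() {
    owner=$(selinux_port_owner tcp "$1" "$2")
    case "$owner" in
        ssh_port_t)           echo "tcp/$1: already ssh_port_t"; return 0 ;;
        ''|unreserved_port_t) echo "tcp/$1: free, run: semanage port -a -t ssh_port_t -p tcp $1"; return 1 ;;
        *)                    echo "tcp/$1: reserved for $owner, choose another port"; return 2 ;;
    esac
}

# Demo against the constructed listing; on a real host drop the second argument.
for p in 22 1234 2222; do ssh_port_status "$p" "$SEMANAGE_SAMPLE" || :; done
```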
[root@fc25 ~]# service sshd restart
Redirecting to /bin/systemctl restart sshd.service
[root@fc25 ~]# netstat -tlnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 172.17.2.231:1234       0.0.0.0:*               LISTEN      1462/sshd
tcp        0      0 192.168.122.190:22      0.0.0.0:*               LISTEN      1462/sshd
Can you now connect to your server? Surely not; iptables -L -n will show you why. You must allow the new port from the outside world, where EXTIF is the name of your external interface:
-A INPUT -i EXTIF -p tcp -m state --state NEW -m tcp --dport 1234 -j ACCEPT
The next step in improving security is to switch to SSH keys and disable root login with a password. This is achieved with the PermitRootLogin without-password directive in /etc/ssh/sshd_config. After that no password is accepted for root, and a brute-force attack against it is useless.
Once I tried mosh, I could not stop using it. I highly recommend this tool.
[root@fc25 ~]# dnf install mosh
MOSH uses UDP, which lets it keep a session alive even when the client's IP address changes.
You should open the new UDP port in the firewall as well:
-A INPUT -i EXTIF -p udp --dport 1235 -j ACCEPT
Then the usage is:
$ mosh root@myserver --ssh="ssh -p 1234" --server="mosh-server new -p 1235 -s -l LANG=en_US.UTF-8"