Advanced OpenSSH Features to Harden Access to Your Alibaba Cloud ECS

ssh root@[EIP address of the instance]
Welcome to Alibaba Cloud Elastic Compute Service !

Hardening ECS with OpenSSH

cp /etc/ssh/sshd_config /etc/ssh/backup.sshd_config
PermitRootLogin prohibit-password
PermitRootLogin forced-commands-only
no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="echo 'Please login as the user \"alibabacloud\" rather than the user \"root\".';echo;sleep 10" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDePRIy/ ECS

The /etc/ssh/moduli

awk '$5 > 2000' /etc/ssh/moduli > "${HOME}/moduli"
wc -l "${HOME}/moduli" # make sure there is something left
mv "${HOME}/moduli" /etc/ssh/moduli
ssh-keygen -G /etc/ssh/moduli.all -b 4096
ssh-keygen -T /etc/ssh/moduli.safe -f /etc/ssh/moduli.all
mv /etc/ssh/moduli.safe /etc/ssh/moduli
rm /etc/ssh/moduli.all
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256

Allow/Deny rules

AllowUsers ecs
AllowUsers ecs2
AllowUsers *@mywebserver.alibabacloud.com
AllowUsers *@myprovisioningserver.alibabacloud.com
AllowUsers *@*.alibabacloud.com

Black List with PAM

# /etc/security/pam_abl.conf
debug
host_db=/var/lib/abl/hosts.db
host_purge=2d
host_rule=*:10/1h,30/1d
user_db=/var/lib/abl/users.db
user_purge=2d
user_rule=!root:10/1h,30/1d

ChrootDirectory

cd /home
mkdir ftp
useradd -d /home/ftp -M -N -g users ftp
sudo chown root:root /home/ftp
sudo chmod 755 /home/ftp
#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp
Match User john
ChrootDirectory /home/ftp
ForceCommand internal-sftp
AllowTCPForwarding no
X11Forwarding no
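sshd refuses a chrooted login with "bad ownership or modes for chroot directory" unless every component of the ChrootDirectory path is a root-owned directory that is not writable by group or others, which is why the chown/chmod above are needed. The check below is an added example (not from the original post) that walks the path and reports the offending component; it assumes Linux with GNU `stat -c`.

```shell
#!/bin/sh
# Added example: verify that a ChrootDirectory satisfies sshd's rule that
# every path component is a root-owned directory not writable by group/others.

# Pure check on one component, given the owner uid and the octal mode string
# as printed by `stat -c '%u %a'` (e.g. "0 755", "0 1777"). Returns 0 when OK.
chroot_component_ok() {
    uid=$1; mode=$2
    [ "$uid" = 0 ] || return 1
    r=${mode%?};  o=${mode#$r}       # last octal digit: "other" bits
    rr=${r%?};    g=${r#$rr}         # second-to-last digit: "group" bits
    o=${o:-0};    g=${g:-0}
    [ $(( o & 2 )) -eq 0 ] && [ $(( g & 2 )) -eq 0 ]
}

# Walk from the chroot up to / and inspect every directory, as sshd does.
check_chroot_path() {
    dir=$1; rc=0
    case $dir in /*) ;; *) echo "$dir: must be an absolute path" >&2; return 1 ;; esac
    [ -d "$dir" ] || { echo "$dir: not a directory" >&2; return 1; }
    while :; do
        set -- $(stat -c '%u %a' "$dir")
        if chroot_component_ok "$1" "$2"; then
            echo "ok   $dir (uid=$1 mode=$2)"
        else
            echo "BAD  $dir (uid=$1 mode=$2): must be root-owned and not group/world writable" >&2
            rc=1
        fi
        [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    return "$rc"
}

# Usage: sh check_chroot.sh /home/ftp   (the chroot from the sshd_config above)
if [ $# -gt 0 ]; then
    check_chroot_path "$1"
fi
```

A chroot placed under a sticky world-writable directory such as /tmp fails this check for the same reason it fails in sshd.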

Password, Authentication, and Encryption

Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
RhostsRSAAuthentication no
HostbasedAuthentication no
ChallengeResponseAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no
PermitRootLogin no
PermitEmptyPasswords no

Public Key Authentication and Password Authentication

RSAAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication yes
AuthenticationMethods publickey,password
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 20
# Seconds of inactivity before sshd sends a keepalive request to the client; the default is 0 (disabled)
ClientAliveInterval 40
# Unanswered keepalive requests tolerated before the session is dropped; the default value is 3
ClientAliveCountMax 3
# Don't allow login to accounts with an empty password; the default value is no
PermitEmptyPasswords no

Fail2Ban

#ubuntu
sudo apt-get install fail2ban
#rhel/centos
sudo yum install fail2ban
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
[sshd]
enabled = true
port = ssh
logpath = %(sshd_log)s
service fail2ban restart
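The sshd jail above bans a source once it accumulates `maxretry` (default 5) failures within `findtime`. To see which sources that rule would catch on an existing log before enabling the jail, the following added example (not from the original post or from fail2ban) counts "Failed password" and "Invalid user" entries per source address over constructed auth.log lines in sshd's syslog format; it ignores the time window, so it is a superset of what fail2ban would ban.

```shell
#!/bin/sh
# Added example: per-source failure counting like fail2ban's sshd jail,
# run over auth.log lines. Reports sources at or above THRESHOLD.

# Constructed sample in the format sshd writes to /var/log/auth.log
# (documentation-range addresses, not real hosts).
SAMPLE_AUTH_LOG='Mar  3 10:01:02 ecs sshd[2101]: Failed password for root from 198.51.100.23 port 51234 ssh2
Mar  3 10:01:05 ecs sshd[2101]: Failed password for root from 198.51.100.23 port 51234 ssh2
Mar  3 10:01:09 ecs sshd[2104]: Invalid user admin from 198.51.100.23 port 51290
Mar  3 10:01:09 ecs sshd[2104]: Failed password for invalid user admin from 198.51.100.23 port 51290 ssh2
Mar  3 10:02:00 ecs sshd[2110]: Failed password for ecs from 203.0.113.7 port 40022 ssh2
Mar  3 10:02:30 ecs sshd[2115]: Accepted publickey for ecs from 203.0.113.7 port 40031 ssh2: ED25519 SHA256:constructedfingerprint
Mar  3 10:03:11 ecs sshd[2120]: Failed password for root from 198.51.100.23 port 51300 ssh2'

# failed_ssh_sources THRESHOLD < auth.log
# Prints "<count> <ip>" for every source at or above THRESHOLD, most active first.
# Successful logins ("Accepted ...") are not counted.
failed_ssh_sources() {
    threshold=${1:-5}                     # fail2ban's default maxretry is 5
    awk -v t="$threshold" '
        /sshd\[[0-9]+\]: (Failed password for|Invalid user)/ {
            for (i = 1; i <= NF; i++)      # the source address follows the word "from"
                if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= t) printf "%d %s\n", n[ip], ip }
    ' | sort -rn
}

# Live usage:  failed_ssh_sources 5 < /var/log/auth.log
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_ssh_sources 3
```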
$ ssh -Q cipher
3des-cbc
blowfish-cbc
cast128-cbc
arcfour
arcfour128
arcfour256
aes128-cbc
aes192-cbc
aes256-cbc
rijndael-cbc@lysator.liu.se
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com
[root@localhost ~]# ssh -Q mac
hmac-sha1
hmac-sha1-96
hmac-sha2-256
hmac-sha2-512
hmac-md5
hmac-md5-96
hmac-ripemd160
hmac-ripemd160@openssh.com
umac-64@openssh.com
umac-128@openssh.com
hmac-sha1-etm@openssh.com
hmac-sha1-96-etm@openssh.com
hmac-sha2-256-etm@openssh.com
hmac-sha2-512-etm@openssh.com
hmac-md5-etm@openssh.com
hmac-md5-96-etm@openssh.com
hmac-ripemd160-etm@openssh.com
umac-64-etm@openssh.com
umac-128-etm@openssh.com
$ ssh -Q key
ssh-ed25519
ssh-ed25519-cert-v01@openssh.com
ssh-rsa
ssh-dss
ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521
ssh-rsa-cert-v01@openssh.com
ssh-dss-cert-v01@openssh.com
ecdsa-sha2-nistp256-cert-v01@openssh.com
ecdsa-sha2-nistp384-cert-v01@openssh.com
ecdsa-sha2-nistp521-cert-v01@openssh.com
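The `ssh -Q` listings above show every algorithm the binary supports, including the CBC, arcfour, MD5 and SHA-1 entries that the Ciphers, MACs and KexAlgorithms lines earlier in this post deliberately omit. What matters after editing sshd_config is the effective configuration, which `sshd -T` prints as lowercase `ciphers`, `macs`, `kexalgorithms` and `hostkeyalgorithms` lines. The audit below is an added example (not from the original post); the weak-algorithm patterns are this example's own choice, and the sample `sshd -T` output is constructed.

```shell
#!/bin/sh
# Added example: flag legacy algorithms in `sshd -T` output.

# Patterns a hardened config should not offer: CBC-mode and RC4/3DES/Blowfish/
# CAST ciphers, MD5/SHA-1/RIPEMD/64-bit-UMAC MACs, 1024-bit or SHA-1
# Diffie-Hellman groups, and DSA host keys.
WEAK_ALGO_RE='-cbc|arcfour|3des|blowfish|cast128|md5|hmac-sha1|ripemd|umac-64|group1-|group14-sha1|group-exchange-sha1|ssh-dss'

# weak_ssh_algos < sshd-T-output    prints "<keyword>: <algorithm>" per weak entry
weak_ssh_algos() {
    awk -v re="$WEAK_ALGO_RE" '
        $1 ~ /^(ciphers|macs|kexalgorithms|hostkeyalgorithms)$/ {
            n = split($2, a, ",")
            for (i = 1; i <= n; i++)
                if (a[i] ~ re) printf "%s: %s\n", $1, a[i]
        }'
}

# Constructed sample of `sshd -T` output: the lists from this post with one
# legacy entry left in each of them.
SAMPLE_SSHD_T='ciphers aes128-cbc,chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
macs hmac-md5,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
kexalgorithms diffie-hellman-group1-sha1,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
hostkeyalgorithms ssh-dss,ssh-ed25519,rsa-sha2-512'

# Live usage (needs root):  sshd -T | weak_ssh_algos
printf '%s\n' "$SAMPLE_SSHD_T" | weak_ssh_algos
```

An empty result on the live host means the Ciphers/MACs/KexAlgorithms edits took effect; a non-empty one usually means sshd was not restarted or a later directive overrides the list.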

Restart SSHD

#rhel/centos
/sbin/service sshd restart
#ubuntu (the Debian/Ubuntu service is named "ssh", not "sshd")
/etc/init.d/ssh restart

Automating the Process

  1. Automated discovery of all SSH keys and configuration information
  2. Automation of adding, configuring, removing, and rotating SSH keys
  3. Provide continuous monitoring of SSH keys
  4. Enable forensic-level analysis by logging of all relevant operations and management actions
  5. Audit

References

  1. OpenSSH website
  2. sshd_config man page
  3. SSH tests from Lynis project

Follow me to keep abreast with the latest technology news, industry insights, and developer trends. Alibaba Cloud website:https://www.alibabacloud.com