Ways to Secure SSH Port (22)
The SSH protocol is a method for secure remote login to a remote
computer. It is an alternative to insecure remote protocols such as telnet
and rlogin. SSH uses strong encryption for its communication over the network,
and this secure communication maintains integrity and confidentiality. It is
widely used in corporate networks to provide secure access for users and
automated file transfers, and by network administrators for performing
various tasks such as troubleshooting the network and managing the network
infrastructure.
The SSH protocol works on a client-server model: the SSH client initiates
the connection, and the connection is established by the SSH client
connecting to the SSH server. An SSH server is simply a system with SSH
server software installed on it and a particular port (usually 22)
configured to provide the SSH service. An SSH client accesses the SSH service
by connecting to the server's IP address and that specific port.
This section explains how network administrators can
enhance the security of their network infrastructure by securing the
SSH service on an SSH server in multiple ways.
Security measures to be taken to secure the SSH service on the SSH server –
1) Port Forwarding
2) Disable password-based login and use a PGP key (Public Key)
3) Disable root login and limit SSH users' access
4) Google Authenticator
5) Time Scheduling
6) Disable Empty Passwords
Before moving further, let's first install the SSH server on
the machine using the following command –
sudo apt-get install openssh-server
After installing the SSH server, we will start the SSH service
and check its status.
The SSH service is started using the following command –
service ssh start
The status of the SSH service is checked using the
following command –
service ssh status
Now our SSH server is configured and the SSH service is
running on its port 22.
Port Redirection
Our SSH server is up and running, so now we can take our first
security measure, i.e. port redirection. An nmap scan of the client
machine's IP address shows that it is running the SSH service on port 22.
Navigate to /etc/ssh, where we will find a file named
sshd_config; it is the OpenSSH SSH daemon configuration file.
Open the sshd_config file using the nano command –
nano sshd_config
With the changes made in the sshd_config file, we have forwarded
the port from 22 to 2222.
Now, to confirm the port forwarding, we will again run the
nmap scan on our client machine –
nmap 192.168.226.131
The output of the nmap scan shows that TCP port 2222 is open, but
it reports the service as EthernetIP-1, which doesn't give exact
information about the service that is running. Hence we will perform the nmap
scan with the service detection option.
The nmap output makes it clear that the SSH service is running on TCP port 2222,
and it shows the service's version and description.
Securing SSH with Public Key Cryptography
To implement this security measure, we need to install the PuTTY
key generator. The PuTTY key generator is a tool for generating pairs of public and
private SSH keys.
Click the Generate button to generate a public/private SSH key
pair.
After the public and private keys are generated, click Save private key
to save the key; this will save the key as a public key.
Now open the SSH server and type ssh-keygen in a terminal.
The ssh-keygen command creates a folder named .ssh. In that folder, create a
file named authorized_keys and paste into it the
public key generated by the PuTTY key generator.
Now open the PuTTY Configuration window, go
to the Session tab and enter the IP address and port number
of your client's machine where the SSH server is configured.
Navigate to SSH > Auth and give the path
of the ssh_login.ppk file (the
public key that was generated earlier), then click Open.
It will simply use the public key to log in to the SSH
server without asking for a password.
Open the sshd_config file in /etc/ssh
using the nano command. Here we will change the line #PasswordAuthentication.
Current configuration –
#PasswordAuthentication yes
We will change the parameter value from yes to no and remove
the # (hash). Once done, save the changes.
These changes prevent any user from logging in to the SSH server using a password.
PasswordAuthentication no
As you can see, these settings have disabled password-based login, and the server is
indeed asking for a public key to log in.
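The following check is an added example, not part of the original post: it reads sshd_config text and reports which of the measures listed at the top of this article are not yet in effect, treating a commented-out line such as #PasswordAuthentication yes as "default applies". The function names and the sample text are hypothetical, the defaults are those of upstream OpenSSH, and Include files and Match blocks are not evaluated.

```python
import re

# OpenSSH defaults that apply when a keyword is absent or commented out.
DEFAULTS = {"port": "22", "passwordauthentication": "yes",
            "permitrootlogin": "prohibit-password", "permitemptypasswords": "no"}
# Values the measures listed in the article aim for.
WANTED = {"passwordauthentication": "no", "permitrootlogin": "no",
          "permitemptypasswords": "no"}
# Constructed sample: the state after this article's two edits.
SAMPLE = """\
Port 2222
#PermitRootLogin prohibit-password
PasswordAuthentication no
"""


def effective_settings(text):
    """Return the global settings sshd would use for the audited keywords."""
    seen, ports = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # a commented line sets nothing
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()  # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break  # conditional blocks are out of scope here
        if key == "port":
            ports.append(value)  # Port may repeat; sshd listens on each one
        else:
            seen.setdefault(key, value)  # first occurrence wins
    return {**DEFAULTS, **seen, "port": ports or [DEFAULTS["port"]]}


def audit(text):
    """List the measures from this article that are not yet in effect."""
    s = effective_settings(text)
    findings = []
    if "22" in s["port"]:
        findings.append("sshd still listens on port 22")
    for key, wanted in WANTED.items():
        if s[key].lower() != wanted:
            findings.append(f"{key} is {s[key]!r}, expected {wanted!r}")
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE) or "no findings")
```

On the sample, the only finding is the root-login setting, which is still at its default because the line is commented out.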