SSH Server Security Practices.
Recently, I found out that my Raspberry Pi was cracked. I figured out that they got my root access by a brute-force attack. I thought that nobody would know the IP address of my Raspberry Pi. I was so wrong. The hacker was able to crack my root password and put some malware into the root directory.
I guess I was lucky, because the hacker tried to run x86 malware on my Raspberry Pi. I quickly shut down the Pi and took out the SD card. I will replace the SD card with a new card with Minibian installed. Later, I will try to figure out what actually happened.
In this post, I will try to write up some of the best practices for securing your SSH access.
1. Fail2Ban
Fail2ban is one of the most popular intrusion detection/prevention programs; it is written in the Python programming language. It operates by monitoring log files such as `/var/log/auth.log`, `/var/log/apache/access.log`, etc., and uses the information to update firewall rules so that offending IP addresses are rejected for a specified amount of time.
It is, however, designed to reduce the rate of incorrect authentication attempts, not to eliminate the risk of the weak authentication a user has set up. To really protect the services, further measures such as two-factor authentication and public/private keys should be used.
One important thing to note is that Fail2Ban does not work with IPv6. It is also not able to protect against a distributed brute-force attack, where each attacking address stays below the ban threshold.
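To make the log-monitoring idea concrete, here is an added example (not part of the post, and not Fail2ban's own code) that re-implements the core of its `sshd` jail in a few dozen lines: it parses `Failed password` lines from `/var/log/auth.log`, keeps a sliding window per source address, and "bans" an address once it reaches `maxretry` failures inside `findtime` seconds (those two option names are borrowed from Fail2ban's `jail.conf`). The log lines, hostname and addresses are constructed for the example, the year is assumed because syslog timestamps carry none, and the regex is a simplification of Fail2ban's real filter. The third address shows the limitation noted above: failures spread out in time never reach the threshold, which is exactly what a slow or distributed attack exploits.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of the lines sshd writes to /var/log/auth.log. The
# hostname is made up and the addresses come from documentation ranges;
# nothing here is taken from the post. Like real syslog lines, no year.
SAMPLE_AUTH_LOG = """\
Mar  3 10:15:01 raspberrypi sshd[1201]: Failed password for root from 198.51.100.23 port 51022 ssh2
Mar  3 10:15:03 raspberrypi sshd[1203]: Failed password for invalid user admin from 198.51.100.23 port 51030 ssh2
Mar  3 10:15:05 raspberrypi sshd[1205]: Failed password for invalid user pi from 198.51.100.23 port 51041 ssh2
Mar  3 10:15:08 raspberrypi sshd[1207]: Failed password for root from 198.51.100.23 port 51055 ssh2
Mar  3 10:15:09 raspberrypi sshd[1208]: Failed password for invalid user oracle from 198.51.100.23 port 51060 ssh2
Mar  3 10:16:40 raspberrypi sshd[1230]: Failed password for pi from 203.0.113.9 port 40011 ssh2
Mar  3 10:16:42 raspberrypi sshd[1231]: Accepted password for pi from 203.0.113.9 port 40011 ssh2
Mar  3 10:20:00 raspberrypi sshd[1240]: Failed password for root from 192.0.2.77 port 33001 ssh2
Mar  3 10:40:00 raspberrypi sshd[1250]: Failed password for root from 192.0.2.77 port 33002 ssh2
Mar  3 11:00:00 raspberrypi sshd[1260]: Failed password for root from 192.0.2.77 port 33003 ssh2
Mar  3 11:30:00 raspberrypi sshd[1300]: Failed password for root from 203.0.113.9 port 40100 ssh2
Mar  3 11:30:02 raspberrypi sshd[1301]: Failed password for root from 203.0.113.9 port 40101 ssh2
Mar  3 11:30:04 raspberrypi sshd[1302]: Failed password for root from 203.0.113.9 port 40102 ssh2
Mar  3 11:30:06 raspberrypi sshd[1303]: Failed password for root from 203.0.113.9 port 40103 ssh2
Mar  3 11:30:08 raspberrypi sshd[1304]: Failed password for root from 203.0.113.9 port 40104 ssh2
"""

# Simplified version of the pattern Fail2ban's sshd filter matches.
# "invalid user" appears when the account does not exist at all.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text, year=2016):
    """Yield (timestamp, username, source_ip) for every failed-password line.
    `year` is an assumption: syslog lines do not record it."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins, disconnects, etc. are not failures
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["ip"]


def find_bans(log_text, maxretry=5, findtime=600, year=2016):
    """Return {ip: (ban_time, sorted usernames tried)} for each source that
    reached `maxretry` failures within a sliding window of `findtime` seconds,
    which is how Fail2ban's jail decides when to fire its ban action."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)  # ip -> failure timestamps still inside the window
    users = defaultdict(set)    # ip -> account names it tried
    bans = {}
    for ts, user, ip in parse_failures(log_text, year):
        if ip in bans:
            continue  # already banned: the firewall would drop these packets
        users[ip].add(user)
        hits = recent[ip]
        hits.append(ts)
        while hits and ts - hits[0] > window:
            hits.pop(0)  # forget attempts older than findtime
        if len(hits) >= maxretry:
            bans[ip] = (ts, sorted(users[ip]))
    return bans


if __name__ == "__main__":
    for ip, (when, tried) in sorted(find_bans(SAMPLE_AUTH_LOG).items()):
        print(f"{when:%b %d %H:%M:%S} ban {ip:<15} after attempts on: {', '.join(tried)}")
        # A simplified stand-in for the iptables rule Fail2ban's action installs.
        print(f"  iptables -I INPUT -s {ip} -j DROP")
```

Running it bans `198.51.100.23` (five different account names in eight seconds, the pattern the author saw in his log) and `203.0.113.9` (five tries on `root` in 11:30), but never `192.0.2.77`, whose three failures are twenty minutes apart. Lowering `maxretry` or raising `findtime` tightens the net at the cost of locking out a legitimate user who mistypes a password; key-based login sidesteps the trade-off entirely.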
2. Disable Root Login
By default the ssh service is configured to allow login for all users, even the root user. It is always a good idea to disable root login, despite the fact that there are more secure ways to configure root login.
I checked the `/var/log/auth.log` file when my Pi was hacked. All I saw was multiple login attempts with different account names and passwords, one after another. So disabling root access does not secure your system if the hackers can easily guess other accounts' passwords and then use sudo to gain access whenever required.
3. Passwordless Login Using Keys
SSH key pairs (a private key and a public key) are two cryptographically linked keys that can be used to authenticate a client.
The private key, as the name suggests, should be kept private and never shared. The public key, on the other hand, is the one that is shared; in this case it is uploaded to the server so that the client can log in over SSH without a password.
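Sections 2 and 3 both come down to a handful of `sshd_config` directives, and the setting that actually matters is the one sshd ends up using, not the one you think you wrote. The following added example (mine, not the post's or OpenSSH's code) audits a config the way sshd reads it: `#` lines are ignored, a keyword may be followed by whitespace or `=`, the first occurrence of a keyword wins, and a directive that is absent falls back to the daemon's compiled-in default. The two config fragments are constructed; the "default" one mirrors the common package default where `PermitRootLogin yes` is set and `PasswordAuthentication` is left commented out, and the assumed defaults of `yes` for those two keywords match OpenSSH releases before 7.0 (later releases default `PermitRootLogin` to `prohibit-password`). Anything after a `Match` block is conditional, so the parser stops there.

```python
import re

# Constructed sample configs; neither is copied from the post or from a real system.
DEFAULT_SSHD_CONFIG = """\
# Package generated configuration file
Port 22
Protocol 2
PermitRootLogin yes
PubkeyAuthentication yes
#PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
"""

HARDENED_SSHD_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
AllowUsers pi
"""

# Assumed compiled-in defaults when a directive is missing (OpenSSH < 7.0 for
# PermitRootLogin; newer releases default it to prohibit-password).
DEFAULTS = {
    "PermitRootLogin": "yes",
    "PasswordAuthentication": "yes",
    "PubkeyAuthentication": "yes",
}

# The values the post's sections 2 and 3 ask for: no root login, no passwords, keys on.
REQUIRED = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "PubkeyAuthentication": "yes",
}


def parse_sshd_config(text):
    """Return {keyword_lowercased: effective value} using sshd's resolution rules:
    '#' lines are comments, keyword and value are separated by whitespace or '=',
    keywords are case-insensitive, and the FIRST occurrence of a keyword wins.
    Parsing stops at a Match block, whose directives are conditional."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)  # first value wins, later ones are ignored
    return settings


def audit_sshd_config(text):
    """Return [(keyword, effective_value, required_value)] for every directive
    whose effective value (explicit or defaulted) differs from REQUIRED."""
    settings = parse_sshd_config(text)
    findings = []
    for key, required in REQUIRED.items():
        effective = settings.get(key.lower(), DEFAULTS[key])
        if effective.lower() != required:
            findings.append((key, effective, required))
    return findings


if __name__ == "__main__":
    for name, cfg in (("default", DEFAULT_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        findings = audit_sshd_config(cfg)
        print(f"{name}: {'OK' if not findings else str(len(findings)) + ' finding(s)'}")
        for key, effective, required in findings:
            print(f"  {key} is '{effective}' (should be '{required}')")
```

The default fragment yields two findings, `PermitRootLogin` and the commented-out `PasswordAuthentication` that silently defaults to `yes`; the hardened one yields none. The order of operations matters in practice: generate a key pair with `ssh-keygen`, copy the public key to the server's `~/.ssh/authorized_keys` (`ssh-copy-id` does this), confirm a key-based login works from a second terminal, and only then set `PasswordAuthentication no` and restart sshd, checking the file first with `sshd -t` so a typo cannot lock you out. `AllowUsers` is an extra narrowing the author's log argues for: an account name the attacker guesses is useless if sshd refuses it outright.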
4. Two Factor Authentication
Yes, you read that right. Two-factor authentication can be enabled on a Linux distribution, thanks to Google and some hard-working developers.
How to set up two-factor authentication will be my next article. Stay tuned.