Strengthening SSH Security on Single Board Computers Running Linux Distros: A Step-by-Step Guide
Single board computers (SBCs) powered by Linux distributions are increasingly utilized for diverse applications. However, ensuring the robust security of these devices, especially concerning SSH (Secure Shell) access, is imperative to thwart potential unauthorized access and exploits. In this detailed guide, we’ll delve into comprehensive measures for securing SSH on SBCs running Linux distros, providing explicit commands, code snippets, and configuration samples for each step.
Understanding SSH
SSH is a cryptographic network protocol facilitating secure remote access to computers or servers over unsecured networks. It offers encryption and authentication mechanisms to safeguard data transmission and user credentials from interception and unauthorized access.
For consumers using single board computers (SBCs) at home, whether for personal projects, media centers, or home automation, securing SSH configuration is essential for several reasons:
Protecting personal data: Many users store personal data, including documents, photos, and sensitive information, on their SBCs. Securing SSH helps prevent unauthorized access to this data, safeguarding users’ privacy and confidentiality.
Preventing unauthorized cccess: Home networks are not immune to security threats. Without proper SSH security measures, malicious actors could gain unauthorized access to SBCs, potentially compromising home network security, accessing personal files, or even conducting malicious activities such as launching attacks on other devices on the network.
Safeguarding IoT devices: SBCs are commonly used in DIY home automation projects, controlling smart devices such as lights, thermostats, and security cameras. By securing SSH access, users can prevent unauthorized control or manipulation of these IoT devices, ensuring the integrity and security of their home automation systems.
Mitigating risks of IoT botnets: In recent years, compromised IoT devices have been exploited to form botnets used for launching large-scale cyberattacks. By securing SSH access on SBCs, users can reduce the risk of their devices being hijacked and used as part of botnet armies, contributing to overall internet security.
Preventing unauthorized software installation: With SSH access, users can install, configure, and manage software on their SBCs remotely. However, without proper security measures, unauthorized individuals could exploit this access to install malicious software or make unauthorized changes to the system, potentially compromising the stability and security of the device.
Ensuring family safety: In households with multiple users, securing SSH access helps ensure that only authorized individuals can access and manage the SBC. This prevents accidental or intentional tampering with critical system settings, ensuring the safety and stability of the device for all family members.
Hardening SSH security
1. Update system and SSH software
Before fortifying security measures, ensure your SBC’s operating system and SSH software are up-to-date to patch vulnerabilities and enhance security.
sudo apt update
sudo apt upgrade
2. Disable root login
Prevent direct root login via SSH to mitigate potential brute-force attacks. Create a separate user with sudo privileges for administrative tasks.
Edit SSH configuration file.
sudo nano /etc/ssh/sshd_config
Set PermitRootLogin to no.
PermitRootLogin no
Restart SSH service.
sudo systemctl restart sshd.service
3. Implement strong password policies
Enforce robust password policies for SSH users, including minimum length, complexity, and expiration. Utilize passwd to manage user passwords.
sudo passwd <username>
4. Enable two-factor authentication (2FA)
Enhance security with 2FA, adding an extra layer of authentication. Utilize packages like Google Authenticator.
sudo apt install libpam-google-authenticator
Follow the setup prompts.
google-authenticator
Edit /etc/pam.d/sshd to enable 2FA.
auth required pam_google_authenticator.so
5. Configure SSH key-based authentication
Key-based authentication offers superior security. Generate SSH key pairs on the client machine and transfer the public key to the SBC.
Generate SSH key pair.
ssh-keygen -t ed25519 -C 'Description' -f ~/.ssh/id_ed25519
Transfer public key to SBC.
ssh-copy-id -i ~/.ssh/id_ed25519.pub <username>@<sbc-ip-address>
Disable password authentication in SSH configuration.
sudo nano /etc/ssh/sshd_config
Set PasswordAuthentication to no.
PasswordAuthentication no
Restart SSH service.
sudo systemctl restart sshd.service
6. Restrict SSH access
Limit SSH access to specific IP addresses or networks using firewall rules with ufw.
sudo ufw allow from <trusted-ip-address> to any port 22
sudo ufw enable
7. Change default SSH port
Alter the default SSH port to a non-standard port to deter automated scanning.
Edit SSH configuration file.
sudo nano /etc/ssh/sshd_config
Change Port to desired port (e.g., 2222).
Port 2222
Restart SSH service.
sudo systemctl restart sshd.service
8. Enable SSH logging
Enable SSH logging to monitor and audit access attempts.
Edit SSH configuration file.
sudo nano /etc/ssh/sshd_config
Uncomment or add the following lines.
LogLevel VERBOSE
SyslogFacility AUTH
Restart SSH service.
sudo systemctl restart sshd.service
9. Configure SSH idle timeout
Edit SSH configuration file.
sudo nano /etc/ssh/sshd_config
Add or adjust the following lines.
ClientAliveInterval 300
ClientAliveCountMax 2
Restart SSH service.
sudo systemctl restart sshd.service
10. Disable unused features
Disable features that are not required for your specific use case to reduce the attack surface. Commonly disabled features include X11 forwarding, TCP forwarding, and agent forwarding.
Edit SSH configuration file.
sudo nano /etc/ssh/sshd_config
Disable X11 forwarding.
X11Forwarding no
Disable TCP forwarding.
AllowTcpForwarding no
Disable agent forwarding.
AllowAgentForwarding no
Restart SSH service.
sudo systemctl restart sshd.service
11. Limit User Permissions
Restrict SSH access to specific users or groups to minimize the risk of unauthorized access. Use the AllowUsers or AllowGroups directives to specify permitted users or groups.
Edit SSH configuration file.
sudo nano /etc/ssh/sshd_config
Limit SSH access to specific users.
AllowUsers username1 username2
Or limit SSH access to specific groups.
AllowGroups group1 group2
Restart SSH service.
sudo systemctl restart sshd.service
12. Optimize cryptographic settings
Configure SSH to use strong cryptographic algorithms and key exchange mechanisms to enhance security.
Edit SSH configuration file.
sudo nano /etc/ssh/sshd_config
Restart SSH service.
sudo systemctl restart sshd.service
Disable weak algorithms (e.g., SHA1, MD5).
# Disable weak MAC algorithms
MACs [email protected],[email protected]
# Disable weak key exchange algorithms
KexAlgorithms diffie-hellman-group-exchange-sha256
# Enable strong ciphers
Ciphers [email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
13. Implement rate-limiting for authentication attempts
Mitigate brute-force attacks by configuring SSH to limit the number of authentication attempts per connection or per unit of time.
Install and configure Fail2ban to monitor SSH authentication logs and dynamically block IP addresses that exhibit suspicious behavior.
sudo apt install fail2ban
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local
Add or modify the SSH section to enable SSH rate-limiting.
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 5
Harden the SSH configuration on your single board computers by disabling unused features, limiting user permissions, optimizing cryptographic settings, and implementing rate-limiting for authentication attempts. These measures collectively strengthen the security of SSH access and help safeguard your SBCs against potential security threats and unauthorized access attempts. Regularly review and update your SSH configuration to adapt to evolving security best practices and mitigate emerging risks effectively.
Comments