Nov 27, 2012

SSH Hardening on CentOS 6.3

This is a follow-on post from my guide to installing CentOS 6.2 (or you can read my updated 6.3 version). You can also see my other posts on auditing your software installs, hardening your accounts, network hardening, services hardening and clearing out orphaned packages.

This post outlines how you can harden your SSH server.

  1. Strengthen your iptables firewall rules by editing /etc/sysconfig/iptables and adding or changing the SSH line (NOTE: any existing SSH rule will be for port 22; change it to the new port so that port 22 is no longer open once sshd has moved):
    -A INPUT -m state --state NEW -s network/mask -p tcp --dport 4444 -j ACCEPT
    where network/mask is replaced with your actual network and mask, e.g. 10.0.0.0/24. Keep this rule above the chain's final REJECT line, since rules are matched in order.
  2. Since sshd on CentOS is built against the TCP wrappers library, we also need to allow the service in /etc/hosts.allow:
    sshd: 10.0.0.
    The trailing dot makes this a prefix match on 10.0.0.x. An allow entry only restricts anything if /etc/hosts.deny denies everyone else (for example "sshd: ALL"); hosts.allow is consulted first, so the entry above still admits your network.

  3. Edit /etc/ssh/sshd_config with the following changes. If SELinux is enforcing (the CentOS default), register the new port first with "semanage port -a -t ssh_port_t -p tcp 4444" (from policycoreutils-python), or sshd will be denied permission to bind to it:
    # Listen on port 4444 instead of 22. Leave only one Port line: sshd
    # listens on every Port given, so a forgotten "Port 22" keeps 22 open
    Port 4444

    # Ensure we use Protocol 2 by default
    Protocol 2

    # Idle timeout of 15 minutes. On the OpenSSH 5.3 shipped with CentOS 6,
    # ClientAliveCountMax 0 disconnects the session once ClientAliveInterval
    # seconds pass with no client traffic. A client sending its own
    # ServerAliveInterval keepalives never goes idle by this measure, and
    # OpenSSH 8.2 and later treat a count of 0 as "never disconnect"
    ClientAliveInterval 900
    ClientAliveCountMax 0

    # Ignore ~/.rhosts and ~/.shosts
    IgnoreRhosts yes

    # Do not trust other hosts
    HostbasedAuthentication no

    # Do not allow root logins
    PermitRootLogin no

    # Do not allow empty passwords
    PermitEmptyPasswords no

    #Disable environment alteration
    PermitUserEnvironment no

    #Disable X11 forwarding
    X11Forwarding no

    # Disable TCP forwarding (no -L/-R/-D tunnels through this host)
    AllowTcpForwarding no

    # Log level (INFO is the default; VERBOSE additionally records the
    # fingerprint of the key used for each public-key login)
    LogLevel INFO
  4. Check the configuration and restart the services. Keep your current session open and make a fresh connection to port 4444 from a second terminal before closing it, otherwise a mistake in the steps above locks you out:

    sshd -t
    service iptables restart
    service sshd restart

    sshd -t only parses the configuration and reports errors without starting anything. Restarting iptables before sshd means the new port is already open when sshd moves to it, and your existing session normally survives both restarts (the stock ruleset's ESTABLISHED,RELATED rule keeps it). The network service does not need restarting for any of these changes.
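The following script is an added example and not part of the original post. It applies the step 3 directives to an sshd_config file and audits the result, taking care of the two traps a hand edit tends to hit: the stock file carries commented-out defaults such as "#Port 22" and "#PermitRootLogin yes" that must be replaced rather than duplicated, and sshd uses the first value it sees for most keywords while accumulating every Port line. The function names, the constructed sample config, the backup naming and the /usr/sbin/sshd path are my assumptions; Match blocks and "Key=Value" syntax are not handled.

```shell
#!/bin/sh
# Added example (not from the original post): apply and audit the step 3
# sshd_config directives. Function names, the sample config and the backup
# naming below are assumptions made for this example.
#   ./harden_sshd.sh demo                        # works on a constructed temp copy
#   . ./harden_sshd.sh; harden_sshd_config /etc/ssh/sshd_config

# The directives from step 3 of the post, as KEY=VALUE pairs.
HARDENING_DIRECTIVES='
Port=4444
Protocol=2
ClientAliveInterval=900
ClientAliveCountMax=0
IgnoreRhosts=yes
HostbasedAuthentication=no
PermitRootLogin=no
PermitEmptyPasswords=no
PermitUserEnvironment=no
X11Forwarding=no
AllowTcpForwarding=no
LogLevel=INFO
'

# set_directive FILE KEY VALUE
# Rewrite every line that sets KEY, commented out or not, as "KEY VALUE" and
# append it if none exists. All occurrences are rewritten because sshd takes
# the FIRST value for most keywords and listens on every Port line. Keywords
# match case-insensitively, as in sshd. Assumes a flat file (no Match blocks).
set_directive() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v value="$value" '
        BEGIN { lkey = tolower(key); done = 0 }
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)   # drop indentation and "#"
            n = split(line, f, /[ \t]+/)
            if (n > 0 && tolower(f[1]) == lkey) {
                if (!done) { print key " " value; done = 1 }
                next                           # drop later duplicates
            }
            print
        }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps owner and mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# effective_value FILE KEY: the value sshd would use, i.e. the first
# uncommented occurrence (empty if the keyword is not set).
effective_value() {
    awk -v lkey="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == lkey { print $2; exit }
    ' "$1"
}

# audit_sshd_config FILE: report each directive that differs from the post;
# returns 1 if anything differs, 0 if the file already matches.
audit_sshd_config() {
    file=$1 rc=0
    for pair in $HARDENING_DIRECTIVES; do
        key=${pair%%=*} want=${pair#*=}
        got=$(effective_value "$file" "$key")
        if [ "$got" != "$want" ]; then
            printf '%-24s expected=%s actual=%s\n' "$key" "$want" "${got:-<unset>}"
            rc=1
        fi
    done
    return $rc
}

# harden_sshd_config FILE: back the file up, then apply every directive.
harden_sshd_config() {
    file=$1
    cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)" || return 1
    for pair in $HARDENING_DIRECTIVES; do
        set_directive "$file" "${pair%%=*}" "${pair#*=}" || return 1
    done
}

# validate_sshd_config FILE: parse-only check, run before "service sshd restart".
validate_sshd_config() {
    "${SSHD:-/usr/sbin/sshd}" -t -f "$1"
}

# make_sample_config FILE: a constructed, deliberately weak config laid out
# like a stock file with commented-out defaults (made up for this example).
make_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample, not a real distribution file
#Port 22
#Protocol 2,1
Protocol 2
SyslogFacility AUTHPRIV
#LogLevel INFO
PermitRootLogin yes
PasswordAuthentication yes
#PermitEmptyPasswords no
X11Forwarding yes
Subsystem sftp /usr/libexec/openssh/sftp-server
EOF
}

demo() {
    f=$(mktemp)
    make_sample_config "$f"
    echo "== before =="; audit_sshd_config "$f" || true
    harden_sshd_config "$f"
    echo "== after =="; audit_sshd_config "$f" && echo "all directives set"
    [ -x "${SSHD:-/usr/sbin/sshd}" ] && validate_sshd_config "$f"
    rm -f "$f" "$f".bak.*
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run the audit against the live /etc/ssh/sshd_config after editing by hand to catch a leftover uncommented "Port 22" or a directive that was added below an existing one and therefore ignored; the rewrite is done with cat into the original file rather than mv so the file keeps its owner, mode and SELinux label.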
