Restricting Access with OpenSSH
Using the latest version of OpenSSH on your server is only the first
step towards providing secure remote access to your server. Here we
attempt to outline several other precautions you can (and should)
take.
First, make sure you are aware of the changes with the latest version
of OpenSSH. Some of the new features, like checking for locked
accounts, can be utilized later on for restricting access for
individual users.
Most of the default options in sshd_config are preferred in
our environment; however, you should turn off PermitRootLogin
and adjust the LogLevel:
PermitRootLogin no
LogLevel VERBOSE
This restricts admins to logging in with their normal user account and
then using su or ksu to obtain root privileges.
Typically, this provides a better audit trail in your logs as opposed
to allowing direct root login from remote systems.
The NCSA Security Team (security@ncsa.uiuc.edu)
recommends that users refrain from setting up passwordless RSA
authentication unless absolutely necessary, especially for the root
user. Attackers that gain access to a single system can
immediately extend their influence to other systems via passwordless
RSA authentication. The temporary convenience is rarely worth the
cost and, many times, passwordless access issues can be better solved with
Kerberos.
The NCSA version of OpenSSH is compiled using the
--with-tcp-wrappers option. This allows the admin to
restrict access to the sshd service based on the hostname or IP
address of the connecting system. Briefly, a mostly-closed policy
that only allows access to sshd from NCSA systems would have
this in /etc/hosts.deny:
ALL : ALL
And this in /etc/hosts.allow:
sshd : 141.142.0.0/255.255.0.0
Be sure to include a newline at the end of the configuration files and
restart sshd when finished.
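The order in which tcp-wrappers consults the two files is what makes
this policy mostly-closed. The following is an added example, not part
of the original page or of the OpenSSH or tcp-wrappers code: a
simplified Python model of that lookup, limited to IPv4, the ALL
wildcard and net/mask patterns. The function names and the client
addresses are constructed for illustration.

```python
import ipaddress

# Policy files from the text above, embedded so the example runs offline.
HOSTS_DENY = "ALL : ALL\n"
HOSTS_ALLOW = "sshd : 141.142.0.0/255.255.0.0\n"

def parse_rules(text):
    """Yield (daemons, clients) lists from hosts.allow / hosts.deny text."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        daemons, clients = [f.strip() for f in line.split(":")][:2]
        yield daemons.replace(",", " ").split(), clients.replace(",", " ").split()

def client_matches(pattern, addr):
    if pattern.upper() == "ALL":
        return True
    if "/" in pattern:  # net/mask form, e.g. 141.142.0.0/255.255.0.0
        return addr in ipaddress.ip_network(pattern, strict=False)
    return pattern == str(addr)  # this model: exact address otherwise

def file_matches(text, daemon, addr):
    return any(
        any(d.upper() == "ALL" or d == daemon for d in daemons)
        and any(client_matches(c, addr) for c in clients)
        for daemons, clients in parse_rules(text)
    )

def is_allowed(daemon, client_ip, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """hosts.allow is consulted first, then hosts.deny; no match grants access."""
    addr = ipaddress.ip_address(client_ip)
    if file_matches(allow, daemon, addr):
        return True
    return not file_matches(deny, daemon, addr)

def missing_final_newline(text):
    """True when the file's last line is unterminated, which the text warns against."""
    return bool(text) and not text.endswith("\n")

if __name__ == "__main__":
    # Constructed client addresses; 192.0.2.10 is a documentation address.
    for daemon, ip in [("sshd", "141.142.2.7"), ("sshd", "192.0.2.10"), ("ftpd", "141.142.2.7")]:
        print(daemon, ip, "allowed" if is_allowed(daemon, ip) else "denied")
    # Without the catch-all deny rule, every unmatched client is let in.
    print("empty hosts.deny:", is_allowed("sshd", "192.0.2.10", deny=""))
```

The last case shows why the ALL : ALL line in /etc/hosts.deny matters:
a client that matches neither file is granted access.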