# Network Security (OpenSSH) ## 1. Introduction to OpenSSH OpenSSH (Open Secure Shell) is a suite of secure networking utilities based on the SSH (Secure Shell) protocol. It provides encrypted communication sessions over a computer network, allowing secure remote access, file transfers, and command execution. ## 2. Key Features of OpenSSH - Encrypted communication - Public key authentication - Port forwarding - X11 forwarding - SFTP (Secure File Transfer Protocol) subsystem ## 3. Installation Most Unix-like systems come with OpenSSH pre-installed. For other systems: - Ubuntu/Debian: `sudo apt-get install openssh-server` - CentOS/RHEL: `sudo yum install openssh-server` - macOS: Comes pre-installed - Windows: Use OpenSSH or third-party implementations like PuTTY ## 4. Basic Configuration The main configuration file is `/etc/ssh/sshd_config`. Key settings include: - Port: Change default port (22) to reduce automated attacks - PermitRootLogin: Disable direct root login - PasswordAuthentication: Disable password authentication - PubkeyAuthentication: Enable public key authentication Example: ```ini Port 2222 PermitRootLogin no PasswordAuthentication no PubkeyAuthentication yes ``` ## 5. Public Key Authentication Generate a key pair: ```bash ssh-keygen -t rsa -b 4096 ``` Transfer the public key to the server: ```bash ssh-copy-id user@server ``` ## 6. Firewall Configuration Restrict SSH access using a firewall. For example, with UFW: ```bash sudo ufw allow 2222/tcp sudo ufw enable ``` ## 7. Fail2Ban Install and configure Fail2Ban to protect against brute-force attacks: ```bash sudo apt-get install fail2ban ``` Configure in `/etc/fail2ban/jail.local`: ```ini [sshd] enabled = true port = 2222 filter = sshd logpath = /var/log/auth.log maxretry = 3 ``` ## 8. Two-Factor Authentication (2FA) Install Google Authenticator: ```bash sudo apt-get install libpam-google-authenticator ``` Run the initialization: ```bash google-authenticator ``` Modify `/etc/pam.d/sshd`: ```ini auth required pam_google_authenticator.so ``` Update `/etc/ssh/sshd_config`: ```ini ChallengeResponseAuthentication yes ``` ## 9. SSH Keys Management - Use ssh-agent for convenient key management - Implement SSH certificates for larger deployments ## 10. Port Forwarding Local port forwarding: ```bash ssh -L 8080:localhost:80 user@server ``` Remote port forwarding: ```bash ssh -R 8080:localhost:80 user@server ``` ## 11. SFTP Configuration Configure SFTP-only access for certain users: ```ini Match Group sftponly ChrootDirectory /home/%u ForceCommand internal-sftp AllowTcpForwarding no X11Forwarding no ``` ## 12. Logging and Monitoring - Enable verbose logging in sshd_config - Use tools like Logwatch or OSSEC for log analysis - Implement centralized logging with solutions like ELK stack ## 13. Regular Updates Keep your OpenSSH installation and the host system up-to-date: ```bash sudo apt-get update && sudo apt-get upgrade ``` ## 14. Security Auditing Regularly audit your SSH configuration using tools like: - ssh-audit - Lynis ## 15. Best Practices - Use strong, unique passwords for each account - Implement the principle of least privilege - Regularly rotate SSH keys - Use SSH protocol version 2 only - Disable unused features and remove unnecessary user accounts ## 16. Troubleshooting - Check logs in `/var/log/auth.log` or `/var/log/secure` - Use `ssh -v` for verbose output during connection attempts - Verify file permissions (e.g., `~/.ssh` should be 700, `~/.ssh/authorized_keys` should be 600) ## Conclusion: Implementing these measures will significantly enhance the security of your SSH setup. However, security is an ongoing process. Stay informed about the latest vulnerabilities and best practices, and regularly review and update your configuration.