OpenSUSE 42.3/Hardening SSH

Hardening SSH

Most scripted attacks target the standard port and well-known user names such as root. That is why we move SSH to an unusual port and allow only one specific user ID (without root privileges). Note that the changed port only cuts down automated noise; a targeted attacker who scans all ports will still find the service, so the login restrictions below are the part that actually matters.

Caution: Please prepare an up-to-date backup prior to these configuration steps. If you lock yourself out with a faulty SSH configuration, there is no way back in over the network.
Most server hosting companies, however, offer a web-based management console from which you can boot a rescue system and mount your root file system to correct the settings. Check with your provider whether they offer this.

Caution: Permit the newly configured SSH port in your firewall or once again you will be locked out!

1) In /etc/ssh/sshd_config change the port to the desired value, e.g. "12345" (the line ships commented out as "#Port 22"; remove the comment sign). Open the new port in the firewall, restart the sshd service and test a login via the new port from a second terminal while keeping your current session open.
Only after that connection test succeeds, close port 22 in the firewall. Hint: If you use SuSEfirewall2 instead of the firewall configuration described here, you also have to remove "ssh" from the list of allowed services.

Caution: Before proceeding to the next step, make sure an additional user (without root privileges) already exists or once again you will be locked out! If not done so far, create a new user in YaST (with normal privileges).

2) In /etc/ssh/sshd_config adjust the following 5 parameters and remove the comment signs in front of them (sshd uses the first occurrence of a directive, so an uncommented line must not be preceded by another one of the same name):
=> Parameter "LoginGraceTime" to "2m", meaning the server drops a connection that has not authenticated within 2 minutes
=> Parameter "PermitRootLogin" to "no"
=> Parameter "MaxAuthTries" to "3" authentication attempts per connection
=> Parameter "MaxSessions" to "1", meaning at most one shell, login or subsystem session per SSH connection (this limits connection multiplexing, not the number of separate logins)
=> Parameter "AllowUsers" to the newly created user (without root privileges); any other user name, including root, is then refused before authentication

Remark: The parameter "AllowUsers" does not exist in the shipped example file, so you must add the AllowUsers line manually. Several user names can be listed, separated by spaces.

=> Check the file for syntax errors with sshd's test mode (sshd -t; it prints nothing when the file is fine), then restart the sshd service. Keep your current session open and try from a second terminal whether you can log in using your newly configured user ID. A restart of sshd does not terminate existing sessions, so if the new login fails you can still correct the file from the session you kept open; if you have already lost it, restore your backup.
=> Try to log in as root and confirm that it is refused.

Hints: It is still possible to use multiple shell windows. Each new ssh connection gets its own session, so "MaxSessions 1" only refuses a second session over one multiplexed connection (e.g. ssh ControlMaster), not separate logins. You can also change the current user ID using su - NewUser, where "NewUser" must be a valid account on your system; "AllowUsers" only restricts logins through sshd, not su.
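The following script applies steps 1) and 2) to a copy of sshd_config and verifies the result before anything on the live server is touched. It is an added example, not part of the original page or of openSUSE; the port 12345, the user name "alice" and the sample configuration lines are placeholders constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not from the openSUSE page): edit sshd_config in place and
# verify the hardening directives. Port 12345 and user "alice" are
# placeholders; substitute your own values.
set -eu

# set_opt FILE KEY VALUE
# Replace the first "KEY ..." line, commented out or not, with "KEY VALUE".
# sshd honours the first occurrence of a directive, so rewriting the first
# match is what makes the new value take effect. If KEY is absent (the
# AllowUsers case) the line is inserted before the first "Match" block, or
# appended if there is none, because directives after "Match" would only
# apply conditionally.
set_opt() {
    f=$1; key=$2; value=$3
    tmp=$(mktemp)
    awk -v key="$key" -v value="$value" '
        !done && $0 ~ ("^#?[ \t]*" key "([ \t]|$)") { print key " " value; done = 1; next }
        !done && $0 ~ /^[ \t]*Match([ \t]|$)/        { print key " " value; done = 1 }
        { print }
        END { if (!done) print key " " value }
    ' "$f" > "$tmp"
    mv "$tmp" "$f"
}

# get_opt FILE KEY: print the effective (uncommented) value of KEY, if any.
get_opt() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# harden_sshd_config FILE PORT USER: the five directives from step 2) plus
# the port from step 1).
harden_sshd_config() {
    cfg=$1; port=$2; user=$3
    set_opt "$cfg" Port "$port"
    set_opt "$cfg" LoginGraceTime 2m
    set_opt "$cfg" PermitRootLogin no
    set_opt "$cfg" MaxAuthTries 3
    set_opt "$cfg" MaxSessions 1
    set_opt "$cfg" AllowUsers "$user"
}

# check_sshd_config FILE PORT USER: exit 0 only if every directive is in effect.
check_sshd_config() {
    cfg=$1; port=$2; user=$3
    [ "$(get_opt "$cfg" Port)" = "$port" ] &&
    [ "$(get_opt "$cfg" LoginGraceTime)" = 2m ] &&
    [ "$(get_opt "$cfg" PermitRootLogin)" = no ] &&
    [ "$(get_opt "$cfg" MaxAuthTries)" = 3 ] &&
    [ "$(get_opt "$cfg" MaxSessions)" = 1 ] &&
    [ "$(get_opt "$cfg" AllowUsers)" = "$user" ]
}

# make_sample_config FILE: constructed excerpt resembling the commented-out
# defaults of a stock sshd_config (the real file has many more lines).
make_sample_config() {
    cat > "$1" <<'EOF'
#Port 22
#AddressFamily any
#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
EOF
}

# Dry run on a temporary copy so the demonstration is safe to execute anywhere.
demo() {
    cfg=$(mktemp)
    make_sample_config "$cfg"
    harden_sshd_config "$cfg" 12345 alice
    cat "$cfg"
    if check_sshd_config "$cfg" 12345 alice; then
        echo "all hardening directives in effect"
    else
        echo "hardening incomplete" >&2
    fi
    rm -f "$cfg"
}
demo

# On the real server (as root, from a session you keep open):
#   cp /etc/ssh/sshd_config /root/sshd_config.bak
#   harden_sshd_config /etc/ssh/sshd_config 12345 alice
#   sshd -t                  # syntax check; silent when the file is fine
#   systemctl restart sshd   # then test a new login from a second terminal
```

Run the script as-is to see the rewritten sample; it never touches /etc. The functions are written so that applying them twice leaves exactly one active line per directive, which matters because sshd silently ignores a second "Port" or "AllowUsers" line further down the file.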

Continued: Configuring the firewall