[et_pb_section fb_built=”1″ _builder_version=”4.17.3″ _module_preset=”default” custom_padding=”0px||||false|false” global_colors_info=”{}”][et_pb_row _builder_version=”4.17.3″ _module_preset=”default” global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.17.3″ _module_preset=”default” global_colors_info=”{}”][et_pb_image src=”https:\/\/www.dsecbypass.com\/wp-content\/uploads\/2022\/05\/ssh_landscape_lyon.png” alt=”SSH landscape Lyon” title_text=”ssh_landscape_lyon” _builder_version=”4.17.4″ _module_preset=”default” width=”50%” module_alignment=”center” global_colors_info=”{}”][\/et_pb_image][et_pb_text _builder_version=”4.17.4″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n
The SSH remote access service allows remote administration of servers, PCs or network equipment. It is available on both Linux and MAC OS as well as Windows. It allows easy and remote access to equipment, with the privileges of the chosen user.<\/p>\n
We will then speak of an SSH server<\/strong>, on which the user, the SSH client,<\/strong> connects.<\/p>\n Often exposed on the Internet, it is necessary to follow some SSH security best practices<\/strong> in order to reduce the risks.<\/p>\n [\/et_pb_text][et_pb_text _builder_version=”4.17.4″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n Several risks exist on an exposed SSH service:<\/p>\n Once the service is compromised, attackers will very often deploy a cryptocurrency miner, deface the website or resell access to the server in a network of botnets<\/em>.<\/p>\n In some cases, the attack can be targeted and give access to the company’s internal network. The hacker will then favor a ransomware<\/em> attack, data theft or a scam to the president.<\/p>\n <\/p>\n An external penetration test<\/a>ensures that it is not possible for an attacker to exploit the SSH service.<\/p>\n In the cas of a jump hostor a bastion<\/em>, it is advised to perform a whitebox pentest assessment<\/strong> (access to different account levels and to the configuration) in order to test, for example, partitioning between accounts, bypassing network filtering from the SSH server and service configuration.<\/p>\n In order to audit itself the hardening of the algorithms of its SSH services, the Linux tool ssh-audit<\/strong> (https:\/\/github.com\/jtesta\/ssh-audit<\/a>) can be used.<\/p>\n To install it on Kali Linux:<\/p>\n sudo apt install ssh-audit<\/p>\n ssh-audit -p PORT @IP<\/p>\n<\/blockquote>\n For example: ssh-audit -p 2222 127.0.0.1 will test the hardening of the algorithms and report potential CVEs on the server version.<\/p>\n For an audit of the SSH server configuration itself, the Linux Lynis<\/strong>tool (https:\/\/github.com\/CISOfy\/lynis<\/a>) includes SSH checks to increase the level of security. Its use is described in the official documentation: https:\/\/cisofy.com\/documentation\/lynis\/get-started\/#installation-git<\/a>. It is therefore sufficient to run Lynis on the SSH server in order to detect potential weaknesses in its configuration.<\/p>\n <\/p>\n SSH server configuration resides in Linux file \/etc\/ssh\/sshd_config<\/em> and Windows %programdata%\\ssh\\sshd_config<\/span><\/span><\/em>.<\/p>\n The following principles and configuration points can be used to enhance the security of the SSH service:<\/p>\n \u2714\ufe0f Favor SSH key based authentication<\/strong> rather than by password<\/p>\n \u2714\ufe0f Protect your SSH key<\/em> with a complex passphrase<\/strong><\/p>\n \u2714\ufe0f Do not accept empty passwords<\/strong><\/p>\n \u2714\ufe0f Limit the number of invalid authentications<\/p>\n \u2714\ufe0f Secure root account<\/p>\n \u2714\ufe0f Complement this limit with a system to ban IPs<\/strong> that attack the service<\/p>\n \u2714\ufe0f If possible, create a whitelist of Linux groups or users<\/strong> authorized to connect in SSH:<\/p>\n \u2714\ufe0f Reduce information leaks<\/strong> in the file known_hosts :<\/p>\n \u2714\ufe0f Reduce information leaks<\/strong> from the SSH service banner:<\/p>\n \u2714\ufe0f Change the default listening port<\/strong> (22) to a non-standard port (and not 2222 either) in order to decrease the “noise” generated by scanners on the Internet<\/p>\n \u2714\ufe0f Protect SSH access with VPN access or restricting the IP addresses<\/strong> you and your providers use when possible<\/p>\n \u2714\ufe0f Consider a “jumphost<\/em>” architecture when a large number of SSH services must be accessible<\/p>\n For correspondences with the OpenSSH configuration under Windows, see the official documentation: https:\/\/docs.microsoft.com\/fr-fr\/windows-server\/administration\/openssh\/openssh_server_configuration<\/a>.<\/p>\n Note:<\/span> these recommendations should be applied according to your needs and your environment, after ensuring that they do not impact access to services.<\/p>\n References: https:\/\/www.ssi.gouv.fr\/administration\/guide\/recommandations-pour-un-usage-securise-dopenssh<\/a> | https:\/\/www.ssh-audit.com\/hardening_guides.html<\/a> | https:\/\/linux-audit.com\/audit-and-harden-your-ssh-configuration\/<\/a><\/p>\n [\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.17.3″ _module_preset=”default” global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.17.3″ _module_preset=”default” global_colors_info=”{}”][et_pb_text _builder_version=”4.17.4″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n \ud83d\udee1\ufe0f DSecBypass supports you in securing your SSH services during external pentests<\/a> or internal security audits<\/a>, with quality services and significant experience in this type of service. Do not hesitate to contact <\/a>us for additional information and\/or a personalized quote \ud83d\udcdd.<\/span><\/p>\n [\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.17.3″ _module_preset=”default” global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.17.3″ _module_preset=”default” global_colors_info=”{}”][et_pb_button button_url=”https:\/\/www.dsecbypass.com\/en\/contact\/” button_text=”CONTACT US” button_alignment=”center” _builder_version=”4.17.4″ _module_preset=”default” custom_button=”on” button_text_size=”13px” button_bg_color=”#4328b7″ button_border_width=”10px” button_border_color=”#4328b7″ button_border_radius=”0px” button_letter_spacing=”2px” button_font=”Titillium Web|700||on|||||” background_layout=”dark” global_colors_info=”{}”][\/et_pb_button][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":" The SSH remote access service allows remote administration of servers, PCs or network equipment. It is available on both Linux and MAC OS as well as Windows. It allows easy and remote access to equipment, with the privileges of the chosen user.<\/p>\n We will then speak of an SSH server, on which the user, the SSH client, connects.<\/p>\n Often exposed on the Internet, it is necessary to follow some SSH security best practices in order to reduce the risks.<\/p>\n","protected":false},"author":4,"featured_media":1677,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":""},"categories":[34],"tags":[],"class_list":["post-1815","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-en"],"_links":{"self":[{"href":"https:\/\/www.dsecbypass.com\/en\/wp-json\/wp\/v2\/posts\/1815","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.dsecbypass.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.dsecbypass.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.dsecbypass.com\/en\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.dsecbypass.com\/en\/wp-json\/wp\/v2\/comments?post=1815"}],"version-history":[{"count":9,"href":"https:\/\/www.dsecbypass.com\/en\/wp-json\/wp\/v2\/posts\/1815\/revisions"}],"predecessor-version":[{"id":2473,"href":"https:\/\/www.dsecbypass.com\/en\/wp-json\/wp\/v2\/posts\/1815\/revisions\/2473"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.dsecbypass.com\/en\/wp-json\/wp\/v2\/media\/1677"}],"wp:attachment":[{"href":"https:\/\/www.dsecbypass.com\/en\/wp-json\/wp\/v2\/media?parent=1815"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.dsecbypass.com\/en\/wp-json\/wp\/v2\/categories?post=1815"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.dsecbypass.com\/en\/wp-json\/wp\/v2\/tags?post=1815"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}} What are the risks?<\/h2>\n
\n
Check the security level of your SSH access<\/h2>\n
\n
SSH security best practices<\/h2>\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n