Simple Python Script For SSH Hardening Tips

SSH is my go-to tool for remotely managing servers, VMs, routers, blades… you name it. SSH provides robust security by encrypting the communication between server and client, giving protection against eavesdropping, session hijacking and other man-in-the-middle (MiTM) attacks. SSH is both a communication protocol (RFC 4253) and an application (OpenSSH).

Given the importance of SSH for remote management and its role as an encryption engine for applications such as scp, sftp etc., SSH server (sshd) requires hardening in production networks. The SSH server’s configuration file sshd_config sports many versatile options to tighten up its security. In fact, hardening SSH server mostly requires these options to be set to correct values. Would it not be great if there’s a script that analyses the current sshd_config and suggests the security first principles so the attack surface of SSH gets reduced? And hence this vanilla Python script:

OUTPUT:
[deepak@rhce ~]$ sudo python ssh_hardening_tips.py 
[sudo] password for deepak: 

		 +-+ +-+ +-+   +-+ +-+ +-+ +-+ +-+ +-+ +-+ +-+ +-+
 		 |S| |S| |H|   |H| |A| |R| |D| |E| |N| |I| |N| |G|
 		 +-+ +-+ +-+   +-+ +-+ +-+ +-+ +-+ +-+ +-+ +-+ +-+			

          
##### Parsing /etc/ssh/sshd_config #####


##### Testing Publickey Authentication #####
[GOOD] Publickey authentication has enabled.


##### Testing Root Login Access #####
[BAD] Root Login is allowed.
[RECOMMENDATION] Disable root user login via SSH. Set "permitrootlogin" to no.


##### Testing SSH Service Port Number #####
[BAD] SSH daemon is listening on the default tcp port
[RECOMMENDATION] Change the ssh's port number to an unprivileged one (larger than 1024)
[WARNING] Changing ssh to listen on a non-default port requires changing the configuration of all the services that rely on ssh.


##### Testing Login Grace Time #####
[BAD] User has two minutes to enter the username & password before the ssh session expires. This is vulnerable to password bruteforcing.
[RECOMMENDATION] Change the "logingracetime" to less than 60 (1 minute)
[WARNING] Changing the logingracetime to too low a value may cause inconvinience to remote users.


##### Testing SSH Session Timeout #####
[BAD] SSH client can communicate with the server indefinitely.
[RECOMMENDATION] Force the SSH client to timeout after a reasonable time (that is enough to do administrative tasks). For example to make the client to timeout automatically after 10 minutes (600 seconds), set "clientaliveinterval" to 600 & "clientalivecountmax" to 0.
[WARNING] Beware that the ssh session expires abruptly before you could save your work :(


##### Testing Maximum Authentication Attempts #####
[BAD] User can try authenication 6 times should he/she fails
[RECOMMENDATION] Restrict the failed authentication attempts to not more than 3


##### Testing The Use of X11 Forwarding #####
[BAD] The display server on the client might have a hither exposure to be attacked with X11 traffic forwarded.
[RECOMMENDATION] Disable X11 forwrding by setting "x11forwarding" to no.


##### Testing Authentication via Rhosts #####
[GOOD] Rhosts authentication is disabled.


##### Testing Empty Passwords #####
[GOOD] Empy passwords are not allowed.


##### Testing SSH Protocol Version #####
[GOOD] Only SSH2 is allowed.

running-ssh-hardening-tipsI wrote the above script exclusively for and on Red Hat Enterprise Linux (RHEL) 6 which uses Python 2.6. The logic is extremely simple and can be easily extended to support other distributions.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s