The SSH protocol is recommended for remote login and remote file transfer. SSH provides confidentiality and integrity for data exchanged between two systems, as well as server authentication, through the use of public key cryptography. The implementation included with the system is called OpenSSH, and more detailed documentation is available from its website, http://www.openssh.org. Its server program is called sshd and provided by the RPM package openssh-server.
3.5.1 Disable OpenSSH Server if Possible
Unless the system needs to provide the remote login and file transfer capabilities of SSH, disable and remove the OpenSSH server and its configuration.
3.5.1.1 Disable and Remove OpenSSH Software
Disable and remove openssh-server with the commands:
# chkconfig sshd off
# yum erase openssh-server
CCE 4268-9, 4272-1
Users of the system will still be able to use the SSH client program /usr/bin/ssh to access SSH servers on other systems.
3.5.1.2 Remove SSH Server iptables Firewall Exception
Edit the files /etc/sysconfig/iptables and /etc/sysconfig/ip6tables (if IPv6 is in use). In each file, locate and delete the line:
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
CCE 4295-2
By default, inbound connections to SSH's port are allowed. If the SSH server is not being used, this exception should be removed from the firewall configuration. See Section 2.5.5 for more information about Iptables.
3.5.2 Configure OpenSSH Server if Necessary
If the system needs to act as an SSH server, then certain changes should be made to the OpenSSH daemon configuration file /etc/ssh/sshd_config. The following recommendations can be applied to this file. See the sshd_config(5) man page for more detailed information.
3.5.2.1 Ensure Only Protocol 2 Connections Allowed
Only SSH protocol version 2 connections should be permitted. Version 1 of the protocol contains security vulnerabilities. The default setting shipped in the configuration file is correct, but it is important enough to check.
Verify that the following line appears:
Protocol 2
CCE 4325-7
3.5.2.2 Limit Users’ SSH Access
By default, the SSH configuration allows any user to access the system. In order to allow all users to log in via SSH but deny only a few users, add or correct the following line:
DenyUsers USER1 USER2
Alternatively, if it is appropriate to allow only a few users access to the system via SSH, add or correct the following line:
AllowUsers USER1 USER2
3.5.2.3 Set Idle Timeout Interval for User Logins
SSH allows administrators to set an idle timeout interval. After this interval has passed, the idle user will be automatically logged out.
Find and edit the following lines in /etc/ssh/sshd_config as follows:
ClientAliveInterval interval
ClientAliveCountMax 0
The timeout interval is given in seconds. To have a timeout of 15 minutes, set interval to 900.
CCE 14061-6
If a shorter timeout has already been set for the login shell, as in Section 2.3.5.5, that value will preempt any SSH setting made here. Keep in mind that some processes may stop SSH from correctly detecting that the user is idle.
3.5.2.4 Disable .rhosts Files
SSH can emulate the behavior of the obsolete rsh command in allowing users to enable insecure access to their accounts via .rhosts files.
To ensure that this behavior is disabled, add or correct the following line:
IgnoreRhosts yes
CCE 4475-0
3.5.2.5 Disable Host-Based Authentication
SSH’s cryptographic host-based authentication is slightly more secure than .rhosts authentication, since hosts are cryptographically authenticated. However, it is not recommended that hosts unilaterally trust one another, even within an organization.
To disable host-based authentication, add or correct the following line:
HostbasedAuthentication no
CCE 4370-3
3.5.2.6 Disable root Login via SSH
The root user should never be allowed to log in directly over a network, as this both reduces auditable information about who ran privileged commands on the system and allows direct attack attempts on root's password.
To disable root login via SSH, add or correct the following line:
PermitRootLogin no
CCE 4387-7
3.5.2.7 Disable Empty Passwords
To explicitly disallow remote login from accounts with empty passwords, add or correct the following line:
PermitEmptyPasswords no
CCE 3660-8
Measures should also be taken to disable accounts with empty passwords system-wide, as described in Section 2.3.1.5.1.
3.5.2.8 Enable a Warning Banner
Section 2.3.7 contains information on how to create an appropriate warning banner.
To enable a warning banner, add or correct the following line:
Banner /etc/issue
CCE 4431-3
3.5.2.9 Do Not Allow Users to Set Environment Options
To prevent users from being able to present environment options to the SSH daemon and potentially bypass some access restrictions, add or correct the following line:
PermitUserEnvironment no
CCE 14716-5
3.5.2.10 Use Only Approved Ciphers in Counter Mode
Limit the ciphers to those which are FIPS-approved and only use ciphers in counter (CTR) mode. The following line demonstrates use of FIPS-approved ciphers in CTR mode:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
CCE 14491-5
The man page sshd_config(5) contains a list of the ciphers supported for the current release of the SSH daemon.
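As an added check that is not part of this guide, the following POSIX shell script audits an sshd_config against the settings recommended in 3.5.2.1 through 3.5.2.10, reading the file the way sshd does (the first uncommented occurrence of a keyword is the effective one). The helper names, the 1..900-second range accepted for ClientAliveInterval and the sample configuration are all constructed for this example.

```shell
#!/bin/sh
# Audit an sshd_config against the settings recommended in Section 3.5.2.
# Assumes the "Keyword value" form and does not evaluate Match blocks (hypothetical helpers).
# Effective value of a directive: sshd honours the first uncommented occurrence
# and keywords are case-insensitive; prints nothing when the keyword is absent.
sshd_value() {
    awk -v key="$2" '/^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == tolower(key) { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}
# Report a directive whose effective value differs from the recommended one.
check_directive() {
    actual=$(sshd_value "$1" "$2")
    [ "$actual" = "$3" ] && return 0
    echo "FAIL: $2 is '${actual:-<unset>}', expected '$3'"
    return 1
}
# Run every check; the return value is the number of failed checks (0 = compliant).
# ClientAliveInterval is accepted when it is 1..900 seconds (the 15-minute timeout of 3.5.2.3).
audit_sshd_config() {
    fails=0
    for pair in Protocol=2 IgnoreRhosts=yes HostbasedAuthentication=no PermitRootLogin=no \
            PermitEmptyPasswords=no Banner=/etc/issue PermitUserEnvironment=no \
            ClientAliveCountMax=0 Ciphers=aes128-ctr,aes192-ctr,aes256-ctr; do
        check_directive "$1" "${pair%%=*}" "${pair#*=}" || fails=$((fails + 1))
    done
    iv=$(sshd_value "$1" ClientAliveInterval)
    case "$iv" in
        ''|*[!0-9]*|0) echo "FAIL: ClientAliveInterval is '${iv:-<unset>}', expected 1..900"; fails=$((fails + 1)) ;;
        *) [ "$iv" -le 900 ] || { echo "FAIL: ClientAliveInterval is $iv, expected 1..900"; fails=$((fails + 1)); } ;;
    esac
    return "$fails"
}
# Constructed sample standing in for /etc/ssh/sshd_config. The commented-out
# PermitRootLogin line is there to show that only uncommented lines count.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
Protocol 2
#PermitRootLogin no
PermitRootLogin yes
IgnoreRhosts yes
HostbasedAuthentication no
PermitEmptyPasswords no
PermitUserEnvironment no
ClientAliveInterval 3600
ClientAliveCountMax 0
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
EOF
audit_sshd_config "$SAMPLE_CFG" || echo "$? of the recommended settings need attention"
```

Run against the real file with `audit_sshd_config /etc/ssh/sshd_config`; the sample above reports three findings (root login permitted, no banner, and a 60-minute idle timeout).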
3.5.2.11 Strengthen Firewall Configuration if Possible
If the SSH server must only accept connections from the local network, then strengthen the default firewall rule for the SSH service.
Determine an appropriate network block, netwk, and network mask, mask, representing the machines on your network which must be allowed to access this SSH server.
Edit the files /etc/sysconfig/iptables and /etc/sysconfig/ip6tables (if IPv6 is in use). In each file, locate the line:
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
and replace it with:
-A RH-Firewall-1-INPUT -s netwk/mask -m state --state NEW -p tcp --dport 22 -j ACCEPT
If your site uses IPv6, and you are editing ip6tables, use the line:
-A RH-Firewall-1-INPUT -s ipv6netwk::/ipv6mask -m tcp -p tcp --dport 22 -j ACCEPT
instead, because Netfilter does not yet reliably support stateful filtering for IPv6.
See Section 2.5.5 for more information about Iptables configuration.