Secure SSHD in Linux

Learn On Demand
Learn On Demand Pro Series

This IT Pro Challenge virtual lab shows learners how to configure the Secure Shell (SSH) service by modifying service parameters in the SSHD configuration file. Learners will also use Elliptic Curve Digital Signature Algorithm (ECDSA) keys to configure key-based authentication and create an alias to launch SSH.

Time: 1 hour
Difficulty: Advanced

Overview

In this IT Pro Challenge, learners will understand how to modify the SSHD configuration file to disable empty passwords, disconnect idle connections, and change the banner message. Learners will also use Elliptic Curve Digital Signature Algorithm (ECDSA) keys to configure SSH key-based authentication for a user to connect to the SSH server, configure the firewall, create an alias to launch SSH, and view the SSH log files. The skills acquired in this lab are useful for careers as a network or system administrator.

Overview

The scenario for this hands-on lab is that you are a system administrator of several Linux servers. Your job is to configure the Secure Shell (SSH) service to comply with your company’s network security standards. You will have a CentOS 7 Linux system (CentOS7-A) that is the SSH server where you will modify SSH service parameters and configure the firewall to allow for the SSH modifications that you make. You will also have a second CentOS 7 Linux system (CentOS7-B) that will serve as the SSH client, for which you will configure key-based authentication and create an alias to launch SSH. To finish, you will view the SSH log file on the server.

CentOS stands for Community Enterprise Operating System; it is a free, community-based Linux platform.

Back up and configure the SSH configuration file

To begin the lab, you will back up the current /etc/ssh/sshd_config configuration file. Then you will edit the global section of the sshd_config file to disable empty passwords, disconnect idle connections, and configure /etc/issue.net to be the banner message file. Next, you will add settings (Match address, Disable root user access over SSH, and Whitelist the user01 account) to the match section at the bottom of the sshd_config file. You will also add a warning message to the /etc/issue.net file that serves as the banner message. To test your work, you will try to establish an SSH connection to the SSH server as user01; the connection should fail, and you will see the banner message that you created.

Enable key-based authentication

Now you will use Elliptic Curve Digital Signature Algorithm (ECDSA) keys to configure SSH key-based authentication for user01 to connect to the SSH server. ECDSA provides a similar level of security to Rivest–Shamir–Adleman (RSA), but with a smaller key.

You will then disable password-based authentication in the match address section of the sshd_config file and restart the SSHD service.

Configure the firewall

Now you will configure SSHD to listen on port 2222 in addition to the standard port 22, update the firewall and the SELinux port setting to allow the new port number, restart the SSHD service, and then attempt to establish an SSH connection to the server by using the new port number.
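The server-side edits described in the three sections above (global hardening, the Match block with key-only access for user01, and the second listening port) as one added shell example; it is not the lab's own script. It works on a constructed stand-in copy of a stock CentOS 7 sshd_config in a temporary directory so it runs offline; on CentOS7-A the same functions would be pointed at /etc/ssh/sshd_config. The keepalive values, the 192.0.2.0/24 client subnet and the banner text are assumptions, and `apply_on_server` wraps the real `sshd -t`, `semanage`, `firewall-cmd` and `systemctl` steps without being run in the demo.

```shell
#!/bin/sh
# Added example (not the lab's script): build a hardened copy of sshd_config offline.
# On the server, replace DEMO_CFG below with /etc/ssh/sshd_config.
set -eu

# Keep one pristine copy, preserving mode and ownership (cp -p).
backup_config() {
    [ -f "$1.orig" ] || cp -p "$1" "$1.orig"
}

# Insert a line into the GLOBAL section: before the first Match block, or at the
# end if there is none. Blind appending would land inside the last Match block.
insert_global() {
    cfg=$1 line=$2 tmp=$(mktemp)
    awk -v line="$line" '
        !done && /^[ \t]*Match[ \t]/ { print line; done = 1 }
        { print }
        END { if (!done) print line }' "$cfg" > "$tmp"
    cat "$tmp" > "$cfg" && rm -f "$tmp"   # cat keeps the inode, mode and SELinux label
}

# Set a single-valued global directive: drop active and commented-out occurrences
# from the global section, then insert the new value once.
set_directive() {
    cfg=$1 key=$2 value=$3 tmp=$(mktemp)
    awk -v key="$key" '
        /^[ \t]*Match[ \t]/ { in_match = 1 }
        !in_match && $0 ~ ("^[ \t]*#?" key "([ \t]|$)") { next }
        { print }' "$cfg" > "$tmp"
    cat "$tmp" > "$cfg" && rm -f "$tmp"
    insert_global "$cfg" "$key $value"
}

# Print the effective global value of a directive (first active line before any Match).
get_directive() {
    awk -v key="$2" '
        /^[ \t]*Match[ \t]/ { exit }
        $1 == key { print $2; exit }' "$1"
}

# Per-subnet rules: no root login, only user01, no password logins from that net.
# PasswordAuthentication sits in the Match block as in the lab; put it in the
# global section instead to turn passwords off for every source address.
add_match_block() {
    cfg=$1 net=$2
    grep -q "^Match Address $net\$" "$cfg" && return 0   # already present: idempotent
    printf '\nMatch Address %s\n    PermitRootLogin no\n    AllowUsers user01\n    PasswordAuthentication no\n' "$net" >> "$cfg"
}

# Verify the result before sshd ever loads it; returns 1 and lists what is missing.
check_config() {
    cfg=$1 rc=0
    for pair in 'PermitEmptyPasswords no' 'ClientAliveInterval 300' \
                'ClientAliveCountMax 2' 'Banner /etc/issue.net'; do
        key=${pair% *} want=${pair#* }
        got=$(get_directive "$cfg" "$key")
        [ "$got" = "$want" ] || { echo "MISSING: $pair (got '${got:-none}')" >&2; rc=1; }
    done
    grep -q '^Port 2222$' "$cfg" || { echo "MISSING: Port 2222" >&2; rc=1; }
    return $rc
}

# Steps that need root on a real CentOS 7 host (semanage is in policycoreutils-python);
# defined here for reference, not run in the offline demo.
apply_on_server() {
    sshd -t -f "$1"                                   # syntax check before restarting
    semanage port -a -t ssh_port_t -p tcp 2222 \
        || semanage port -m -t ssh_port_t -p tcp 2222 # SELinux: let sshd bind 2222
    firewall-cmd --permanent --add-port=2222/tcp && firewall-cmd --reload
    systemctl restart sshd
}

# --- offline demo on a constructed stand-in for a stock CentOS 7 sshd_config ---
DEMO_DIR=$(mktemp -d)
DEMO_CFG=$DEMO_DIR/sshd_config
cat > "$DEMO_CFG" <<'EOF'
#Port 22
#PermitRootLogin yes
PasswordAuthentication yes
#PermitEmptyPasswords no
#Banner none
Subsystem sftp /usr/libexec/openssh/sftp-server
EOF
backup_config "$DEMO_CFG"
set_directive "$DEMO_CFG" PermitEmptyPasswords no
set_directive "$DEMO_CFG" ClientAliveInterval 300   # probe a silent client every 300 s ...
set_directive "$DEMO_CFG" ClientAliveCountMax 2     # ... and drop it after 2 unanswered probes
set_directive "$DEMO_CFG" Banner /etc/issue.net
set_directive "$DEMO_CFG" Port 22                   # Port may repeat: keep 22 ...
insert_global "$DEMO_CFG" 'Port 2222'               # ... and add 2222 (assumed port from the lab)
add_match_block "$DEMO_CFG" 192.0.2.0/24            # placeholder client subnet (assumption)
printf 'WARNING: authorized use only. All activity is logged.\n' > "$DEMO_DIR/issue.net"  # stand-in for /etc/issue.net
check_config "$DEMO_CFG" && echo "hardened copy written to $DEMO_CFG"
```

`cat "$tmp" > "$cfg"` rather than `mv` is deliberate: it rewrites the file in place, so the ownership, mode and SELinux context of /etc/ssh/sshd_config survive the edit. `get_directive` stops at the first Match line, which is why it still reports the global PasswordAuthentication as `yes` after the Match block is added.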

Create an alias for yourself

To create an alias for yourself, you will edit user01's .bashrc file to add an alias that connects to port 2222 and then run the alias to establish an SSH connection.
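The client-side half of the lab (the ECDSA key pair for user01 and the .bashrc alias) as an added shell example, not the lab's own steps. `make_client_key` contains the real `ssh-keygen` and `ssh-copy-id` commands and is meant to be run interactively on CentOS7-B, so the offline demo does not call it; the alias name `sshA`, the host name `centos7-a` and the constructed stand-in .bashrc are assumptions.

```shell
#!/bin/sh
# Added example (not the lab's script): client-side setup for user01 on CentOS7-B.
set -eu

# Generate a P-521 ECDSA key pair (ssh-keygen prompts for a passphrase) and install
# the public key on the server. Run this while password logins are still allowed;
# the lab turns them off in the Match block afterwards. Not run in the offline demo.
make_client_key() {
    server=$1
    [ -f "$HOME/.ssh/id_ecdsa" ] || ssh-keygen -t ecdsa -b 521 -f "$HOME/.ssh/id_ecdsa"
    ssh-copy-id -i "$HOME/.ssh/id_ecdsa.pub" -p 2222 "user01@$server"
}

# Add or replace an alias in a bashrc-style file. Re-running the lab step must not
# stack duplicate alias lines, so any existing definition of the name is removed first.
install_alias() {
    rc=$1 name=$2 command=$3 tmp=$(mktemp)
    grep -v "^alias $name=" "$rc" > "$tmp" || true   # grep -v exits 1 when nothing is left
    printf "alias %s='%s'\n" "$name" "$command" >> "$tmp"
    cat "$tmp" > "$rc" && rm -f "$tmp"
}

# Print the command an alias expands to, or nothing if the file does not define it.
alias_target() {
    sed -n "s/^alias $2='\(.*\)'$/\1/p" "$1"
}

# --- offline demo on a constructed stand-in for ~/.bashrc ---
DEMO_RC=$(mktemp)
printf '# .bashrc\nalias ll="ls -l"\n' > "$DEMO_RC"
install_alias "$DEMO_RC" sshA 'ssh -p 2222 user01@centos7-a'
install_alias "$DEMO_RC" sshA 'ssh -p 2222 user01@centos7-a'   # second run replaces, not duplicates
echo "alias sshA now runs: $(alias_target "$DEMO_RC" sshA)"
# On the real client: install_alias "$HOME/.bashrc" sshA 'ssh -p 2222 user01@centos7-a'
# then ". $HOME/.bashrc" (or open a new shell) and type sshA.
```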

View SSH log files

Finally, you will view SSH connections, disconnections, and password resets in the /var/log/secure log file.

NOTE: If you are using Ubuntu Linux machines, the SSH log file is stored in /var/log/auth.log.
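Reviewing the log described in the last section, as an added shell example that is not part of the lab: a few awk and grep helpers that pull logins, disconnections, repeated failed password attempts per source address, and PAM password changes out of /var/log/secure (or /var/log/auth.log on Ubuntu). The log lines in the demo are constructed samples in the CentOS 7 format; the host name, addresses and process IDs are invented.

```shell
#!/bin/sh
# Added example (not the lab's script): summarize sshd events in /var/log/secure.
# Replace DEMO_LOG with /var/log/secure (CentOS) or /var/log/auth.log (Ubuntu).
set -eu

# Count lines containing a fixed string, e.g. 'Accepted publickey' or 'Disconnected from'.
# grep -c exits 1 when the count is 0, so keep the count and ignore the status.
count_events() {
    grep -cF "$2" "$1" || true
}

# One line per successful login: user, authentication method, source address.
# "Accepted <method> for <user> from <ip> port <n> ssh2..." -> fields 7, 9 and 11.
logins() {
    awk '/sshd\[[0-9]+\]: Accepted / { print $9, $7, $11 }' "$1"
}

# Source addresses with at least N failed password attempts, printed as "ip count".
# Counting from the end ($(NF-3)) keeps working for "invalid user <name>" variants.
failed_by_source() {
    awk -v min="$2" '
        /sshd\[[0-9]+\]: Failed password for/ { n[$(NF-3)]++ }
        END { for (ip in n) if (n[ip] >= min) print ip, n[ip] }' "$1"
}

# Users whose password was changed, as recorded by PAM (the lab's "password resets").
password_changes() {
    awk '/pam_unix\(passwd:chauthtok\): password changed for/ { print $NF }' "$1"
}

# --- offline demo on constructed sample lines ---
DEMO_LOG=$(mktemp)
cat > "$DEMO_LOG" <<'EOF'
Mar  3 10:15:01 centos7-a sshd[2301]: Accepted publickey for user01 from 192.0.2.10 port 51122 ssh2: ECDSA SHA256:EXAMPLEFINGERPRINT
Mar  3 10:15:01 centos7-a sshd[2301]: pam_unix(sshd:session): session opened for user user01 by (uid=0)
Mar  3 10:17:44 centos7-a sshd[2301]: Received disconnect from 192.0.2.10 port 51122:11: disconnected by user
Mar  3 10:17:44 centos7-a sshd[2301]: Disconnected from 192.0.2.10 port 51122
Mar  3 10:18:02 centos7-a sshd[2350]: Failed password for root from 198.51.100.7 port 40211 ssh2
Mar  3 10:18:05 centos7-a sshd[2350]: Failed password for root from 198.51.100.7 port 40211 ssh2
Mar  3 10:18:09 centos7-a sshd[2350]: Connection closed by 198.51.100.7 port 40211 [preauth]
Mar  3 10:20:30 centos7-a passwd: pam_unix(passwd:chauthtok): password changed for user01
EOF
echo "key-based logins : $(count_events "$DEMO_LOG" 'Accepted publickey')"
echo "disconnections   : $(count_events "$DEMO_LOG" 'Disconnected from')"
echo "logins           : $(logins "$DEMO_LOG")"
echo "2+ failures from : $(failed_by_source "$DEMO_LOG" 2)"
echo "password changes : $(password_changes "$DEMO_LOG")"
```

The two failed root logins land in the log even though the Match block denies root, which is the point of checking /var/log/secure after a configuration change: the "Failed password" and "[preauth]" lines show the denial working, and a source address that keeps appearing in `failed_by_source` is the one to look at next.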

Summary Conclusion

By taking this hands-on lab, you will learn how to edit the SSHD configuration file, enable key-based authentication for SSH, change the default SSH port, configure the firewall and SELinux services to allow a new port number, create a command alias to establish an SSH connection, and view the SSH service log files.