Information Security Office

Securing SSH

SSH is a secure network protocol that is used to create a secure connection between two systems. By default the service runs on TCP port 22 and provides encryption capability.

Unfortunately attackers on the Internet constantly scan for this service and when detected may focus more attention on this and other available services running on the system. As with other protocols vulnerabilities (weaknesses) are discovered that can allow attackers to compromise systems advertising the SSH service. Once compromised, these systems can be used for cyber criminal activity such as spam, identity theft & as botnets.

SSH can also be subject to "brute force" attacks. This continual process guesses usernames & passwords until access to the service is met. Although monitoring logs and adding additional layers of protection could help avoid these attacks they may go unnoticed. 

In April 2009 SANS reported a sharp rise in SSH server attacks and the importance of being vigilant regarding SSH services.

Please review the following recommendations to help secure the SSH service:

  • Enable SSH service only when necessary.

  • Use strong usernames & passwords. Change them often.
    For more information see: Choosing a secure password.
    Reconfigure SSH to only use password protected SSH keys and not permit plain passwords. (See SAN's Handler's Diary below for more information.)

  • Configure firewall to only allow necessary systems to connect to SSH service. This prevents strangers from brute force attacks.

  • Monitor SSH logs on regular basis to see who is trying to get in.

  • Disable root log-ins & limit user logins only necessary users.

  • Strongly recommended to disable SSH version 1 protocol. This protocol is older and less secure.

  • Move service from TCP port 22 to higher unused port. Although this relies more on obscurity than security, it may help deter SSH attacks.

For more about securing SSH information: 

Guess what? SSH again! - SANS Handler's Diary - 4/17/09

Related news stories:

SSH server attacks resurface 4/20/09 – Tech -  4/20/09

Beware of Secure Shell Attacks, says SANS  – IT Business Edge - 4/20/09

Brutish SSH attacks continue to bear fruit – The Register – 4/17/09

SSH server attacks resurface – - 4/18/09