Howto make SSH even more secure

To make your router even more secure and protected against new attacks, follow these steps:

Move the server to a non-standard port

Why a non-standard port? Because the standard SSH port (22) is targeted by script kiddies these days, who use simple brute force attacks to gain access to your box. Usually you'll only notice a bunch of login attempts in your system log, so no real harm is done. But better safe than sorry, so by moving Dropbear/OpenSSH1) to a non-standard port, your logs will not be cluttered with these attempts. Of course a full port scan will still reveal the port, but it is now more difficult to find, and that is what we need.

FREESCO with Dropbear SSH server (0.3.4+)

Log in as root and go into the FREESCO setup, by typing :

setup

and <enter>, then choose advanced settings (a), and Option #47.

Advanced settings (x - exit) []? 47

press <enter>, then at this prompt :

        Enable SSHD to allow remote access to Freesco. You can use SSH
        and perform any console commands including this setup script.

        WARNING:y - Enable service worldwide, insecure!
                s - Enable service locally, secure (recommended)
                n - Disable service

        NOTE: If you are going to export this service from a local computer
        using standard port (22), you must not answer s.

 47 Enable SSH server y/s/n [y]?

type “y” and <enter>, when asked :

471 SSH port [22]? 222

type the port number you would like ssh to use (for instance 222) followed by <enter>.

472 Allow root to login with SSH (y/n) [y]?

Dropbear sshd v0.44-p10
Usage: dropbear [options]
Options are:
-s              Disable password logins
-g              Disable password logins for root
-j              Disable local port forwarding
-p port Listen on specified tcp port, up to 10 can be specified
                (default 22 if none specified)

472 Extra command line options. None are required. []?

You can leave this empty.

Exit the setup with “x”,<enter>, and save settings with “s”,<enter>.

Then back at the prompt you should restart the firewall with :

rc_masq restart

The FREESCO default ssh server is now accessible via the port you configured. You can try connecting to the router with PuTTY or another ssh client; it should work.

Opensshd package

For Freesco 0.27

Go to /rc/rcuser :

cd /rc/rcuser

then edit the startup script for opensshd :

edit rc_opensshd

In this file find the lines that say :

# Port to listen for connections on.
PORT=22

if [ "$1" = firewall ]; then
#comment out the next lines to make sshd worldwide accessible
#echo -n "Block opensshd connection from inet...I"

Change it to read :

# Port to listen for connections on.
PORT=xxxx

if [ "$1" = firewall ]; then
#comment out the next lines to make sshd worldwide accessible
#echo -n "Block opensshd connection from inet...I"

Where xxxx is the number of the port you wish to give to openssh. To finish, type :

rc_opensshd restart
rc_masq restart

For Freesco 0.3x

Go to /pkg/etc/ :

cd /pkg/etc/

then edit the config file for openssh :

edit sshd_config

In this file find the lines that say :

#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::

and change them to read :

Port xxxx
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::

Where xxxx is the number of the port you wish to give to openssh. To finish, type :

rc_opensshd restart
rc_masq restart

Disable root access

To disable root access with dropbear/openssh follow these steps :

Add a new user who will be the admin on FREESCO with

useradd your_admin

Choose (N)ormal user, with a home directory.

Go to /etc

cd /etc

Edit the password file :

edit passwd

In this file locate the following line :

your_admin:xxxxxxxxxx:100x:100:your_admin:/home/your_admin:/bin/sh

and change it to :

your_admin:xxxxxxxxxx:0:0:your_admin:/home/your_admin:/bin/sh

Save the file with ALT+x

and copy it to the boot directory :

cp passwd /boot/etc/

Try to login with ssh as the user your_admin and the corresponding password.


IF, AND ONLY IF, that works, you can then go to /etc and edit the password file again :

cd /etc
edit passwd

Find the line that says :

root:xxxxxxxxxx:0:0:root:/home/root:/bin/sh

and change it to read

root:xxxxxxxxxx:0:0:root:/home/root:/bin/false

Save the changes and copy the file to /boot/etc/ :

cp passwd /boot/etc/

That's it!

The root user is now disabled and only your_admin can login with ssh and admin rights.
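As an added check that is not part of this howto or of FREESCO, the POSIX shell script below audits the result of the steps above: it reads the contents of passwd and sshd_config (constructed samples matching the edits described are embedded so it runs offline) and passes only if root's shell is /bin/false, exactly one other UID-0 account can still log in, and sshd is no longer on port 22. The function names and sample values are my own assumptions.

```shell
#!/bin/sh
# Added example, not part of the FREESCO howto: audit the edits described
# above. Each function takes file CONTENTS as its argument, so on the box
# you can run:  audit "$(cat /etc/passwd)" "$(cat /pkg/etc/sshd_config)"

# Constructed sample /etc/passwd as it should look after the howto's edits
# (password hashes replaced by x).
SAMPLE_PASSWD="root:x:0:0:root:/home/root:/bin/false
your_admin:x:0:0:your_admin:/home/your_admin:/bin/sh
nobody:x:99:99:nobody:/:/bin/false"

# Constructed sample sshd_config after the port has been moved.
SAMPLE_SSHD_CONFIG="Port 222
#Protocol 2,1
#ListenAddress 0.0.0.0"

# Login names of every UID-0 account whose shell still allows a login
# (anything other than .../false or .../nologin), one per line.
uid0_login_accounts() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 && $7 !~ /(false|nologin)$/ { print $1 }'
}

# Effective sshd port: the first uncommented Port line, or 22 if there is none.
sshd_port() {
    port=$(printf '%s\n' "$1" | awk 'tolower($1) == "port" { print $2; exit }')
    printf '%s\n' "${port:-22}"
}

# Pass only if exactly one UID-0 account can log in, that account is not
# root, root's shell is /bin/false and sshd no longer listens on 22.
# Prints a one-line verdict and returns 0 (pass) or 1 (fail).
audit() {
    accounts=$(uid0_login_accounts "$1")
    count=$(printf '%s\n' "$accounts" | awk 'NF { n++ } END { print n + 0 }')
    root_shell=$(printf '%s\n' "$1" | awk -F: '$1 == "root" { print $7 }')
    port=$(sshd_port "$2")
    if [ "$count" -eq 1 ] && [ "$accounts" != root ] \
        && [ "$root_shell" = /bin/false ] && [ "$port" != 22 ]; then
        echo "OK: admin account=$accounts, ssh port=$port"
        return 0
    fi
    echo "FAIL: uid 0 login accounts=[$accounts] root shell=$root_shell ssh port=$port"
    return 1
}

audit "$SAMPLE_PASSWD" "$SAMPLE_SSHD_CONFIG"
```

The sshd_config check is for the Opensshd package; with Dropbear the port is set in setup (option 471), so only the passwd checks apply there.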

1) Of course you must have the Opensshd package installed for this howto…
 
freesco/howtos/how-to_make_ssh_more_secure.txt · Last modified: 2006/02/08 16:04 (external edit)