FUNDAMENTAL
SECURING SSH AND CRON JOBS
SECURING SSH
WHY SECURING SSH MATTERS
• SSH is the default secure remote management protocol on almost all Linux distributions.
SSH provides confidentiality and integrity through encryption, so data and passwords are no
longer sent in plain text over the network. Nevertheless, a default SSH configuration
can put the server at risk.
• That is why it is important to follow a few simple steps to harden an SSH server; they can
dramatically reduce the risk.
DISABLE ROOT LOGINS
For security reasons, logging in as root via SSH over a network is not recommended.
The better approach is to log in to the server as a normal user and use the
sudo command to perform tasks that require root privileges.
To disable root login via SSH, update the file /etc/ssh/sshd_config and restart the SSH service as
follows.
# vim /etc/ssh/sshd_config
By default, all valid users on the system are able to access the server. For security reasons, we
should limit SSH access to only those users who really need it. Add the
parameter AllowUsers followed by a space-separated list of usernames to
the file /etc/ssh/sshd_config.
# vim /etc/ssh/sshd_config
DISABLE PROTOCOL 1
Protocol 1 of SSH is less secure. We should disable it and always use protocol 2
only. Edit the file /etc/ssh/sshd_config and restart the SSH service as follows.
# vim /etc/ssh/sshd_config
LIMIT LISTEN ADDRESS
The default configuration of SSH listens on all available interfaces, which should be
limited. If there are multiple interfaces on the server configured with different IP addresses,
it is always best to limit users to logging in to the server using the private IP address only.
# vim /etc/ssh/sshd_config
DISABLE EMPTY PASSWORD ACCESS
In some cases, a user account on the server might not have a password set or might have an
empty password. It is best to always prevent these users from connecting to the SSH
server remotely.
# vim /etc/ssh/sshd_config
DISABLE HOST-BASED AUTHENTICATION
LIMIT ALLOWED ACCESS BY IP
We can configure which hosts can connect using TCP wrappers. With TCP wrappers, in
addition to IP addresses you can also use hostnames in rules.
By default, deny all hosts.
# vim /etc/hosts.deny
sshd : ALL
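
As an added example (not part of the original slides), the shell function below audits an sshd_config file for the settings covered in this section and shows that sshd keeps the first value it reads for a keyword. Apart from AllowUsers, the directive names are the standard sshd_config keywords assumed to correspond to the slide headings; the function names and the sample config are constructed, and an unset Protocol is treated as passing on the assumption of OpenSSH 7.4 or later, which has no protocol 1 server support.

```sh
#!/bin/sh
# Added example: audit an sshd_config for the hardening steps in this chapter.
# Prints PASS/FAIL per check and returns non-zero if any check fails.
audit_sshd_config() {
    awk -F'[ \t=]+' '
    function report(ok, name, seen) {
        printf "%s %s (%s)\n", (ok ? "PASS" : "FAIL"), name, (seen == "" ? "unset" : seen)
        if (!ok) bad = 1
    }
    { sub(/^[ \t]+/, "") }                 # drop indentation so $1 is the keyword
    $0 == "" || /^#/ { next }              # skip blank lines and comments
    { key = tolower($1); v = tolower($2) } # keywords are case-insensitive
    key == "match" { exit }                # audit the global section only
    key == "listenaddress" {               # every ListenAddress line is honoured
        listen = "specific"
        if (v ~ /^(0\.0\.0\.0|::|\[::\])(:[0-9]+)?$/) wild = 1
        next
    }
    !(key in val) { val[key] = v }         # sshd keeps the first value it reads
    END {
        report(val["permitrootlogin"] == "no", "PermitRootLogin", val["permitrootlogin"])
        report(val["allowusers"] != "", "AllowUsers", val["allowusers"])
        report(val["protocol"] !~ /1/, "Protocol", val["protocol"])
        report(listen != "" && !wild, "ListenAddress", wild ? "wildcard" : listen)
        report(val["permitemptypasswords"] != "yes", "PermitEmptyPasswords", val["permitemptypasswords"])
        report(val["hostbasedauthentication"] != "yes", "HostbasedAuthentication", val["hostbasedauthentication"])
        exit bad + 0
    }' "${1:--}"
}

# Constructed sample config (not from a real host).
sample_config() {
    cat <<'EOF'
# first value wins: root login stays enabled despite the later "no"
PermitRootLogin yes
permitrootlogin no
AllowUsers alice bob
Protocol 2
ListenAddress 10.0.0.5
PermitEmptyPasswords=no
EOF
}

sample_config | audit_sshd_config || echo "hardening gaps found"
```

On a live server, `sshd -T` prints the effective configuration, including defaults, and its output can be piped into the same function.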
CRON JOBS
WHAT ARE CRON JOBS
Cron jobs are generally used for running scheduled backups, monitoring disk space, periodically
deleting files (for example log files) that are no longer required, running system
maintenance tasks, and a lot more.
To create cron jobs for the current user
# crontab -e
To create cron jobs for another user
# crontab -u <username> -e
CRON JOBS COMMAND STRUCTURE
CRON JOBS SCHEDULE EXAMPLE
• Run jobs every 5 minutes
*/5 * * * * <command to execute>
• Run jobs every quarter year at 3am on 1st day
0 3 1 */3 * <command to execute>
WHAT KIND OF JOBS CAN BE CRON-ED?
THANK YOU !
END OF CHAPTER EXTRA