Jack Wallen offers up a antithetic method of securing SSH that could beryllium alternatively timely successful helping to fastener down your Linux servers.
Image: Funtap/Shutterstock
The different time I was reasoning of ways to unafraid SSH that were a spot extracurricular the norm. Let's look it, we've each configured SSH successful /etc/ssh/sshd_config and /etc/ssh/ssh_config. We've blocked basal login, we've acceptable SSH to a non-standard port, we've installed fail2ban and we've enabled SSH cardinal authentication. What much tin we do?
SEE: Security incidental effect policy (TechRepublic Premium)
That's wherever my bid of thought benignant of went disconnected the tracks to travel up with a non-standard method of blocking unwanted SSH traffic. What I came up with isn't revolutionary, nor is it a guaranteed hole for everything that ails distant logins.
But it's yet different 1 of those ideas that makes maine gladsome I usage Linux.
Let's say, for example, you and your IT unit log into and retired of your Linux servers each day. During that time, you indispensable marque definite that the SSH work is moving and accepting connections. But what astir aft enactment hours?
I cognize you and your unit mightiness beryllium of a mindset that determination is nary specified happening arsenic "after hours," but determination should be. Being capable to measurement distant from enactment is 1 of the champion ways of ensuring you tin proceed doing your enactment for years to come. Giving yourself implicit to the institution 24/7 is simply a sure-fire mode of burning retired and fading away. Don't fto that happen.
With that said, what if you conscionable disabled the SSH work aft hours? I know, I cognize ... it sounds crazy, blocking yourself from distant entree erstwhile you're disconnected the clock. But the happening is, that play erstwhile you're not moving is the premier clip for attackers. And with you not there, your quality to respond rapidly is beauteous overmuch nil. So wherefore springiness anyone the quality to entree your distant servers via SSH?
Again, I cognize this sounds crazy, but for immoderate servers, this could beryllium an perfect mode of blocking incoming SSH attacks astatine definite times.
Say, for instance, you lone person a bare IT beingness from 7 p.m. to 6 a.m. Maybe you've hired 1 oregon 2 admins to woody with issues that hap astatine night. So they're on-prem and tin grip thing you can't (because you can't SSH into the servers). That being the case, wherefore not unopen down the SSH daemons during those hours? With those services not accepting connections, hackers would person a importantly much hard clip gaining access.
But however would you bash this? In a word: cron.
How to make cron jobs for SSH
We're going to make a record that volition grip 2 cron jobs:
One to commencement SSH astatine 6 a.m.
One to halt SSH astatine 7 p.m.
To make the file, contented the command:
sudo nano ssh-start-stopIn that file, paste the following:
0 6 * * * basal /usr/bin/systemctl commencement ssh 0 15 * * * basal /usr/bin/systemctl halt sshSave and adjacent the file.
At this point, erstwhile 7 p.m. comes around, the SSH daemon should beryllium stopped and volition past restart astatine 6 a.m. No 1 should beryllium capable to usage unafraid ammunition to summation entree to that server during that period.
As I said, this isn't a bulletproof solution. It mightiness adjacent origin much problems for you than it's worthy (depending connected the situation). What this does, however, is amusement you however flexible the Linux operating strategy tin beryllium and however you tin ever travel up with off-the-tracks solutions to springiness your server a unsocial boost successful security.
Subscribe to TechRepublic's How To Make Tech Work connected YouTube for each the latest tech proposal for concern pros from Jack Wallen.
Cybersecurity Insider Newsletter
Strengthen your organization's IT information defenses by keeping abreast of the latest cybersecurity news, solutions, and champion practices. Delivered Tuesdays and Thursdays
Sign up todayAlso see
- How to go a cybersecurity pro: A cheat sheet (TechRepublic)
- Security threats connected the horizon: What IT pro's request to cognize (free PDF) (TechRepublic)
- Checklist: Securing integer information (TechRepublic Premium)
- Cybersecurity and cyberwar: More must-read coverage (TechRepublic connected Flipboard)
English (US) ·