The other day I was thinking of ways to secure SSH that were a bit outside the norm. Let’s face it, we’ve all configured SSH in /etc/ssh/sshd_config and /etc/ssh/ssh_config. We’ve blocked root login, we’ve set SSH to a non-standard port, we’ve installed fail2ban, and we’ve enabled SSH key authentication. What more can we do?
That’s where my train of thought sort of went off the tracks to come up with a non-standard method of blocking unwanted SSH traffic. What I came up with isn’t revolutionary, nor is it a guaranteed fix for everything that ails remote logins.
But it’s yet another one of those ideas that makes me glad I use Linux.
Let’s say, for example, you and your IT staff log into and out of your Linux servers all day. During that time, you must make sure that the SSH service is running and accepting connections. But what about after work hours?
I know you and your staff might be of a mindset that there is no such thing as “after hours,” but there should be. Being able to step away from work is one of the best ways of ensuring you can continue doing your work for years to come. Giving yourself over to the company 24/7 is a sure-fire way of burning out and fading away. Don’t let that happen.
With that said, what if you just disabled the SSH service after hours? I know, I know … it sounds crazy, blocking yourself from remote access when you’re off the clock. But the thing is, that period when you’re not working is the prime time for attackers. And with you not there, your ability to react quickly is pretty much nil. So why give anyone the ability to access your remote servers via SSH?
Again, I know this sounds crazy, but for some servers, this could be an ideal way of blocking incoming SSH attacks at certain times.
Say, for instance, you only have a bare IT presence from 7 p.m. to 6 a.m. Maybe you’ve hired one or two admins to deal with issues that happen at night. So they’re on-prem and can handle anything you can’t (because you can’t SSH into the servers). That being the case, why not shut down the SSH daemons during those hours? With those services not accepting connections, hackers would have a significantly more difficult time gaining access.
But how would you do this? In a word: cron.
How to create cron jobs for SSH
We’re going to create a file that will handle two cron jobs:
One to start SSH at 6 a.m.
One to stop SSH at 7 p.m.
To create the file, issue the command (a file that carries a user column, as below, belongs in /etc/cron.d, not in a personal crontab):
sudo nano /etc/cron.d/ssh-start-stop
In that file, paste the following:
# min hour dom mon dow user command
# Start the SSH daemon at 6 a.m. every day
0 6 * * * root /usr/bin/systemctl start ssh
# Stop the SSH daemon at 7 p.m. (19:00) every day
0 19 * * * root /usr/bin/systemctl stop ssh
Save and close the file.
At this point, when 7 p.m. comes around, the SSH daemon should be stopped and will then restart at 6 a.m. No one should be able to use secure shell to gain access to that server during that period. (The unit is named ssh on Debian and Ubuntu; on Fedora, RHEL and their derivatives it is sshd, so adjust the two commands accordingly.)
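As an added example, not part of the article, here is a small POSIX shell helper that generates the two cron.d lines for any service window, rejects malformed hours before they reach the crontab, and lets you check whether a given hour falls inside the window (it also handles an overnight window such as 22 to 6, which the article does not cover). The unit name defaults to ssh (Debian/Ubuntu) and is an assumption; the target path /etc/cron.d/ssh-window is a hypothetical name chosen for this example.

```shell
#!/bin/sh
# Added example, not the article's file. Builds an /etc/cron.d entry that
# starts sshd at START_HOUR and stops it at STOP_HOUR, and checks whether an
# hour lies inside that service window. Assumed unit name: "ssh" (Debian/
# Ubuntu); pass "sshd" on Fedora/RHEL.

# Validate a 0-23 integer hour. Returns 1 (and prints a message) otherwise,
# so a typo like "25" or "6pm" never produces a cron line that silently fails.
valid_hour() {
    case "$1" in
        ''|*[!0-9]*) echo "invalid hour: '$1'" >&2; return 1 ;;
    esac
    [ "$1" -le 23 ] || { echo "invalid hour: '$1'" >&2; return 1; }
}

# Print the two cron.d lines for a window [START_HOUR, STOP_HOUR).
# Usage: ssh_window_cron START_HOUR STOP_HOUR [UNIT]
ssh_window_cron() {
    start="$1"; stop="$2"; unit="${3:-ssh}"
    valid_hour "$start" || return 1
    valid_hour "$stop"  || return 1
    printf '0 %s * * * root /usr/bin/systemctl start %s.service\n' "$start" "$unit"
    printf '0 %s * * * root /usr/bin/systemctl stop %s.service\n'  "$stop"  "$unit"
}

# Return 0 if HOUR is inside the window, 1 otherwise. A window whose start is
# later than its stop (e.g. 22 to 6) wraps past midnight.
# Usage: in_ssh_window HOUR START_HOUR STOP_HOUR
in_ssh_window() {
    h="$1"; start="$2"; stop="$3"
    if [ "$start" -lt "$stop" ]; then
        [ "$h" -ge "$start" ] && [ "$h" -lt "$stop" ]
    else
        [ "$h" -ge "$start" ] || [ "$h" -lt "$stop" ]
    fi
}

# Write the generated lines to /etc/cron.d (needs root). Hypothetical file
# name; cron ignores cron.d files that are group/world writable, hence 0644.
# Usage: install_ssh_window START_HOUR STOP_HOUR [UNIT]
install_ssh_window() {
    content="$(ssh_window_cron "$@")" || return 1
    printf '%s\n' "$content" > /etc/cron.d/ssh-window.tmp &&
    chmod 0644 /etc/cron.d/ssh-window.tmp &&
    mv /etc/cron.d/ssh-window.tmp /etc/cron.d/ssh-window
}

# Example run (constructed): print the article's 6 a.m. to 7 p.m. window.
ssh_window_cron 6 19
```

Two operational notes: the cron lines run on the host's local time, so check `timedatectl` before relying on "7 p.m."; and on distributions where sshd is socket-activated (Ubuntu 22.10 and later by default), stopping ssh.service alone is not enough, because systemd re-spawns the daemon on the next incoming connection, so the stop line must also stop ssh.socket.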
As I said, this isn’t a bulletproof solution. It might even cause more problems for you than it’s worth (depending on the situation). What this does, however, is show you how flexible the Linux operating system can be and how you can always come up with off-the-tracks solutions to give your server a unique boost in security.
Subscribe to TechRepublic’s How To Make Tech Work on YouTube for all the latest tech advice for business pros from Jack Wallen.