# SSH Rootcheck
#
# v1.0 2016/01/20
# Created by Wazuh, Inc.
# jesus@wazuh.com
# This program is a free software; you can redistribute it and/or modify it under the terms of GPLv2
#
# Rootcheck policy: each rule is a "[Title] [any] [id]" header followed by one or
# more "f:FILE -> CHECK;" lines. With [any], the rule fires when ANY check line
# matches a line of the file. "!r:^#" excludes commented-out lines from a check;
# a separate "r:^#\s*Directive" line flags a directive that is only present
# commented out (i.e. left at the daemon default).
#
# NOTE(review): in the OSSEC/Wazuh regex dialect "\." matches any character, so
# "Directive\.+value" is a loose substring match, not an exact value comparison.
# Where a comment below says "confirm", the claim depends on that engine behaviour.

$sshd_file=/etc/ssh/sshd_config;


# Port != 22
# The Port option specifies on which port number the SSH daemon listens for incoming connections.
# Changing the default port may reduce the number of successful attacks from zombie bots; a port-scanning
# attacker or bot can still quickly identify the SSH port, so this is noise reduction, not a control.
# NOTE(review): "Port\.+22" also matches e.g. "Port 2222" or "Port 1022" (any port containing "22") —
# consider "Port\s+22\s*$" (confirm engine support). Unlike rules 3-9 there is no check for a commented-out
# or absent Port directive, in which case sshd listens on the default port 22 and this rule stays silent.
[SSH Hardening - 1: Port 22 {PCI_DSS: 2.2.4}] [any] [1]
f:$sshd_file -> !r:^# && r:Port\.+22;


# Protocol 2
# The Protocol parameter dictates which version of the SSH communication and encryption protocols is in use.
# Version 1 of the SSH protocol has known weaknesses.
# The check matches any uncommented Protocol line whose value contains a "1" (e.g. "Protocol 1", "Protocol 2,1").
[SSH Hardening - 2: Protocol 1 {PCI_DSS: 2.2.4}] [any] [2]
f:$sshd_file -> !r:^# && r:Protocol\.+1;


# PermitRootLogin no
# The option PermitRootLogin specifies whether root can log in using ssh.
# If root logins are required, use the "Match" block and restrict them to a few source addresses.
# Fires on an explicit "PermitRootLogin yes" or on a commented-out PermitRootLogin directive (default in effect).
[SSH Hardening - 3: Root can log in] [any] [3]
f:$sshd_file -> !r:^# && r:PermitRootLogin\.+yes;
f:$sshd_file -> r:^#\s*PermitRootLogin;


# PubkeyAuthentication yes
# Access only by public key.
# People generally use weak passwords and have poor password practices; keys are considered stronger than passwords.
# Fires on an explicit "PubkeyAuthentication no" or on a commented-out directive.
# NOTE(review): the second check fires on a stock sshd_config that leaves the directive commented at its
# default — confirm this is the intended behaviour rather than a false positive.
[SSH Hardening - 4: No Public Key autentication {PCI_DSS: 2.2.4}] [any] [4]
f:$sshd_file -> !r:^# && r:PubkeyAuthentication\.+no;
f:$sshd_file -> r:^#\s*PubkeyAuthentication;


# PasswordAuthentication no
# The option PasswordAuthentication specifies whether password-based authentication is allowed.
# Use public key authentication instead of passwords.
# Fires on an explicit "PasswordAuthentication yes" or on a commented-out directive.
[SSH Hardening - 5: Password Authentication {PCI_DSS: 2.2.4}] [any] [5]
f:$sshd_file -> !r:^# && r:PasswordAuthentication\.+yes;
f:$sshd_file -> r:^#\s*PasswordAuthentication;


# PermitEmptyPasswords no
# The option PermitEmptyPasswords specifies whether the server allows logging in to accounts with a null password.
# Accounts with null passwords are a bad practice.
# Fires on an explicit "PermitEmptyPasswords yes" or on a commented-out directive.
[SSH Hardening - 6: Empty passwords allowed {PCI_DSS: 2.2.4}] [any] [6]
f:$sshd_file -> !r:^# && r:PermitEmptyPasswords\.+yes;
f:$sshd_file -> r:^#\s*PermitEmptyPasswords;


# IgnoreRhosts yes
# The option IgnoreRhosts specifies whether .rhosts and .shosts files are ignored during authentication.
# For security reasons it is recommended not to use rhosts or shosts files for authentication.
# Fires on an explicit "IgnoreRhosts no" or on a commented-out directive.
[SSH Hardening - 7: Rhost or shost used for authentication {PCI_DSS: 2.2.4}] [any] [7]
f:$sshd_file -> !r:^# && r:IgnoreRhosts\.+no;
f:$sshd_file -> r:^#\s*IgnoreRhosts;


# LoginGraceTime 30
# The option LoginGraceTime specifies how long, in seconds, the server waits after a connection request
# before disconnecting if the user has not successfully logged in.
# 30 seconds is the recommended time for avoiding open connections without authenticating.
# Fires on any uncommented LoginGraceTime line whose value does not end in "30", or on a commented-out directive.
# NOTE(review): "!r:30\s*$" flags stricter values (e.g. 20) and accepts e.g. "130" (confirm engine semantics);
# unlike rule 9 there is no "!r:LoginGraceTime" check for a directive that is absent altogether.
[SSH Hardening - 8: Wrong Grace Time {PCI_DSS: 2.2.4}] [any] [8]
f:$sshd_file -> !r:^# && r:LoginGraceTime && !r:30\s*$;
f:$sshd_file -> r:^#\s*LoginGraceTime;


# MaxAuthTries 3
# The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection.
# Once the number of failures reaches half this value, additional failures are logged.
# This should be set to 3.
# Fires on any uncommented MaxAuthTries line whose value does not end in "3", on a commented-out directive,
# or when the directive is missing from the file entirely (third check).
# NOTE(review): "!r:3\s*$" flags stricter values (e.g. 2) and accepts e.g. "13" (confirm engine semantics).
[SSH Hardening - 9: Wrong Maximum number of authentication attempts {PCI_DSS: 2.2.4}] [any] [9]
f:$sshd_file -> !r:^# && r:MaxAuthTries && !r:3\s*$;
f:$sshd_file -> r:^#\s*MaxAuthTries;
f:$sshd_file -> !r:MaxAuthTries;