Secure your Linux SSH Connections

Securing your endpoints isn’t just a top priority for IT pros, but also for anyone who takes their online safety seriously. For Linux devices, Secure Shell (more commonly referred to as SSH) is the primary protocol for remote authentication and access. Due to reliance on SSH for Linux users, it’s crucial to optimize the service and configure it with the best security options possible. 

Automox Worklets™ offer multiple solutions to automate the configuration of SSH connection settings on your Linux endpoints.

These five Worklet automation scripts are here to make your Linux life easier. By automating SSH configuration on your Linux endpoints with these Worklets, you not only enhance security but also streamline the process.

The beauty of Automox Worklets is that you can effortlessly set them up on all your Linux endpoints simultaneously, eliminating the need to access each server individually.

On Linux systems, the root account (or the account with UID 0) possesses the highest access rights within the system. This account is required for implementing system changes, installing software, and adjusting endpoint settings.

Typically, the username assigned to this profile is root. Since this default username is widely used across most Linux distributions, malicious actors often attempt to gain unauthorized access using it. It is commonly seen as a best practice to limit authentication via SSH for the root-level account.

Instead, it is recommended to log in using a different account and escalate privileges when necessary.

This Worklet effectively prevents the root account from authenticating SSH sessions by configuring the SSHD setting PermitRootLogin to no, thereby preventing authentication as the user root through SSH.

Following this configuration change, all SSH login attempts must be made using a username other than root. Users can instead utilize the sudo command to temporarily elevate their permissions and execute authorized privileged commands.

For instance, run sudo apt update

If the non-root user is permitted to switch user to the root account, the command sudo su can also be employed.

Prolonged idle SSH connections can pose security risks as they're vulnerable to exploitation by hackers, potentially leading to unauthorized access. To mitigate this risk, it's recommended to establish a standardized SSH client timeout policy across your Linux endpoints. However, excessively short timeouts may inconvenience users who require extended periods of inactivity during their work sessions, impacting productivity.

This Worklet adjusts the Linux endpoint's SSHD configuration to set the SSH timeout value, utilizing the ClientAliveInterval and ClientAliveCountMax parameters to terminate sessions after a specified period of inactivity. When setting up this Worklet as a Policy in the Automox Console, you can customize the timeout duration.

For example, setting a ClientAliveInterval of 300 seconds prompts the SSH client to send a keepalive signal to the Linux server every 300 seconds to verify the session status. 

The ClientAliveCountMax parameter defines the maximum number of consecutive unanswered keepalive signals before terminating the SSH session.

A simple yet effective method for securing your device and preventing unauthorized access is to enforce the use of public key authentication to authenticate SSH sessions instead of using a password. 

For endpoints that allow SSH password authentication, your endpoint is a potential target for brute-force attacks against default and privileged accounts. By restricting authentication to only use SSH keys only authorized users with the correct public key can authenticate to an endpoint.

This Worklet modifies the SSHD configuration file ('/etc/ssh/sshd_config') to set the value for PasswordAuthentication to disabled. Then, it restarts the SSH service to implement the change.

Note: Once the Worklet is executed, if one of your user's workstations doesn’t have the correct authorized SSH key, they won’t be able to access the Linux endpoint. So, double-check you have access to the Linux server via an SSH key before using this Worklet.

When an external agent tries to authenticate through the SSH service on your system, they are granted only a limited number of authentication attempts before your Linux server forcefully terminates the connection.

However, these lingering connections can pose issues if they are left open until the Linux system drops them. A surplus of open connections can lead to server performance degradation and vulnerabilities.

This Worklet allows IT Administrators to establish the maximum number of SSH authentication attempts, aiming to mitigate the risk of successful brute-force attacks on the Linux endpoint by configuring the SSH MaxAuthTries value.

You have the flexibility to adjust the MaxAuthTries limit while configuring the policy within your Automox Console.

To take your Linux endpoint security even further, the Enforce SSH Failed Login Firewall Rules Worklet gives you the option to enforce firewall blocks and slam the door on bad actors. 

The Worklet analyzes the SSH authentication log of your server and creates firewall rules to block IP addresses that have attempted to sign into SSH using bad passwords, bad SSH keys, and bad usernames. 

The Worklet also creates firewall rules to automatically block any IP addresses that exceed your SSH configuration value for MaxAuthTries.

The purpose of these firewall rules is to terminate connections from IP addresses that regularly attempt to access the SSH service. The result is a much more stable SSH server and significantly fewer failed sign-in attempts moving forward.