
SSH Security Hardening Notes

SSH is a favorite attack vector among hackers.


To harden ssh and protect against attempts to break in over it, make the following modifications to sshd_config:


root@gemini:/etc/ssh# cat sshd_config

PermitRootLogin no

#Port 22
#AddressFamily any

#we only allow access from our zonetier-one vpn  (IP commented out here for security reasons):

ListenAddress 10.******  

# Disable password authentication forcing use of keys only to login:
PasswordAuthentication no

Then restart sshd.


From then on, ssh logins can only be made from inside the Zonetier VPN, never as root, and never with a password: only with ssh keys.


Users must first transfer their public key from their client to the server, either with ssh-copy-id if they are authorized, or by pasting their id_rsa.pub into the authorized_keys file in their /home/<user>/.ssh directory.


This means anyone without an authorized key has no access to the server at all.


In addition to these measures, I also installed and activated fail2ban and reviewed all ports in the ufw/iptables firewalling.
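To check that the three sshd_config controls above actually hold on a host, here is an added example (my own, not part of the original notes) that resolves directives the way sshd does and reports anything left open; the VPN address 10.0.0.5 in the sample is a made-up stand-in for the one the notes hide.

```python
"""Audit an sshd_config for the three controls applied in this post (constructed
example, not from the post). Resolved as sshd does: keys are case-insensitive,
'#' starts a comment, the FIRST occurrence of a directive wins, and only
ListenAddress may repeat (its values accumulate)."""
import re

WILDCARDS = {"0.0.0.0", "::", "*"}            # "listen everywhere" values

def parse_sshd_config(text):
    """Return ({directive: first_value}, [ListenAddress values])."""
    settings, listen = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue                           # blank, comment or bare key
        key, value = parts[0].lower(), parts[1].strip()
        if key == "listenaddress":
            listen.append(value)
        else:
            settings.setdefault(key, value)   # first occurrence wins
    return settings, listen

def listen_host(value):
    """Host part of a ListenAddress value: host, host:port or [v6]:port."""
    if value.startswith("["):
        return value[1:value.index("]")]
    host, sep, port = value.rpartition(":")
    return host if sep and port.isdigit() and ":" not in host else value

def audit(text):
    """Return findings; an empty list means all three controls are in place."""
    cfg, listen = parse_sshd_config(text)
    findings = []
    if cfg.get("permitrootlogin", "yes").lower() != "no":
        findings.append("PermitRootLogin is not 'no': root may still log in")
    if cfg.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication is not 'no' (sshd default is yes)")
    hosts = [listen_host(v) for v in listen]
    if not hosts or any(h in WILDCARDS for h in hosts):
        findings.append("ListenAddress unset or wildcard: sshd reachable everywhere")
    return findings

# Constructed samples: a stock-looking config, and the settings from this post
# with a made-up VPN-side address (10.0.0.5) standing in for the one it hides.
DEFAULT_CONFIG = "#PermitRootLogin prohibit-password\n#PasswordAuthentication yes\nPort 22\n"
HARDENED_CONFIG = ("PermitRootLogin no\nListenAddress 10.0.0.5\n"
                   "PasswordAuthentication no\nPasswordAuthentication yes\n")
```

audit(HARDENED_CONFIG) returns an empty list while audit(DEFAULT_CONFIG) returns three findings; on a live host, feed it the output of sshd -T, which prints the effective values after defaults and Match blocks are applied.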



How to Install the SSLH Multiplexer

My server uses the sslh multiplexer daemon, which accepts both ssh and https on incoming port 443.


The reason for this is to avoid ssh connection problems when connecting to the server from behind routers that do not permit outgoing connections to ssh port 22.


If you have administrator access to the router you can change this, but if you don't, e.g. when using a router in a residential or commercial building complex that you don't administer yourself, a viable workaround is to use port 443 for outgoing ssh connections.


This is because port 443 is hardly ever blocked by routers and can thus be relied upon to be accessible.


On my server, incoming port 443 ssh connections are therefore redirected to sshd on port 22, while incoming https 443 connections are redirected to https port 444 on apache.


Apache must then be configured to listen on port 444 instead of the default 443.


First, install sslh:


apt install sslh


then, in /etc/default/sslh, set DAEMON_OPTS to the port sslh should listen on and the backends it forwards to.


Here we want incoming connections to arrive on port 443, with ssh forwarded to 22 and everything else (which will be https for apache) forwarded to 444:


DAEMON_OPTS="--user sslh --listen <server-ip>:443 --ssh 127.0.0.1:22 --tls 127.0.0.1:444 --pidfile /var/run/sslh/sslh.pid"

(<server-ip> stands for the address sslh listens on, left out here as elsewhere in these notes; the loopback addresses for the two backends are assumed, matching Debian's shipped default, and --tls is the current spelling of the older --ssl option.)


so it will look like this:


root@gemini:/# cat /etc/default/sslh
# Default options for sslh initscript
# sourced by /etc/init.d/sslh

# Disabled by default, to force yourself
# to read the configuration:
# - /usr/share/doc/sslh/README.Debian (quick start)
# - /usr/share/doc/sslh/README, at "Configuration" section
# - sslh(8) via "man sslh" for more configuration details.
# Once configuration ready, you *must* set RUN to yes here
# and try to start sslh (standalone mode only)


# binary to use: forked (sslh) or single-thread (sslh-select) version
# systemd users: don't forget to modify /lib/systemd/system/sslh.service

#DAEMON_OPTS="--user sslh --listen <change-me>:443 --ssh 127.0.0.1:22 --ssl 127.0.0.1:443 --pidfile /var/run/sslh/sslh.pid"
DAEMON_OPTS="--user sslh --listen <server-ip>:443 --ssh 127.0.0.1:22 --tls 127.0.0.1:444 --pidfile /var/run/sslh/sslh.pid"


then configure systemd to start sslh at boot, and start it:


systemctl enable sslh
systemctl start sslh


Check that it's running and listening correctly:


root@gemini:/# ps -ef | grep sslh
sslh 611 1 0 Jun28 ? 00:00:00 /usr/sbin/sslh --foreground --user sslh --listen 443 --ssh 22 --tls 444 --pidfile /var/run/sslh/sslh.pid
sslh 612 611 0 Jun28 ? 00:00:00 /usr/sbin/sslh --foreground --user sslh --listen 443 --ssh 22 --tls 444 --pidfile /var/run/sslh/sslh.pid
sslh 937 612 0 Jun28 ? 00:00:00 /usr/sbin/sslh --foreground --user sslh --listen 443 --ssh 22 --tls 444 --pidfile /var/run/sslh/sslh.pid
sslh 1073 612 0 Jun28 ? 00:00:00 /usr/sbin/sslh --foreground --user sslh --listen 443 --ssh 22 --tls 444 --pidfile /var/run/sslh/sslh.pid
sslh 9093 612 0 19:22 ? 00:00:00 /usr/sbin/sslh --foreground --user sslh --listen 443 --ssh 22 --tls 444 --pidfile /var/run/sslh/sslh.pid
root 9503 9199 0 20:00 pts/2 00:00:00 grep --color=auto sslh
root@gemini:/# netstat -tulpn | grep sslh
tcp 0 0* LISTEN 611/sslh


then, you can access ssh by using:


ssh -p 443 username@server-ip


and sslh will forward the ssh connection to sshd on port 22 on the server.
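To make clear how sslh tells the two kinds of traffic on port 443 apart, here is an added model of its probe (my own example, not sslh's code): it inspects the client's first bytes, and falls back to the first listed protocol (--ssh in the DAEMON_OPTS above) when a client stays silent past the timeout. The loopback backend addresses are assumed; the port numbers are the ones used in this post.

```python
"""Model of the probe sslh runs on each connection arriving on port 443
(constructed example, not sslh's code). sslh peeks at the client's first
bytes: an SSH client opens with an 'SSH-' identification string, a TLS
client with a handshake record (type 0x16) carrying a ClientHello (0x01).
If nothing arrives before sslh's timeout, the connection goes to the first
protocol on its command line, which in this post's DAEMON_OPTS is --ssh."""

# Backends as in the post: sshd on 22, apache on 444 (loopback assumed here).
BACKENDS = {"ssh": ("127.0.0.1", 22), "tls": ("127.0.0.1", 444)}
FALLBACK = "ssh"             # --ssh is listed before --tls in DAEMON_OPTS

def classify(first_bytes):
    """Return 'ssh', 'tls' or 'unknown' from the first bytes a client sent."""
    if first_bytes.startswith(b"SSH-"):
        return "ssh"
    # TLS record header: 0x16 (handshake), version 0x03 0x00..0x04,
    # 2-byte length, then handshake type 0x01 = ClientHello.
    if (len(first_bytes) >= 6 and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03 and first_bytes[2] <= 0x04
            and first_bytes[5] == 0x01):
        return "tls"
    return "unknown"

def route(first_bytes, timed_out=False):
    """Return the (host, port) backend the connection is forwarded to."""
    proto = FALLBACK if timed_out else classify(first_bytes)
    if proto not in BACKENDS:
        # what real sslh does with unmatched data depends on its protocol
        # list (e.g. an --anyprot catch-all); not modelled here
        raise ValueError("no backend for %s traffic" % proto)
    return BACKENDS[proto]

# Constructed samples of the first bytes three kinds of client send.
SSH_BANNER = b"SSH-2.0-OpenSSH_9.2\r\n"
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"  # header only
PLAIN_HTTP = b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"

if __name__ == "__main__":
    for name, data in (("ssh", SSH_BANNER), ("tls", TLS_CLIENT_HELLO), ("http", PLAIN_HTTP)):
        print(name, "client ->", classify(data))
    print("silent client ->", route(b"", timed_out=True))
```

Plain http on 443 is the third case: it is neither ssh nor TLS, so it is not something this setup will serve.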


Don't forget that you must also reconfigure apache to listen on port 444 (in /etc/apache2/ports.conf and the appropriate sites-enabled conf file), and restart apache after modifying the files.



A Note Regarding Apache and sslh


Note also that some programs, such as Let's Encrypt's Certbot certificate tool, automatically define the https port as the default 443, so you then need to change that to 444, otherwise apache will not start because sslh already holds 443.


Apache ports.conf needs to look like this. Note that port 443 is not used:


root@gemini:/etc/apache2# cat ports.conf
# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default.conf

Listen 80

<IfModule mod_ssl.c>
        #Listen 443
        Listen 444
</IfModule>


The virtual host definition in sites-enabled also uses 444 instead of 443:


<VirtualHost *:444>
ServerName kevwells.com
ServerAlias www.kevwells.com
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

Include /etc/letsencrypt/options-ssl-apache.conf

SSLCertificateFile /etc/letsencrypt/live/kevwells.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/kevwells.com/privkey.pem
</VirtualHost>




