Profile Applicability:
• Level 1
Description:
Configuring the SSH daemon (sshd) access controls ensures only authorized users and hosts can connect to the system via SSH. Proper access configuration protects against unauthorized remote logins and potential security breaches.
Rationale:
Restricting sshd access mitigates unauthorized access risks by enforcing authentication methods, limiting user logins, and controlling allowed hosts or networks.
Impact:
Pros:
Enhances system security by controlling remote access.
Supports compliance with access control policies.
Cons:
Improper configuration may lock out legitimate users or services.
Default Value:
Default sshd configurations allow wide access unless customized.
Pre-requisites:
Root or sudo privileges to modify SSH daemon configuration.
Remediation:
Test Plan:
Using Linux command line:
Review sshd configuration file:
grep -E 'AllowUsers|AllowGroups|DenyUsers|DenyGroups|PermitRootLogin' /etc/ssh/sshd_config
Check for configured access restrictions and authentication methods.
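The grep above also matches commented-out lines and directives inside Match blocks, so a match does not prove a setting is in effect globally. The script below is an added example, not part of the original benchmark text; the function names sshd_first_value and audit_sshd_access and both sample configurations are constructed for illustration, and treating everything after the first Match line as conditional is a simplification.

```sh
#!/bin/sh
# Added example (not from the benchmark): audit sshd_config-style text.
# Pass the file contents or `sshd -T` output (which includes defaults).

# Print the first global value of lowercase keyword $1 in config text $2.
# sshd keeps the first value it obtains for a keyword, keywords are
# case-insensitive, and lines after a Match line apply only conditionally.
sshd_first_value() {
    printf '%s\n' "$2" | awk -v want="$1" '
        { sub(/^[ \t]+/, "") }             # drop leading whitespace
        /^#/ || /^$/ { next }              # skip comments and blank lines
        tolower($1) == "match" { exit }    # simplification: stop at first Match
        tolower($1) == want { $1 = ""; sub(/^[ \t]+/, ""); print; exit }'
}

# Print PASS/FAIL per check; return the number of failed checks.
audit_sshd_access() {
    cfg=$1; fails=0; acl=
    for kw in permitrootlogin passwordauthentication permitemptypasswords; do
        val=$(sshd_first_value "$kw" "$cfg" | tr 'A-Z' 'a-z')
        if [ "$val" = "no" ]; then echo "PASS $kw no"
        else echo "FAIL $kw ${val:-unset}"; fails=$((fails + 1)); fi
    done
    for kw in allowusers allowgroups denyusers denygroups; do
        if [ -n "$(sshd_first_value "$kw" "$cfg")" ]; then acl=$kw; fi
    done
    if [ -n "$acl" ]; then echo "PASS user/group restriction ($acl)"
    else echo "FAIL no Allow*/Deny* user or group restriction"; fails=$((fails + 1)); fi
    return "$fails"
}

# Constructed sample using the values from the Implementation Plan.
HARDENED='PermitRootLogin no
AllowUsers user1 user2
PasswordAuthentication no
PermitEmptyPasswords no'

# Constructed sample: the grep matches its PermitRootLogin and AllowUsers
# lines, yet neither is in effect globally (commented out or inside Match).
WEAK='#PermitRootLogin no
PasswordAuthentication yes
PasswordAuthentication no
Match User backup
    PermitRootLogin no
    AllowUsers backup'

audit_sshd_access "$HARDENED" || echo "hardened sample: $? failed check(s)"
audit_sshd_access "$WEAK" || echo "weak sample: $? failed check(s)"
```

On a live host, run it as root against the effective configuration with audit_sshd_access "$(sshd -T)", which also covers included files and defaults.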
Implementation Plan:
Using Linux command line:
Edit /etc/ssh/sshd_config to enforce access controls, for example:
PermitRootLogin no
AllowUsers user1 user2
PasswordAuthentication no
PermitEmptyPasswords no
Reload sshd service to apply changes:
systemctl reload sshd
Verify sshd status:
systemctl status sshd
Backout Plan:
Using Linux command line:
Revert changes in /etc/ssh/sshd_config if necessary.
Reload sshd service and verify accessibility.