Node Security Breakdown: SSH Hardening

Root Login Disabled

There is no good argument for root being directly accessible via ssh. You can login to any user via ssh and then switch user to root if you have its password. Setting

PermitRootLogin no

And restarting sshd service will block loging in as root via ssh..

[bg_collapse view=”button-blue” color=”#72777c” icon=”eye” expand_text=”Show More” collapse_text=”Show Less” ]
[asciinema id=”545″]

Disable Empty Passwords

Just like there is no good reason for root to have direct ssh access there is no good argument to allow users with empty passwords to login via ssh, or otherwise. We will settle for disabling empty passwords for ssh access, but you can do the same for the console as well. Setting

PermitEmptyPasswords no

and restarting sshd service will prevent logging in via ssh as an account with an empty password.

[bg_collapse view=”button-blue” color=”#72777c” icon=”eye” expand_text=”Show More” collapse_text=”Show Less” ]
[asciinema id=”548″]

Disable Password Authentication (ie. SSH Keys Required)

Disabling password authentication means for remote access you need an ssh key. This can be enabled by simply setting

ChallengeResponseAuthentication yes

and restarting sshd service will require ssh keys for logging in.

[bg_collapse view=”button-blue” color=”#72777c” icon=”eye” expand_text=”Show More” collapse_text=”Show Less” ]
[asciinema id=”550″]

Least Privileges / Role Separation

  • Access Account
  • Service Account
Access Account
  • Has SSH public Keys installed in authorized_keys
  • Is the primary account you access the node from
  • Has no sudo permissions, cannot restart node, etc.
  • Must su – to root & Service Account
Service Account
  • Has no SSH Keys installed in authorized_keys
  • Cannot be logged into via ssh as password authentication is disabled
  • Has limited sudo permissions which only allow it to restart your systemd service unit for the node, sendmytip, etc.

The separation of roles and privileges mean that if your ssh keys and its passphrase are compromised they provide access to a non privileged account. While the attacker has gained local shell, they either need your service account password, root account password or find a local exploit the system is vulnerable to. This may provide just enough time to evict the attacker and re-secure the server before they get access to your node, wallets, etc.

If you appreciate out content consider donating
Cardano [ADA]: addr1qy4dsxzsv8ugujxwwzaakmhffnj28p3kht9kp6zsdsr63qy2rnwgwxsr44p308nc983nav4ylt62p88agrj0cxvqvy2qwfjaye
Bitcoin [BTC]: bc1qe8z6xd5a2vfwqfxy0efllu6ausjkehfjhnlzcd
Ethereum [ETH, ERC20]: 0xf8DA14868c18a489f2b4656e7500510ac44471A6
Litecoin [LTC]: ltc1qa4qqx2vhd8nacwuksnhrnmxak8kxqs08kx87aa

Stake Pool Details