Securing OS X 10.7 sshd

There are many security attacks and threats of attack against every computer connected to the Internet.  One common threat is to gain access to a computer running sshd by simply trying millions of username and password combinations, known as a brute force attack.  Apple ships all versions of OS X with sshd and all other services turned off.  However, sshd can be enabled by checking the Remote Login checkbox in the Sharing preference panel.  Here are the extra steps that should be taken to secure OS X devices against common ssh attacks.

REMEMBER: Never enable anything in the Sharing control panel, including Remote Login, unless it cannot be avoided and you know when and how it is going to be used.


1) Restrict which IP addresses can ssh to the machine by adding a new hosts.allow file in the /private/etc folder.

Since this is simple to do, we recommend doing it even if Remote Login is turned off.  The file is a simple plain-text file named hosts.allow that is placed in the folder /private/etc. To restrict a machine to ssh connections from NC State campus machines, the contents of the file should be:

###

sshd : 152.1. : allow
sshd : 152.7. : allow
sshd : 152.14. : allow
sshd : ALL : deny

###
The restrictions take effect immediately after the file is saved.
Note: If access from off campus via the NC State VPN is desired, add the following additional line at the top of the file:
###
sshd : 10.136. : allow
###
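The rules above are matched top to bottom and the first matching line wins, with a pattern that ends in "." treated as an address prefix. The script below is an added example (it is not part of this guide) that evaluates that rule format against a client address so the file can be checked before relying on it. The rule list is constructed inline from the campus lines and the VPN line above; 203.0.113.7 is a made-up outside address; the real file is /private/etc/hosts.allow.

```shell
#!/bin/sh
# Added example, not from the original guide: evaluate hosts.allow-style rules
# ("daemon : client-pattern : action") the way TCP Wrappers does: first match
# wins, a pattern ending in "." is a string prefix, ALL matches anything.
# RULES is constructed inline from the guide's campus and VPN lines.

RULES='sshd : 10.136. : allow
sshd : 152.1. : allow
sshd : 152.7. : allow
sshd : 152.14. : allow
sshd : ALL : deny'

# trim leading/trailing blanks from one field
trim() {
    printf '%s' "$1" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//'
}

# hosts_allow_decision DAEMON CLIENT_IP -> prints "allow" or "deny"
hosts_allow_decision() {
    daemon="$1"; client="$2"
    # With no matching rule TCP Wrappers falls through to hosts.deny and then
    # permits the connection; the closing "sshd : ALL : deny" line is what
    # turns the list into a whitelist, so the starting value here is "allow".
    decision="allow"
    while IFS=: read -r d pat act; do
        d=$(trim "$d"); pat=$(trim "$pat"); act=$(trim "$act")
        [ -z "$d" ] && continue                     # skip blank lines
        case "$d" in "$daemon"|ALL) ;; *) continue ;; esac
        matched=0
        if [ "$pat" = "ALL" ]; then
            matched=1
        else
            case "$pat" in
                *.) case "$client" in "$pat"*) matched=1 ;; esac ;;   # prefix rule
                *)  [ "$client" = "$pat" ] && matched=1 ;;            # exact host
            esac
        fi
        if [ "$matched" = 1 ]; then decision="$act"; break; fi
    done <<EOF
$RULES
EOF
    printf '%s\n' "$decision"
}

# Checks worth running before trusting the file:
hosts_allow_decision sshd 152.1.20.5     # allow: campus range
hosts_allow_decision sshd 152.10.20.5    # deny: "152.1." does not cover 152.10.x.x
hosts_allow_decision sshd 10.136.4.9     # allow: VPN range
hosts_allow_decision sshd 203.0.113.7    # deny: constructed outside address
```

The second check is the one that matters: without the trailing "." a pattern such as "152.1" would also admit 152.10.0.0 through 152.19.255.255, so keep the dot on every prefix line.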

2) Change the port number used to accept ssh connections.
All UNIX-based machines use agreed-upon network port numbers to make connections to other machines.  On OS X 10.7 these are defined in the plain text file named “services” in the /private/etc folder.
There are many entries in the services file, but we only need to change 4 lines:
Change the section:
###
ssh              22/udp     # SSH Remote Login Protocol
ssh              22/tcp     # SSH Remote Login Protocol
#                          Tatu Ylonen <ylo@cs.hut.fi>
telnet           23/udp     # Telnet
telnet           23/tcp     # Telnet
#                          Jon Postel <postel@isi.edu>
                 24/udp     # any private mail system
                 24/tcp     # any private mail system
#                          Rick Adams <rick@UUNET.UU.NET>
###
to:
###
ssh              24/udp     # SSH Remote Login Protocol
ssh              24/tcp     # SSH Remote Login Protocol
#                          Tatu Ylonen <ylo@cs.hut.fi>
telnet           23/udp     # Telnet
telnet           23/tcp     # Telnet
#                          Jon Postel <postel@isi.edu>
#                24/udp     # any private mail system
#                24/tcp     # any private mail system
#                          Rick Adams <rick@UUNET.UU.NET>
###
This changes the port number that both sshd and the ssh client use by default.
Remember that the ssh client will now also use port 24 by default when connecting to another computer.
To connect to a system that uses the common port 22, use something like:
ssh username@server.ncsu.edu -p 22
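The reason the two unnamed "private mail system" lines are commented out is that they would otherwise leave port 24 assigned twice.  The script below is an added example, not code from this guide, that parses text in services-file format to show what the name ssh resolves to before and after the edit, and to flag any port/protocol that remains listed on more than one active line.  The BEFORE and AFTER snippets are constructed from the section above; NAIVE is a constructed version of the edit with the port 24 lines left uncommented; on a real machine feed the functions /private/etc/services instead.

```shell
#!/bin/sh
# Added example, not from the original guide: checks for /etc/services-style text.
# services_port shows the port a service name resolves to; services_conflicts
# reports any port/proto used by more than one active entry. Snippets are
# constructed inline from the guide's before/after listing.

BEFORE='ssh              22/udp     # SSH Remote Login Protocol
ssh              22/tcp     # SSH Remote Login Protocol
telnet           23/udp     # Telnet
telnet           23/tcp     # Telnet
                 24/udp     # any private mail system
                 24/tcp     # any private mail system'

AFTER='ssh              24/udp     # SSH Remote Login Protocol
ssh              24/tcp     # SSH Remote Login Protocol
telnet           23/udp     # Telnet
telnet           23/tcp     # Telnet
#                24/udp     # any private mail system
#                24/tcp     # any private mail system'

# The mistake to catch: ssh moved to 24 but the unnamed 24/* lines left active
# (constructed by un-commenting those two lines of AFTER).
NAIVE=$(printf '%s\n' "$AFTER" | sed 's/^#\( *24\/\)/ \1/')

# services_port NAME PROTO  (services text on stdin) -> prints the port number
services_port() {
    awk -v n="$1" -v p="$2" '
        { sub(/#.*/, "") }                    # drop comments
        NF >= 2 && $1 == n {
            split($2, a, "/")                 # "24/tcp" -> a[1]=24, a[2]=tcp
            if (a[2] == p) { print a[1]; exit }
        }'
}

# services_conflicts  (services text on stdin)
# -> prints each port/proto that appears on more than one active line,
#    counting unnamed lines such as "    24/tcp" as well
services_conflicts() {
    awk '
        { sub(/#.*/, ""); if (NF == 0) next }
        { pp = ($1 ~ /\//) ? $1 : $2          # unnamed line: port is field 1
          if (pp ~ /^[0-9]+\/(tcp|udp)$/) seen[pp]++ }
        END { for (k in seen) if (seen[k] > 1) print k }' | sort
}

printf '%s\n' "$BEFORE" | services_port ssh tcp      # 22
printf '%s\n' "$AFTER"  | services_port ssh tcp      # 24
printf '%s\n' "$NAIVE"  | services_conflicts         # 24/tcp and 24/udp
printf '%s\n' "$AFTER"  | services_conflicts         # nothing: edit is clean
```

Moving sshd off port 22 cuts the log noise from bulk scanners that only try the default port, but a scan of all ports still finds it, so treat this step as a complement to the hosts.allow restriction in step 1 rather than a replacement for it.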

3) Restrict which users can use Remote Login (ssh) to connect to the machine.
This is done in the Sharing System Preference panel by selecting Remote Login and adding a user to the list in the Allow Access For section on the right.
Please note: If the computer is bound to a directory such as the NC State Active Directory, then turning on Remote Login without restriction will allow every user in that directory to log in.  Please restrict Remote Login even if it is not turned on.