Secure CoreOS Container Linux SSH Daemon on a Public Cloud

If you have ever stood up a Linux server on the public internet and watched the system logs, you will know that it starts getting pounded almost immediately by people looking for a new machine to add to their botnet or use for other nefarious purposes. This is an even bigger problem with the rise of public clouds, which has drastically increased the number of servers with public-facing SSH daemons and given the bad guys a larger target. For this reason, you should never leave the SSH config at its defaults on a server that is reachable from the internet. Most people are familiar with how to do this on traditional Linux distributions, but what about the newcomer, CoreOS Container Linux? Here I will give some tips on tightening the SSH configuration on your CoreOS server to make it more secure.

SSH Keys

First things first: you shouldn’t really be using a password on a server with a public-facing SSH daemon. SSH keys are much larger and almost impossible to crack, making them my method of choice for securing SSH connections. If you don’t have one generated on your Mac or Linux machine, execute the following command to generate a key pair. This needs to be done before you disable password authentication below, otherwise you will be locked out of your machine via SSH.

ssh-keygen -t rsa

This will generate two files, id_rsa and Adding the keys to an existing CoreOS box is pretty simple. Log in over SSH and execute the command below.

echo '<contents of ~/.ssh/>' | update-ssh-keys -a core

Now that you have an SSH key configured, we can move on to securing the daemon.

Securing the SSH Daemon

Next, change the sshd config to turn off all password-related authentication and disable root login over SSH.

  1. Remove the old templated config symlink: sudo rm -r /etc/ssh/sshd_config
  2. Copy the template into place: sudo cp /usr/share/ssh/sshd_config /etc/ssh/sshd_config
  3. Edit /etc/ssh/sshd_config as root and add the following lines to it:
    # Stop processing of keyboard-based authentication altogether
    UsePAM no
    # No longer prompt for login
    ChallengeResponseAuthentication no
    # Turn off password authentication
    PasswordAuthentication no
    # Disable root login altogether
    PermitRootLogin no
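
The check below is an added example, not part of the original post. sshd keeps the first value it reads for each keyword, so lines added at the bottom of the file are ignored if the same keyword is already set higher up; the script reports the value actually in effect for the four directives from step 3. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): check that the four directives
# from step 3 are the values sshd will actually use. sshd keeps the FIRST value
# it reads for a keyword, so appending "UsePAM no" below an existing
# "UsePAM yes" changes nothing. Keywords are matched case-insensitively.

# effective_value FILE KEYWORD: print the first global value of KEYWORD.
effective_value() {
    awk -F'[ \t=]+' -v want="$2" '
        { sub(/^[ \t]+/, "") }            # drop leading whitespace, re-split fields
        /^#/ || /^$/ { next }             # skip comment and blank lines
        tolower($1) == "match" { exit }   # Match blocks are conditional: stop there
        tolower($1) == tolower(want) { print tolower($2); exit }
    ' "$1"
}

# audit_sshd_config FILE: report each directive; return 1 unless all are "no".
audit_sshd_config() {
    rc=0
    for kw in UsePAM ChallengeResponseAuthentication PasswordAuthentication PermitRootLogin; do
        val=$(effective_value "$1" "$kw")
        if [ "$val" = "no" ]; then
            echo "OK    $kw no"
        else
            echo "FAIL  $kw ${val:-unset}"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: a base config that already sets UsePAM, with the four
# lines from step 3 appended at the end. The file contents are an assumption.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Subsystem sftp internal-sftp
UsePAM yes
# lines appended while following step 3
UsePAM no
ChallengeResponseAuthentication no
PasswordAuthentication no
PermitRootLogin no
EOF
audit_sshd_config "$sample" || echo "=> move the new lines above the conflicting ones"
rm -f "$sample"
```

Run audit_sshd_config /etc/ssh/sshd_config after editing the file. On the server itself, sudo sshd -T prints the full configuration that sshd resolves.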

Change Listen Port

To increase security further, you can change the port SSH listens on to something other than 22. This makes it slightly less convenient to log in, but greatly improves security.

  1. Copy the SSH socket config to systemd/system: sudo cp /usr/lib/systemd/system/sshd.socket /etc/systemd/system/sshd.socket
  2. Edit /etc/systemd/system/sshd.socket as root and change the value of ListenStream to the desired port.
  3. Reload systemd and restart the sshd socket: sudo systemctl daemon-reload && sudo systemctl restart sshd.socket

Hopefully, this post has been helpful and will put you a step ahead of the bad guys when deploying Container Linux. Remember, security is a never-ending battle that you must always continue to fight.
