Configuring the SSH Server

You must configure an SSH server before you can use HSTS. To increase the security, configure transfer-server authorization to use a host-key fingerprint.

SSH configuration

Configure SSH for use with HSTS.

About this task

The file that is used in the following steps is: 
/etc/ssh/sshd_config

Procedure

  1. Open the SSH configuration file /etc/ssh/sshd_config.
  2. Disable SSH tunneling.
    Add the following lines to the end of the file (or modify them if they already exist): 
    AllowTcpForwarding no

    Depending on your sshd_config file, you might have additional instances of AllowTCPForwarding that are set to the default Yes. Review your sshd_config file for other instances and disable if necessary.

  3. Update authentication methods. Disable agent forwarding, which is enabled by default.
    Add the following to your SSH configuration file: 
    AllowAgentForwarding no
  4. Update authentication methods
    Public key authentication can prevent brute-force SSH attacks if all password-based authentication methods are disabled. For this reason, disable password authentication in your SSH configuration file and enable private and public key authentication.
    Note: Before you proceed, configure at least one nonroot, nontransfer user with a public key to use to manage the server. This is because in other server-securing steps, root login is disabled and the transfer users are restricted to aspshell, which does not allow interactive login. This user and public key is what you use to access and manage the server as an administrator. 
    PubkeyAuthentication yes
PasswordAuthentication no
    Note: If you choose to leave password authentication enabled, be sure to advise account creators to use strong passwords and set PermitEmptyPasswords to no. 
    PermitEmptyPasswords no
  5. If SSH is not going to be used for other purposes on your system, consider restricting use to an explicit list of allowed HSTS users. By default all users are allowed to log in using the OpenSSH service.
    Attention: If you are on a Windows Domain, you must use the AllowUsers and AllowGroups configuration options to limit access to the server.
    Use the AllowUsers directive in your SSH configuration file. For example, 
    AllowUsers xfer1 xfer2 xfer3
  6. For optimal security, configure SSH to use strong ciphers and MACs, such as the AES and HMAC SHA2 variants. Use the sshd_config directives Ciphers and MACs. Be sure to check which ciphers and MACs are supported by your version of OpenSSH.
    For example, 
    Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
  7. The SFTP subsystem is not used by HSTS. If you don't need the SFTP, you can disable it.
  8. Disable root login.
    CAUTION: This step disables root access. Before you do so, make sure that you have at least one user account with sudo privileges before continuing, otherwise you might not have access to administer your server.
    By default, OpenSSH allows root logins. However, disabling root access helps maintain a more secure server. Disable root access by changing the PermitRootLogin assignment to no. 
    PermitRootLogin no

    Administrators can use the su command when root privileges are necessary.

  9. Start the SSH server to apply the new settings. 
    $ sudo stopsrc -s sshd 
$ sudo startsrc -s sshd

    Restarting your SSH server does not affect currently connected users.

  10. If you enabled logging, review your logs periodically for evidence of attacks.

Changing the TCP port number

SSH servers listen for incoming connections on TCP Port 22 by default. As such, Port 22 is subject to numerous unauthorized login attempts by hackers who attempt to access unsecured servers. An effective deterrent is to close Port 22 and run the service on a seemingly random port in the range 1024 - 65535. To standardize the port for use in Aspera transfers, set the TCP port to 33001 and close TCP/22.

About this task

Prerequisites:

  • Before changing the default port for SSH connections, verify with your network administrators that TCP/33001 is open.
  • Before closing port TCP/22, notify the users of the change.

Notifying users - How to specify TCP/33001

Aspera recognizes that disabling the default SSH connection port (TCP/22) might affect your clients. When you change the port, ensure that you advise your users on how to configure the new port number, from the GUI (if available and used) and from the command line.

  • GUI: Click Connections and select the entry for the server whose ports you are changing. On the Connection tab, click Show Advanced Settings and in the SSH Port (TCP) field enter 33001.
  • Command line: Clients running transfers from the command line can specify the port by using the ascp -P 33001 option.

Changing to TCP/33001

The following steps require root privileges.

Procedure

  1. Open the SSH configuration file /etc/ssh/sshd_config.
  2. Add the TCP/33001 SSH port and close TCP/22.
    Comment out the line for Port 22 and add a line for Port 33001: 
    #Port 22 
Port 33001

    When this setting takes effect:

    • Aspera clients must set the transfer port to 33001 in the GUI, or from the command line use the ascp -P 33001 option.
    • Server administrators must use ssh -p 33001 to access the server through SSH.

Configuring transfer server authentication with a host-key fingerprint

Configure the transfer-server authorization to use a host key fingerprint to prevent server impersonation and man-in-the-middle (MITM) attacks. Aspera clients can verify the server's authenticity before starting a transfer by comparing the trusted SSH host key fingerprint, which is obtained directly from the server admin or through an Aspera client web application, with the host key fingerprint that is returned when the connection is made.

Procedure

  1. Open the SSH configuration file /etc/ssh/sshd_config and set the appropriate SSH key type.
    The HostKey directive can be set to specify various SSH key types. The type that you choose must conform to the requirements of the server's intended clients.
    If you are going to use the server with any of the following product releases, you must modify your configuration to use RSA encryption. If you do not, you can get an error for mismatched fingerprints, and your transfers fails:
    • IBM® Aspera Connect
    • IBM Aspera Command Line Interface (ascli)
    • IBM Aspera Cargo
    HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
    If you are going to use your server with later versions of these clients, then use the following configuration: 
    #HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
  2. Restart the SSH server to apply new settings.
    The commands for System D and System V (init.d) systems are: 
    # systemctl restart sshd.service 
    # service sshd restart
  3. Restart the noded service to activate your changes.
    Run the following commands to restart the Aspera Node Service:
    > /etc/rc.d/init.d/asperanoded restart

Configuring the SSH host-key

Procedure

  1. Set the host key fingerprint or path in the transfer server's aspera.conf file. If you set the host key path, the fingerprint is retrieved from the key file automatically rather than manually.

    Set the host key path

    1. To set the SSH host key path instead of the fingerprint, from which the fingerprint is automatically retrieved, run the following command: 
      # asconfigurator -x "set_server_data;ssh_host_key_path,ssh_key_filepath"

      This command creates a line similar to the following example of the <server> section of aspera.conf:

      <ssh_host_key_path>/etc/ssh/ssh_host_rsa_key.pub</ssh_host_key_path>

    Retrieve and set the host key fingerprint

    1. Retrieve the server's SHA-1 fingerprint. 
      # cat /etc/ssh/ssh_host_rsa_key.pub | awk '{print $2}' | base64 --decode | sha1sum | awk '{print $1}'
    2. Set the SSH host key fingerprint in aspera.conf. 
      # asconfigurator -x "set_server_data;ssh_host_key_fingerprint,fingerprint"
      This command creates a line similar to the following example of the <server> section of aspera.conf: 
      <ssh_host_key_fingerprint>8e6371caacdfb9d7228680132a7cd72a685320a2</ssh_host_key_fingerprint>
  2. Restart the node service to activate your changes.
    Run the following commands to restart the Aspera Node Service:
    > /etc/rc.d/init.d/asperanoded restart