Cygwin - Security

Written: 03/24/12

Last Updated: 07/28/13

This guide is the third part of my Cygwin SSH server series and assumes that the first two guides have already been completed. If you are just now joining in on this series, the first article can be found here. This article focuses on how to make the server more secure by editing some of the settings found in the sshd_config and ssh_config files. The sshd_config file is the “sshd server system-wide configuration file” and the ssh_config file is the “ssh client system-wide configuration file”. As the header in the files points out, the commented values, noted by a “#”, are the default settings. In this tutorial, I will uncomment some of those, to emphasize their importance.

Begin by running your favorite text editor from a Cygwin console. I prefer to use nano, so that is what will be used in this tutorial. If you are unfamiliar with nano, you can simply read the manpage on it by executing the command “man nano”. From the Cygwin console execute the below command.

nano /etc/sshd_config


The first thing we will change is the port number. Running the service on a nonstandard port is an easy way to avoid simple port scanners that only probe the default SSH port, 22. It does not hide the service from a full port scan, so treat it as noise reduction rather than protection. Make sure to use a high-value port number. You can find a list of ports and their default assignments here. To be sure that your port assignment will not conflict with another assignment, use an unassigned port. To make this change, simply edit the line shown in the picture below to your port assignment. For this example, I use the port 8895.

[Screenshots: the port line in sshd_config, before and after the change]

It is very important that you force the use of SSH protocol 2 only, as SSH protocol 1 has some major security flaws. This is already the default, but I will emphasize this.

[Screenshots: the protocol line in sshd_config, before and after the change]

The last thing you want is for someone to attack your root account and gain access to your server. An easy fix is to disable root logins, as shown in the picture below.

[Screenshots: the root login line in sshd_config, before and after the change]

If you wish, you can also change the maximum number of failed connection attempts and the maximum number of consecutive login sessions.

[Screenshots: the connection attempt and session limit lines in sshd_config, before and after the change]

Public key authentication provides a more secure way to log in to the server. It uses a key pair and removes the need to enter a password at login.

[Screenshots: the public key authentication line in sshd_config, before and after the change]

If you also wish to use the default, standard way of password authentication, it is extremely important to disallow empty passwords. As you can imagine, an empty password would be an easy way for a cracker to gain access to your precious server.

[Screenshots: the empty password line in sshd_config, before and after the change]

Make sure that privilege separation is enabled.


To exit nano and save your changes press CTRL+X, then Y, and then Enter.


Before those changes can take effect, the server must be restarted. An easy way to do that is to stop it and then start it again, which can be done by issuing the commands below.

net stop sshd
net start sshd
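
To check that the saved file really contains the settings covered in this guide, the script below audits an sshd_config from the Cygwin console. It is an added example, not part of the original guide: the keyword names are assumptions based on the OpenSSH of the guide's era (the screenshots are not preserved), "high-value" is taken to mean a port above 1023, and the sample config is constructed.

```shell
#!/bin/sh
# Added example, not from the original guide. Keyword names are assumptions
# (OpenSSH of the guide's era). Only the global section is read, not Match blocks.

# Print the first uncommented value of KEYWORD ($2) in FILE ($1). sshd keeps the
# first value it sees for a keyword, and keywords are case-insensitive.
effective_value() {
    awk -v key="$2" '
        /^[ \t]*#/                  { next }
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}
# Print one line per check; return 0 only when every check passes. A keyword
# that is commented out or missing fails: the guide uncomments what it relies on.
audit_sshd_config() {
    file=$1 fails=0
    while read -r key op want; do
        got=$(effective_value "$file" "$key")
        if [ -n "$got" ] && [ "$got" "$op" "$want" ]; then
            echo "ok    $key $got"
        else
            echo "FAIL  $key is '${got:-unset}', expected $op $want"
            fails=$((fails + 1))
        fi
    done <<'EOF'
Protocol = 2
PermitRootLogin = no
PubkeyAuthentication = yes
PermitEmptyPasswords = no
UsePrivilegeSeparation != no
EOF
    # Assumption: "high-value" means above the privileged range (1023).
    port=$(effective_value "$file" Port)
    case $port in ''|*[!0-9]*) port=22 ;; esac   # not set: sshd listens on 22
    if [ "$port" -gt 1023 ]; then
        echo "ok    Port $port"
    else
        echo "FAIL  Port is $port, expected a nonstandard port above 1023"
        fails=$((fails + 1))
    fi
    [ "$fails" -eq 0 ]
}

# Constructed sample with the guide's edits applied (8895 is the guide's port).
sample=$(mktemp)
printf '%s\n' 'Port 8895' 'Protocol 2' 'PermitRootLogin no' 'PubkeyAuthentication yes' \
    'PermitEmptyPasswords no' 'UsePrivilegeSeparation yes' > "$sample"
audit_sshd_config "$sample"
rm -f "$sample"
```

To audit the live file, call `audit_sshd_config /etc/sshd_config` after saving your edits; a non-zero exit status means at least one setting is missing or still commented out.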


This concludes the basic security settings for Cygwin. The next article in the series covers how to create a Windows user group. Click here to go to that article.
