How to prevent unattended SSH connections from remaining connected

April 28, 2020

Preventing idle SSH sessions from remaining connected is an easy way to add a bit more security to secure shell. Find out how.


If you’re a Linux admin, you know the value of Secure Shell. Without this tool, you’d be hard-pressed to get much remote administration done on your servers. In fact, you probably SSH into and out of machines all day. Or, you might SSH into a server and inadvertently leave that connection up throughout the day.

And that, my friends, is inviting trouble.

What if you leave that connection up and running and someone happens by your desk while you’re away? That someone could take a seat and have at your server. You do not want that. Or what if you have other users who secure shell into those servers, and you can’t look over their shoulders all day?

This is not something you should leave to chance.

Can you do anything about that? You certainly can. Secure Shell includes a timeout feature that allows you to configure the SSH server so that it disconnects a user after a set period of inactivity.

Let me show you how this is done.


What you’ll need

How to configure Secure Shell for timeouts on the server

Out of the box, the SSH daemon configuration doesn’t set the options needed for inactivity timeouts. That’s fine, because we can easily add them. However, there are two configurations we want to take care of. The first prevents idle sessions from remaining connected on the server end.

To take care of this, open the configuration file on the server for editing with the command:

sudo nano /etc/ssh/sshd_config

Scroll to the bottom of that file and add the following three lines:

TCPKeepAlive yes
ClientAliveInterval 30
ClientAliveCountMax 2

ClientAliveInterval is given in seconds by default. You could also use:

ClientAliveInterval 5m

However, the trick is in the ClientAliveCountMax option, which tells the SSH daemon how many timeout intervals to count. So if you set ClientAliveCountMax to 2, it counts two times the ClientAliveInterval. If you set ClientAliveInterval to 5m and ClientAliveCountMax to 2, the total timeout would be 10 minutes.

You could also set the options to:

ClientAliveInterval 10m
ClientAliveCountMax 0

The above configuration would also time out after 10 minutes of inactivity.

Once you’ve made your configurations, restart the SSH daemon with the command:

sudo systemctl restart sshd

The above configuration takes care of idle sessions from the server end of things.
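As an added example that is not part of the article, here is a POSIX shell script that reads a constructed sshd_config snippet and reports the disconnect time a ClientAliveInterval / ClientAliveCountMax pair really yields, applying sshd’s own parsing rules (time suffixes such as 5m, comments ignored, first occurrence of a keyword wins). The function names are my own; the only option names are the ones discussed above.

```shell
#!/bin/sh
# Added example (not from the article): work out the disconnect time that a
# ClientAliveInterval / ClientAliveCountMax pair in sshd_config produces,
# following sshd_config(5): comment lines are ignored, keywords are
# case-insensitive, and the FIRST occurrence of a keyword wins, so a line
# appended at the bottom loses to an uncommented one higher up.
# Assumes plain "Keyword value" lines (no "Keyword=value" form).

# to_seconds VALUE: sshd time suffixes s, m, h, d, w; a bare number is seconds.
to_seconds() {
    case "$1" in
        *s) echo "${1%s}" ;;
        *m) echo $(( ${1%m} * 60 )) ;;
        *h) echo $(( ${1%h} * 3600 )) ;;
        *d) echo $(( ${1%d} * 86400 )) ;;
        *w) echo $(( ${1%w} * 604800 )) ;;
        *)  echo "$1" ;;
    esac
}

# first_value KEYWORD FILE: the value sshd would use, empty if the keyword is unset.
first_value() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF < 2 { next }
        tolower($1) == key { print $2; exit }
    ' "$2"
}

# effective_timeout FILE: seconds of client silence before sshd drops the
# session, 0 when the mechanism is off. Defaults per sshd_config(5):
# ClientAliveInterval 0 (disabled), ClientAliveCountMax 3. OpenSSH 8.2 and
# later treat ClientAliveCountMax 0 as "never disconnect", so 0 is reported.
# Caveat: sshd counts alive messages the client failed to answer, so this is
# the time a dead or unreachable client keeps a session; a client that is
# idle but still answering stays connected, which is why the article also
# sets TMOUT in bash.
effective_timeout() {
    interval=$(to_seconds "$(first_value ClientAliveInterval "$1")")
    count=$(first_value ClientAliveCountMax "$1")
    echo $(( ${interval:-0} * ${count:-3} ))
}

# Demo on a constructed snippet: the article's 5m x 2 pair appended below the
# commented-out defaults found in a stock sshd_config.
demo=$(mktemp)
printf '#ClientAliveInterval 0\n#ClientAliveCountMax 3\nTCPKeepAlive yes\nClientAliveInterval 5m\nClientAliveCountMax 2\n' > "$demo"
echo "sshd would disconnect after $(effective_timeout "$demo") seconds"   # 600
rm -f "$demo"
```

On a real server, sudo sshd -T | grep -i clientalive prints the values sshd is actually running with, and sudo sshd -t checks the edited file for errors before you restart the daemon.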

How to configure Secure Shell for client timeouts

Now we’re going to set the timeout on the client end. You don’t have to do this, as the server setting should take care of idle timeouts. But if you’re of the overly cautious persuasion, you might want to prevent any client from remaining connected to any remote server via SSH. Unfortunately, this cannot be set globally on the server, but must be taken care of on the individual clients.

This configuration is handled by bash, in the .bashrc file. But instead of going through every user’s ~/.bashrc file, you can do this in the global file with the command:

sudo nano /etc/bash.bashrc

In that file scroll down to the bottom and add the following lines:

TMOUT=300
readonly TMOUT
export TMOUT

The TMOUT option sets the amount of time (in seconds) that an idle connection will be allowed. A configuration of TMOUT=300 will break idle connections after five minutes.

How to test the configuration

Now that you’ve configured the timeout interval, open a new terminal window, connect to one of your remote Linux servers via SSH, and don’t do anything at the terminal. You should be kicked out of the session as soon as the allotted inactive time passes.

And that’s all there is to disconnecting SSH sessions after a period of inactivity. Do this to prevent anyone from being able to pull off various and sundry shenanigans after you (or anyone else) have left a desk with an SSH connection up and running.
