Automatically Disconnect Idle or Inactive SSH Sessions (After Few Minutes Of Inactivity)
We have wrote many articles about SSH hardening. Today, we are going to explain another SSH hardening tips, how to disconnect idle or inactive ssh sessions automatically (after few minutes of inactivity).
If you had been working for long time on ssh session and you feel very lazy and you want to move caftarea to had a cup of coffee but you are forgotten to disconnect the ssh session, this is the most important point that has to be noted by every Linux users because its very sensitive issues.
If anyone made some changes over there, then there is noway/option to recover it back. To overcome this kind of situation, i would advise you to follow the below procedure.
How To Configure SSH Automatic Disconnection?
sshd_config file on system which is located at /etc/ssh/sshd_config and modify the below settings to disconnect the SSH idle session after few minutes of inactivity.
find ClientAliveInterval & ClientAliveCountMax on sshd_config file and uncomment the line then add 300 (5 mins) instead of 0 and set ClientAliveCountMax is 0.
# nano /etc/ssh/sshd_config #AllowAgentForwarding yes #AllowTcpForwarding yes #GatewayPorts no #X11Forwarding no X11Forwarding yes #X11DisplayOffset 10 #X11UseLocalhost yes #PrintMotd yes #PrintLastLog yes #TCPKeepAlive yes #UseLogin no #UsePrivilegeSeparation yes #PermitUserEnvironment no #Compression delayed ClientAliveInterval 300 ClientAliveCountMax 0 #ShowPatchLevel no #UseDNS yes #PidFile /var/run/sshd.pid #MaxStartups 10 #PermitTunnel no #ChrootDirectory none
Restart The SSH session
After modification, just restart the ssh service to take effect. If there is no activity in the user ssh session, it will be disconnected automatically after 5 minutes.
For SysVinit System
# service sshd restart Stopping sshd: [ OK ] Starting sshd: [ OK ]
For systemd System
# systemctl restart sshd
Check Whether The Experiment working or not?
Everything has been done and we have to check whether this configuration working fine or not by login into two different sessions.
Now, we are going to login with
root credential and leaving the
mageshm session as idle and keep checking this session status continuously in
root session (every mins) to see what will happen. See the below output for better understanding.
# w 12:22:04 up 8 days, 22:16, 2 users, load average: 0.00, 0.00, 0.00 USER TTY FROM [email protected] IDLE JCPU PCPU WHAT root pts/0 22.214.171.124 11:48 0.00s 0.10s 0.00s w mageshm pts/1 126.96.36.199 12:20 1:06 0.01s 0.01s -bash # w 12:23:05 up 8 days, 22:17, 2 users, load average: 0.05, 0.01, 0.00 USER TTY FROM [email protected] IDLE JCPU PCPU WHAT root pts/0 188.8.131.52 11:48 0.00s 0.10s 0.00s w mageshm pts/1 184.108.40.206 12:20 2:07 0.01s 0.01s -bash # w 12:24:13 up 8 days, 22:18, 2 users, load average: 0.01, 0.01, 0.00 USER TTY FROM [email protected] IDLE JCPU PCPU WHAT root pts/0 220.127.116.11 11:48 0.00s 0.10s 0.00s w mageshm pts/1 18.104.22.168 12:20 3:15 0.01s 0.01s -bash # w 12:25:29 up 8 days, 22:20, 2 users, load average: 0.00, 0.00, 0.00 USER TTY FROM [email protected] IDLE JCPU PCPU WHAT root pts/0 22.214.171.124 11:48 0.00s 0.12s 0.02s w mageshm pts/1 126.96.36.199 12:20 4:31 0.01s 0.01s -bash # w 12:25:57 up 8 days, 22:20, 2 users, load average: 0.00, 0.00, 0.00 USER TTY FROM [email protected] IDLE JCPU PCPU WHAT root pts/0 188.8.131.52 11:48 0.00s 0.12s 0.00s w mageshm pts/1 184.108.40.206 12:20 4:59 0.01s 0.01s -bash # w 12:26:00 up 8 days, 22:20, 1 user, load average: 0.00, 0.00, 0.00 USER TTY FROM [email protected] IDLE JCPU PCPU WHAT root pts/0 220.127.116.11 11:48 0.00s 0.12s 0.00s w
The above output shows only one active
root SSH session which is used by root. The other session owned by
mageshm got disconnected automatically after 5 mins of inactivity. That’s why last w command shows only 1 active user.
How It’s working?
This can be done by enabling ClientAliveCountMax and ClientAliveInterval options in sshd_config file.
ClientAliveCountMax – This indicates the total number of client alive message sent by the ssh client without getting any response from the ssh client. By default ClientAliveCountMax is 3 and we are going to set zero (0) to check this experiment. If this threshold is reached while server alive messages are being sent, ssh will disconnect from the server, terminating the session.
ClientAliveInterval – This indicates the timeout in X seconds, in my case it’s (300 seconds). After 5 minutes sshd will send a message through the encrypted channel to request a response from the client. The default is 0, indicating that these messages will not be sent to the client.
Check mageshm SSH session?
When i cross check the mageshm ssh session, the session was expired and getting below error message.
PuTTY Fatal Error
XServer unexpectedly closed network connection