UnixServerAdmin

Server Administration & Management

Hardening SSH Server

As with all security, it comes in layers: the more layers you add, the harder it becomes to gain access to your server. One of the first things you will want to do is harden sshd, since it is a primary avenue for gaining access to your server.

Step 1: First, create a regular user, since we are disabling direct root login:

# useradd admin

# passwd admin

Step 2: Back up your current sshd_config

# cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

Step 3: Edit the sshd_config file

# vi /etc/ssh/sshd_config

————————————————
## Changing to another port is recommended, e.g. 8875
#Port 22
Port 8875
## Sets the listening address on the server. default=0.0.0.0
## ListenAddress 192.168.0.1
## Enforce SSH protocol 2 only
# Protocol 1,2
Protocol 2
## Disable direct root login. With this set to no you log in as the admin user, then “su -” to root
#PermitRootLogin Yes
PermitRootLogin no
## Run the unprivileged parts of sshd in a separate, unprivileged process
UsePrivilegeSeparation yes
## Disable TCP port forwarding through the server
AllowTcpForwarding no
## Disable X11 forwarding
X11Forwarding no
## Checks that users' home directories and rhosts files aren't world-writable before allowing login
StrictModes yes
## IgnoreRhosts specifies that .rhosts and .shosts files are not used in authentication
IgnoreRhosts yes
## Disable host-based authentication
HostbasedAuthentication no
## RhostsRSAAuthentication specifies whether sshd may try rhosts-based authentication with RSA host keys
RhostsRSAAuthentication no
## Adds a login banner that the user sees before authenticating
Banner /etc/motd
## Enable / disable the sftp server (commented out = disabled)
#Subsystem      sftp    /usr/libexec/openssh/sftp-server
## Add the users that are allowed to log in
AllowUsers admin
————————————————

Save the file.

Step 4: Add text to the MOTD banner file (/etc/motd)

# vi /etc/motd

Step 5: Restart the sshd daemon

# service sshd restart
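To confirm that the edits above actually took effect before you restart sshd, here is an added audit script (not from the original post) that reads an sshd_config and reports every directive that deviates from the hardened values listed in Step 3. It assumes the helper names effective_value and check_sshd_config, and relies on the fact that sshd uses the first non-comment occurrence of a keyword.

```shell
#!/bin/sh
# Audit helper for the hardening settings above (added example, not the post's own code).
# sshd honours the FIRST active occurrence of each keyword, so that is what we read.

# effective_value FILE KEYWORD -> prints the first active value (lower-cased), or nothing
effective_value() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print tolower($2); exit }' "$1"
}

# check_sshd_config FILE -> prints one line per deviation; exit status 0 only if clean
check_sshd_config() {
    file=$1
    problems=0
    for want in "PermitRootLogin=no" "Protocol=2" "X11Forwarding=no" \
                "AllowTcpForwarding=no" "StrictModes=yes" "IgnoreRhosts=yes" \
                "HostbasedAuthentication=no" "RhostsRSAAuthentication=no" \
                "UsePrivilegeSeparation=yes"; do
        key=${want%%=*}
        value=${want#*=}
        actual=$(effective_value "$file" "$key")
        if [ -z "$actual" ]; then
            echo "MISSING  $key (sshd default applies; expected $value)"
            problems=$((problems + 1))
        elif [ "$actual" != "$value" ]; then
            echo "MISMATCH $key is '$actual', expected '$value'"
            problems=$((problems + 1))
        fi
    done
    # Directives that only need to be present: a login restriction and a banner.
    for key in AllowUsers Banner; do
        if [ -z "$(effective_value "$file" "$key")" ]; then
            echo "MISSING  $key"
            problems=$((problems + 1))
        fi
    done
    # Still listening on 22 means the port change in Step 3 was skipped.
    port=$(effective_value "$file" Port)
    if [ -z "$port" ] || [ "$port" = "22" ]; then
        echo "NOTICE   Port is still the default 22"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# On a live host, run the audit and then let sshd validate the syntax itself
# (sshd -t) before restarting, so a typo cannot lock you out:
# check_sshd_config /etc/ssh/sshd_config && sshd -t
```

Keep your current SSH session open while restarting and open a second session on the new port to verify access before closing the first.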


September 9, 2011 | Posted in: Security, SSH