UnixServerAdmin

Server Administration & Management

Hardening SSH Server

Security comes in layers: the more layers you add, the harder it is for an attacker to reach your server. One of the first things to harden is sshd, since it is usually the primary remote entry point to the machine.

Step 1: First create a regular user, since we are about to disable direct root login (without this account you would lock yourself out):

# useradd admin

# passwd admin

Step 2: Backup your current sshd_config

# cp /etc/ssh/sshd_config  /etc/ssh/sshd_config.bak

Step 3: Edit the sshd_config file

# vi /etc/ssh/sshd_config

————————————————
## Moving to a non-default port (e.g. 8875) is recommended: it cuts the noise from
## scanners and brute-forcers, but it is not a security control on its own. Open the
## new port in the firewall (and SELinux policy, if enforcing) before restarting sshd.
#Port 22
Port 8875
## Address to listen on; the default is all interfaces (0.0.0.0)
## ListenAddress 192.168.0.1
## Enforce SSH protocol 2 only (protocol 1 is cryptographically broken)
# Protocol 1,2
Protocol 2
## Disable direct root login. With "no" you log in as admin and then "su -" to root
#PermitRootLogin yes
PermitRootLogin no
## Handle the unauthenticated part of each connection in a separate unprivileged process
UsePrivilegeSeparation yes
## Disable TCP port forwarding through the server (re-enable only for users who need tunnels)
AllowTcpForwarding no
## Disable X11 forwarding
X11Forwarding no
## Refuse logins if the user's home directory or key/rhosts files are world-writable
StrictModes yes
## Ignore .rhosts and .shosts files during authentication
IgnoreRhosts yes
## Disable host-based authentication (trusting the client host instead of the user)
HostbasedAuthentication no
## Disable the old protocol 1 rhosts + RSA host-key authentication
RhostsRSAAuthentication no
## Show a banner to the client before authentication (see Step 4)
Banner /etc/motd
## Enable / disable the sftp subsystem (left commented out, sftp is disabled)
#Subsystem      sftp    /usr/libexec/openssh/sftp-server
## Only the users listed here may log in over SSH
AllowUsers admin
————————————————

Save the file.

Note: these directives match the OpenSSH releases current when this was written. OpenSSH 7.x and later dropped protocol 1 entirely, so Protocol and RhostsRSAAuthentication are no longer recognised, and UsePrivilegeSeparation is always on and has been removed; on those versions sshd logs a warning for them and they can simply be left out.

Step 4: Add text to the MOTD banner file (/etc/motd). Because /etc/motd is also printed after a successful login, the same text will appear twice; point Banner at a dedicated file (for example /etc/issue.net) if you want a separate pre-login notice.

# vi /etc/motd

Step 5: Restart the sshd daemon. Keep your current session open and, from a second terminal, confirm that you can log in on the new port as admin before closing it, so a typo in the config does not lock you out.

# service sshd restart
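Before restarting in Step 5 it is worth checking that the file actually contains the values you intended. The script below is an added example, not part of the original post: it reads an sshd_config the way sshd does (the first uncommented occurrence of a directive wins, and anything after a Match block is conditional, so parsing stops there), compares each directive against the hardened values from Step 3, and runs sshd's own syntax check when sshd is installed and you are root. It assumes the "Keyword value" form (not "Keyword=value") and that the expected values listed in audit_sshd_config are the policy you want; the sample configuration in demo is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config against the
# hardened values set in Step 3 before restarting sshd.
# Assumptions: directives use the "Keyword value" form, and the expected values
# in audit_sshd_config are the policy you want. Both are illustrative.

# effective_value FILE KEYWORD
# Prints the value sshd would use for KEYWORD: sshd takes the FIRST uncommented
# occurrence, and directives after a Match block only apply conditionally, so
# parsing stops there. Prints nothing when the keyword is unset.
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == key {
            v = $0
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]*/, "", v)
            sub(/[[:space:]]+$/, "", v)
            print v
            exit
        }' "$1"
}

# audit_sshd_config FILE
# Compares each directive with the hardened value (case-insensitively), reports
# mismatches and directives left at sshd's built-in default, and returns the
# number of failures (0 means the file matches the policy).
audit_sshd_config() {
    file=$1
    fails=0
    while read -r key expected; do
        [ -n "$key" ] || continue
        actual=$(effective_value "$file" "$key")
        lower_actual=$(printf '%s' "$actual" | tr 'A-Z' 'a-z')
        lower_expected=$(printf '%s' "$expected" | tr 'A-Z' 'a-z')
        if [ -z "$actual" ]; then
            echo "MISSING  $key (sshd default applies; set it explicitly)"
            fails=$((fails + 1))
        elif [ "$lower_actual" != "$lower_expected" ]; then
            echo "FAIL     $key = $actual (expected $expected)"
            fails=$((fails + 1))
        else
            echo "ok       $key = $actual"
        fi
    done <<EOF
Port 8875
Protocol 2
PermitRootLogin no
UsePrivilegeSeparation yes
AllowTcpForwarding no
X11Forwarding no
StrictModes yes
IgnoreRhosts yes
HostbasedAuthentication no
AllowUsers admin
EOF
    return $fails
}

# demo: constructed sample config (the post's settings, with the stock
# "#PermitRootLogin yes" still commented out and a trailing Match block).
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
Port 8875
Protocol 2
#PermitRootLogin yes
PermitRootLogin no
UsePrivilegeSeparation yes
AllowTcpForwarding no
X11Forwarding no
StrictModes yes
IgnoreRhosts yes
HostbasedAuthentication no
Banner /etc/motd
AllowUsers admin
Match User backup
    AllowTcpForwarding yes
EOF
    audit_sshd_config "$tmp"
    status=$?
    echo "policy failures: $status"
    # sshd's own syntax check needs the host keys, hence root.
    if [ "$(id -u)" = 0 ] && command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$tmp" && echo "sshd -t: syntax OK"
    fi
    rm -f "$tmp"
    return $status
}

demo
```

Run it as root against the real file with `audit_sshd_config /etc/ssh/sshd_config` after sourcing the script; a non-zero exit means at least one directive is missing or wrong. Treating an absent directive as a failure is deliberate: sshd's defaults have changed between releases (PermitRootLogin, for instance), so a hardening policy should state every value it relies on.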


September 9, 2011 - Posted in Security, SSH
