{Linux Tips} SSH Hardening Edition: Making SSH a Little More Secure 01-04-2015, 05:04 AM
Reposting because it was lost due to europol or something.
In a previous edition of Linux Tips, I went over the process of creating an SSH key pair and using that key to access your remote Linux system without the need for a password (see here for that tip https://www.sinister.ly/Thread-Linux-Tip...ree-Logins)
In this edition of Linux Tips, I want to expand on that information a little bit and actually harden SSH a bit. We'll look at the SSH server configuration file, look at the option to disable password authenticated logins, and maybe even look at how to disable root logins.
For starters, let's pull the SSH server configuration up. This is being demo'd on a CentOS machine, so your file location may vary by distribution.
The config file for SSH server is located at:
Code:
/etc/ssh/sshd_config
TAKE NOTE OF THE "d" in the file name! There are two very similarly named files in the /etc/ssh dir. One is ssh_config and the other is sshd_config. The sshd_config file is for the server (d is for daemon) and the ssh_config file is for the client.
The config file for sshd is actually commented fairly well, so once you're reading the file, a lot of the settings are explained. To disable password logins, we want to look at the following settings:
Code:
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes
Pretty self-explanatory: to disable password authentication, change "yes" to "no". Be careful not to break the system.
There's another section within the sshd_config that pertains to root logins:
Code:
# Authentication:
#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
Setting "PermitRootLogin" to (you know this!) "no" disables root's ability to log in via ssh at all!
Once you've made your setting changes you'll need to restart sshd. You can do that by simply running the following as root:
Code:
service sshd restart
There are several settings within the sshd_config file that can be tweaked, including the port that ssh listens on, the IP it binds to, X11Forwarding options, and more. Just be sure to restart sshd any time you make changes to the config file. Also, I recommend making a backup of the file BEFORE MAKING ANY CHANGES so that if something gets broken, you have a known-good copy to use to fix things.
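As an added example (my own script, not from the original post), here is the whole procedure above in POSIX shell for whatever sshd_config path you pass in: backup first, flip the two directives, run sshd's own config test, then the restart. The function names are mine; one thing it handles on purpose is that sshd honours the first uncommented occurrence of a keyword, so appending "PasswordAuthentication no" at the end of the file would not override the "PasswordAuthentication yes" already in there; the existing line has to be rewritten.

```shell
#!/bin/sh
# Added example, not from the original post. Applies the two changes above to the
# sshd_config path given as $1 (try it on a copy first), keeping a backup.
# Function names are my own; the directives and the restart command are the post's.

# Effective value of a directive. sshd honours the FIRST uncommented occurrence of
# a keyword, so a line appended at the end never overrides an earlier one.
sshd_effective() {   # usage: sshd_effective FILE KEYWORD
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Set KEYWORD to VALUE by rewriting every uncommented occurrence in place
# (commented "#Keyword" lines are left alone); append it if the file had none.
sshd_set() {   # usage: sshd_set FILE KEYWORD VALUE
    tmp="$1.tmp.$$"
    awk -v key="$2" -v val="$3" '
        tolower($1) == tolower(key) { print key " " val; found = 1; next }
        { print }
        END { if (!found) print key " " val }
    ' "$1" > "$tmp" && mv "$tmp" "$1"
}

# Backup first (the known-good copy), then the two hardening changes from the post.
harden_sshd() {   # usage: harden_sshd FILE
    cp -p "$1" "$1.bak.$(date +%Y%m%d%H%M%S)" || return 1
    sshd_set "$1" PasswordAuthentication no &&
    sshd_set "$1" PermitRootLogin no
}

# Only touch a real file when a path is given:  sh harden.sh /etc/ssh/sshd_config
if [ $# -eq 1 ]; then
    harden_sshd "$1" || exit 1
    # sshd -t parses the config without starting; refuse to restart on a bad file.
    sshd -t -f "$1" || { echo "config test failed; restore the .bak copy" >&2; exit 1; }
    service sshd restart
fi
```

Keep your current session open and confirm a fresh key-based login works before you close it; if the restart locked you out, the .bak copy is the rollback.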
I hope you enjoyed this info, thanks for all the supporters of the Linux Tips series, I plan to continue these as time allows.
---
Click here to get started with Linux!
If I helped you, please +rep me, apparently we've started over on Rep and I'd like to break 100 again...
Inori Wrote: got clickbaited by roger