Monday, September 26, 2011

Hardening/Securing SSHD (Secure SHell Daemon)

October 18, 2009 by  
Filed under cPanel, Direct Admin, General, Kloxo, Plesk, Webmin

Leave a Comment

A quick guide on how to secure your sshd. Hope it helps.

Step 1: First of all we need to make a regular user, since we are disabling direct root login:

adduser admin && passwd admin

Step 2: Backup your current sshd_config

mv /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

Step 3: Create a new sshd_config file

nano -w /etc/ssh/sshd_config

Step 3.1: Paste this code into the new file

## Change to other port is recommended, etc 2488
Port 22

## Sets listening address on server. default=

## Enforcing SSH Protocol 2 only
Protocol 2

## Disable direct root login, with no you need to login with admin user, then “su -” you into root
PermitRootLogin no

UsePrivilegeSeparation yes

AllowTcpForwarding no

## Disables X11Forwarding
X11Forwarding no

## Checks users on their home directority and rhosts, that they arent world-writable
StrictModes yes

## The option IgnoreRhosts specifies whether rhosts or shosts files should not be used in authentication
IgnoreRhosts yes

HostbasedAuthentication no

## RhostsAuthentication specifies whether sshd can try to use rhosts based authentication.
RhostsRSAAuthentication no

## Adds a login banner that the user can see
Banner /etc/motd

## Enable / Disable sftp server
#Subsystem      sftp    /usr/libexec/openssh/sftp-server

## Add users that are allowed to log in
AllowUsers admin

Control + X to save

Step 4: Verify settings in the sshd_config you created

nano -w /etc/ssh/sshd_config


Step 5.1: Add text to MOTD Banner file (/etc/motd)

nano -w /etc/motd

Step 5.2: Add this text, or something else of your choice

Private system, please log off.

Step 6: Restart the SSHD Daemon

service sshd restart

Step 7: Start a NEW client, and test that you can connect on new port. (DO NOT CLOSE CURRENT SSH CLIENT INCASE OF PROBLEMS)

GD Star Rating
a WordPress rating system
Digg This
Reddit This
Stumble Now!
Buzz This
Vote on DZone
Share on Facebook
Bookmark this on Delicious
Kick It on
Shout it
Share on LinkedIn
Bookmark this on Technorati
Post on Twitter
Google Buzz (aka. Google Reader)

Related posts:

  1. Secure and Optimize your Virtual Private Server (VPS)
  2. DoS Protection via APF, BFD, DDOS and RootKit
  3. Enabling passive ftp in Pure-FTPd
  4. Configuring your Firewall for Webmin
  5. MySQL database import-export from Shell

Speak Your Mind

Tell us what you're thinking...
and oh, if you want a pic to show with your comment, go get a gravatar!
Click here to cancel reply.