Monday, September 26, 2011

Hardening/Securing SSHD (Secure SHell Daemon)

October 18, 2009 by  
Filed under cPanel, Direct Admin, General, Kloxo, Plesk, Webmin


A quick guide on how to secure your sshd. Hope it helps.

Step 1: First of all we need to make a regular user, since we are disabling direct root login:

adduser admin && passwd admin

Step 2: Back up your current sshd_config

mv /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

Step 3: Create a new sshd_config file

nano -w /etc/ssh/sshd_config

Step 3.1: Paste this code into the new file

## Changing to another port is recommended, e.g. 2488
Port 22

## Sets listening address on server. default=0.0.0.0
#ListenAddress 192.168.0.1

## Enforcing SSH Protocol 2 only
Protocol 2

## Disable direct root login. With "no" you need to log in as the admin user, then "su -" to become root
PermitRootLogin no

## Run the pre-authentication network code in an unprivileged child process
UsePrivilegeSeparation yes

## Disables TCP port forwarding
AllowTcpForwarding no

## Disables X11Forwarding
X11Forwarding no

## Checks that users' home directories and rhosts files aren't world-writable
StrictModes yes

## The option IgnoreRhosts specifies whether rhosts or shosts files should not be used in authentication
IgnoreRhosts yes

## Disables host-based authentication
HostbasedAuthentication no

## RhostsRSAAuthentication specifies whether sshd can try rhosts-based authentication combined with RSA host authentication.
RhostsRSAAuthentication no

## Adds a login banner that the user can see
Banner /etc/motd

## Enable / Disable sftp server
#Subsystem      sftp    /usr/libexec/openssh/sftp-server

## Add users that are allowed to log in
AllowUsers admin

Control + X to save

Step 4: Verify settings in the sshd_config you created

nano -w /etc/ssh/sshd_config

REMEMBER YOU SHOULD CHANGE THE PORT TO SOMETHING ELSE. ( Example Port 2488 )

Step 5.1: Add text to MOTD Banner file (/etc/motd)

nano -w /etc/motd

Step 5.2: Add this text, or something else of your choice

Private system, please log off.

Step 6: Restart the SSHD Daemon

service sshd restart

Step 7: Start a NEW client and test that you can connect on the new port. (DO NOT CLOSE THE CURRENT SSH CLIENT IN CASE OF PROBLEMS)
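
The check in Step 4 is done by eye; the script below is an added example (not part of the original post) that audits a config file for the Step 3.1 settings and confirms the Step 1 user is in AllowUsers, so that disabling root login does not lock you out. The function names and the sample file are constructed for illustration, and it assumes every directive must be set explicitly rather than left to its default.

```sh
#!/bin/sh
# Added example: audit an sshd_config against the settings chosen in this guide.

# Print the effective value of KEYWORD in FILE. sshd keywords are
# case-insensitive and the first occurrence of a keyword wins.
sshd_value() {
    awk -v want="$2" '
        $1 ~ /^#/ || NF < 2 { next }      # comments, blanks, bare keywords
        tolower($1) == tolower(want) { $1 = ""; sub(/^ +/, ""); print; exit }
    ' "$1"
}

# Return 0 only if every directive is set explicitly to the guide's value and
# USER (default: admin, the account from Step 1) is listed in AllowUsers.
audit_sshd_config() {
    file=$1; user=${2:-admin}; AUDIT_FAILS=0
    while read -r key want; do
        got=$(sshd_value "$file" "$key" | tr 'A-Z' 'a-z')
        [ "$got" = "$want" ] && continue
        echo "FAIL $key: want '$want', got '${got:-<not set>}'"
        AUDIT_FAILS=$((AUDIT_FAILS + 1))
    done <<EOF
Protocol 2
PermitRootLogin no
X11Forwarding no
AllowTcpForwarding no
StrictModes yes
IgnoreRhosts yes
HostbasedAuthentication no
EOF
    # Plain user names only; user@host patterns are not handled here.
    case " $(sshd_value "$file" AllowUsers) " in
        *" $user "*) ;;
        *) echo "FAIL AllowUsers: '$user' is not listed"
           AUDIT_FAILS=$((AUDIT_FAILS + 1)) ;;
    esac
    port=$(sshd_value "$file" Port)       # an unset Port means the default, 22
    [ "${port:-22}" != 22 ] || echo "WARN Port is still 22"
    [ "$AUDIT_FAILS" -eq 0 ]
}

# Constructed sample: a duplicate keyword (only the first counts) and an
# AllowUsers line that leaves out the admin user.
sample=$(mktemp)
printf '%s\n' 'Port 22' 'Protocol 2' 'permitrootlogin yes' \
    'PermitRootLogin no' 'AllowUsers deploy' >"$sample"
audit_sshd_config "$sample" admin || echo "fix the config before restarting sshd"
rm -f "$sample"
```

Point audit_sshd_config at /etc/ssh/sshd_config before the restart in Step 6; running sshd -t as root additionally checks the file for syntax errors.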
