Hardening/Securing SSHD (Secure SHell Daemon)

A quick guide on how to secure your sshd. Hope it helps.

Step 1: First of all we need to make a regular user, since we are disabling direct root login:

adduser admin && passwd admin

Step 2: Backup your current sshd_config

mv /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

Step 3: Create a new sshd_config file

nano -w /etc/ssh/sshd_config

Step 3.1: Paste this code into the new file

## Change to other port is recommended, etc 2488
Port 22

## Sets listening address on server. default=0.0.0.0
#ListenAddress 192.168.0.1

## Enforcing SSH Protocol 2 only
Protocol 2

## Disable direct root login, with no you need to login with admin user, then “su -” you into root
PermitRootLogin no

##
UsePrivilegeSeparation yes

##
AllowTcpForwarding no

## Disables X11Forwarding
X11Forwarding no

## Checks users on their home directority and rhosts, that they arent world-writable
StrictModes yes

## The option IgnoreRhosts specifies whether rhosts or shosts files should not be used in authentication
IgnoreRhosts yes

##
HostbasedAuthentication no

## RhostsAuthentication specifies whether sshd can try to use rhosts based authentication.
RhostsRSAAuthentication no

## Adds a login banner that the user can see
Banner /etc/motd

## Enable / Disable sftp server
#Subsystem      sftp    /usr/libexec/openssh/sftp-server

## Add users that are allowed to log in
AllowUsers admin

Control + X to save

Step 4: Verify settings in the sshd_config you created

nano -w /etc/ssh/sshd_config

REMEMBER YOU SHOULD CHANGE THE PORT TO SOMETHING ELSE. ( Example Port 2488 )

Step 5.1: Add text to MOTD Banner file (/etc/motd)

nano -w /etc/motd

Step 5.2: Add this text, or something else of your choice

Private system, please log off.

Step 6: Restart the SSHD Daemon

service sshd restart

Step 7: Start a NEW client, and test that you can connect on new port. (DO NOT CLOSE CURRENT SSH CLIENT INCASE OF PROBLEMS)