Hardening/Securing SSHD (Secure SHell Daemon)
A quick guide on how to secure your sshd. Hope it helps.
Step 1: First of all we need to make a regular user, since we are disabling direct root login:
adduser admin && passwd admin
Step 2: Back up your current sshd_config
mv /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
Step 3: Create a new sshd_config file
nano -w /etc/ssh/sshd_config
Step 3.1: Paste this code into the new file
## Changing to another port is recommended, e.g. 2488
Port 22
## Sets the listening address on the server. default=0.0.0.0
#ListenAddress 192.168.0.1
## Enforce SSH Protocol 2 only
Protocol 2
## Disable direct root login; with "no" you need to log in with the admin user, then "su -" into root
PermitRootLogin no
## Run the pre-authentication network code in an unprivileged child process
UsePrivilegeSeparation yes
## Disables TCP port forwarding
AllowTcpForwarding no
## Disables X11Forwarding
X11Forwarding no
## Checks that users' home directories and rhosts files aren't world-writable
StrictModes yes
## The option IgnoreRhosts specifies whether rhosts or shosts files should not be used in authentication
IgnoreRhosts yes
## Disables host-based authentication
HostbasedAuthentication no
## RhostsAuthentication specifies whether sshd can try to use rhosts based authentication.
RhostsRSAAuthentication no
## Adds a login banner that the user can see
Banner /etc/motd
## Enable / Disable sftp server
#Subsystem sftp /usr/libexec/openssh/sftp-server
## Add users that are allowed to log in
AllowUsers admin
Control + X to save
Step 4: Verify settings in the sshd_config you created
nano -w /etc/ssh/sshd_config
REMEMBER YOU SHOULD CHANGE THE PORT TO SOMETHING ELSE. ( Example Port 2488 )
Step 5.1: Add text to MOTD Banner file (/etc/motd)
nano -w /etc/motd
Step 5.2: Add this text, or something else of your choice
Private system, please log off.
Step 6: Restart the SSHD Daemon
service sshd restart
Step 7: Start a NEW client, and test that you can connect on the new port. (DO NOT CLOSE THE CURRENT SSH CLIENT IN CASE OF PROBLEMS)
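The check in Step 4 can be scripted so that a duplicated or misplaced directive is caught before the restart in Step 6. The Python below is an added example, not part of the original post; the names EXPECTED, SAMPLE, parse_global and audit are made up for it, and the sample config is constructed.

```python
# Added example (not from the original post): audit sshd_config text against this guide.
# Assumes the whitespace-separated "Keyword value" form the guide uses.
EXPECTED = {  # lowercased keyword -> value the guide's config sets
    "protocol": "2", "permitrootlogin": "no", "allowtcpforwarding": "no",
    "x11forwarding": "no", "strictmodes": "yes", "ignorerhosts": "yes",
    "hostbasedauthentication": "no",
}

# Constructed sample: PermitRootLogin appears twice, forwarding is only set under Match.
SAMPLE = """\
Port 22
PermitRootLogin yes
PermitRootLogin no
X11Forwarding no
Match User admin
    AllowTcpForwarding no
"""

def parse_global(text):
    """Collect global directives as {keyword: [argument lists in file order]}."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment (includes commented-out directives)
        keyword, *args = line.split()
        if keyword.lower() == "match":
            break  # everything after a Match line is conditional, not global
        seen.setdefault(keyword.lower(), []).append(args)
    return seen

def audit(text):
    """Return a list of findings; an empty list means the file matches the guide."""
    seen = parse_global(text)
    findings = []
    for key, want in EXPECTED.items():
        if key not in seen:
            findings.append(f"{key}: not set, sshd falls back to its built-in default")
        elif seen[key][0] != [want]:
            # sshd uses the first value it reads for a keyword; later lines are ignored
            findings.append(f"{key}: effective value {' '.join(seen[key][0])!r}, guide sets {want!r}")
    ports = [a[0] for a in seen.get("port", []) if a] or ["22"]  # 22 is the default
    if "22" in ports:
        findings.append("port: still listening on 22, guide says to change it")
    if not seen.get("allowusers"):
        findings.append("allowusers: not set, login is not restricted to named users")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Run it with the contents of /etc/ssh/sshd_config passed to audit() in place of SAMPLE; an empty result means every setting from Step 3.1 is in effect at the global level.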