The SSH server configuration file is /etc/ssh/sshd_config. You need to
restart the SSH service after every change you make to that file for the
changes to take effect.
*Change SSH listening port*
By default, SSH listens for connections on port 22. Attackers use port
scanner software to see whether hosts are running an SSH service. It's
wise to change the SSH port to a number higher than 1024 because most
port scanners (including nmap) by default don't scan high ports.
Open the /etc/ssh/sshd_config file and look for the line that says:
Port 22
Change the port number and restart the SSH service:
/etc/init.d/ssh restart
*Allow only SSH protocol 2*
There are two versions of the SSH protocol. Using SSH protocol 2 only is
much more secure; SSH protocol 1 is subject to security issues including
man-in-the-middle and insertion attacks. Edit /etc/ssh/sshd_config and
look for the line that says:
Protocol 2,1
Change the line so it reads Protocol 2, then restart the SSH service.
*Allow only specific users to log in via SSH*
You should not permit root logins via SSH, because this is a large and
unnecessary security risk: an attacker who obtains a root login to your
system can do far more damage than one who obtains a normal user login.
Configure the SSH server so that the root user is not allowed to log in.
Find the line that says:
PermitRootLogin yes
Change yes to no and restart the service. You can then log in with any
other defined user and switch to user root if you want to become a
superuser.
It is wise to create a dummy local user with no rights on the system and
use that user to log in via SSH. That way no harm can be done if the
account is compromised. When creating this user, make sure it is in the
wheel group, so that you can switch to superuser.
If you would like to have a list of users who are the only ones able to
log in via SSH, you can specify them in the sshd_config file. For
example, let's say I want to allow users anze, dasa, and kimy to log in
via SSH. At the end of sshd_config file I would add a line like this:
AllowUsers anze dasa kimy
*Create a custom SSH banner*
If you would like any user who connects to your SSH service to see a
specific message, you can create a custom SSH banner. Simply create a
text file (in my example in /etc/ssh-banner.txt) and put any kind of
text message in it; for example:
*****************************************************************
*This is a private SSH service. You are not supposed to be here.*
*Please leave immediately.                                      *
*****************************************************************
When done editing, save the file. In /etc/ssh/sshd_config, find the line
that says:
#Banner /etc/issue.net
Uncomment the line and change the path to your custom SSH banner text file.
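The five changes above are easy to lose track of across reboots and package upgrades, so here is a POSIX shell audit that reads an sshd_config and reports which settings are still at their risky value. This is an added example, not code from the original post. The directive names (Port, Protocol, PermitRootLogin, AllowUsers, Banner) are real sshd_config keywords; the two sample configuration files are constructed for the demonstration and written under $TMPDIR, and the port 2222 and user names are taken from the post only as illustration.

```shell
#!/bin/sh
# Audit an sshd_config file against the hardening steps described above.
# Added example, not from the original post. The sample configs written
# below are constructed for the demonstration.

# Print the value of every uncommented "Keyword value" line for a directive.
# sshd keywords are case-insensitive. For most directives the first match
# wins, but every Port line adds a listening port, so all matches are listed.
sshd_values() {
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[ \t]*#/ { next }
    NF >= 2 && tolower($1) == key { $1 = ""; sub(/^[ \t]+/, ""); print }
  ' "$1"
}

# Print PASS/FAIL for one check; $2 is 1 for pass, 0 for fail.
report() {
  if [ "$2" -eq 1 ]; then echo "PASS: $1"; else echo "FAIL: $1"; fi
}

# Audit one file. Prints one line per check and returns the number of
# failed checks (0 means the file matches every recommendation above).
audit_sshd_config() {
  cfg="$1"; fails=0

  # 1. Every listening port must be above 1024. No Port line at all means
  #    the compiled-in default, which is 22.
  ok=1
  ports=$(sshd_values "$cfg" Port)
  [ -n "$ports" ] || ok=0
  for p in $ports; do
    case "$p" in
      *[!0-9]*) ok=0 ;;
      *) [ "$p" -gt 1024 ] || ok=0 ;;
    esac
  done
  report "Port above 1024" "$ok"; fails=$((fails + 1 - ok))

  # 2. If a Protocol line is present it must be exactly "2". Releases that
  #    still support protocol 1 need it set explicitly; current OpenSSH only
  #    speaks protocol 2 and ignores the directive, so an absent line passes.
  ok=1
  proto=$(sshd_values "$cfg" Protocol | head -n 1)
  [ -z "$proto" ] || [ "$proto" = "2" ] || ok=0
  report "Protocol 2 only" "$ok"; fails=$((fails + 1 - ok))

  # 3. PermitRootLogin must be an explicit "no".
  ok=1
  root=$(sshd_values "$cfg" PermitRootLogin | head -n 1 | tr 'A-Z' 'a-z')
  [ "$root" = "no" ] || ok=0
  report "PermitRootLogin no" "$ok"; fails=$((fails + 1 - ok))

  # 4. AllowUsers must name at least one account.
  ok=1
  [ -n "$(sshd_values "$cfg" AllowUsers)" ] || ok=0
  report "AllowUsers restricts logins" "$ok"; fails=$((fails + 1 - ok))

  # 5. Banner must point at a file ("none" disables the banner).
  ok=1
  banner=$(sshd_values "$cfg" Banner | head -n 1)
  [ -n "$banner" ] && [ "$banner" != "none" ] || ok=0
  report "Banner configured" "$ok"; fails=$((fails + 1 - ok))

  return "$fails"
}

# Two constructed sample files: a stock-looking config like the one the
# post starts from, and one with every recommended change applied.
tmp="${TMPDIR:-/tmp}/sshd_audit_$$"
mkdir -p "$tmp"
STOCK_CFG="$tmp/sshd_config.stock"
HARDENED_CFG="$tmp/sshd_config.hardened"
printf '%s\n' 'Port 22' 'Protocol 2,1' 'PermitRootLogin yes' \
  '#Banner /etc/issue.net' > "$STOCK_CFG"
printf '%s\n' '# hardened per the steps above' 'Port 2222' 'Protocol 2' \
  'PermitRootLogin no' 'AllowUsers anze dasa kimy' \
  'Banner /etc/ssh-banner.txt' > "$HARDENED_CFG"

echo "== stock =="
audit_sshd_config "$STOCK_CFG" && rc=0 || rc=$?
echo "failures: $rc"
echo "== hardened =="
audit_sshd_config "$HARDENED_CFG" && rc=0 || rc=$?
echo "failures: $rc"
```

To check a live host, call audit_sshd_config /etc/ssh/sshd_config. Before restarting the service after an edit, sshd -t parses the file and reports syntax errors without starting a daemon, and keeping your current session open until a fresh login on the new port succeeds avoids locking yourself out when the Port or AllowUsers line is wrong.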