Disable Root Access
You'll need to edit the /etc/ssh/sshd_config file using your favorite editor. Once gedit or kate opens, scroll down until you see the following section:

LoginGraceTime 120
PermitRootLogin yes
StrictModes yes

Modify PermitRootLogin as shown below:

PermitRootLogin no

This will disable root's access to log on via SSH. Save the file and exit gedit.
Now you'll need to restart the sshd service from a Terminal window using the following command:

/etc/init.d/sshd restart

After restarting SSH, try to connect using the root account. Access should be disallowed, and you should only be able to log on with your user account. Once you have logged in, you can access the root account with the su command.
Decrease SSH Login Grace Time
Another security option you may want to consider is lowering the LoginGraceTime parameter to about 30 seconds:

LoginGraceTime 30

The login grace time is the period during which a user may be connected but has not yet begun the authentication process. By default, sshd will allow a connected user to wait 120 seconds (2 minutes) before starting to authenticate.
By shortening this time, you reduce the window an attacker has to hold connections open, and so decrease the chances of a brute force attack against your SSH server being successful.
Allow Certain Users SSH Access
By default, SSH will permit every user with an account to log in over SSH. To prevent this, you can use the AllowUsers directive to grant access only to certain users.
To do this, add the following line in your sshd configuration file under the Authentication section:

AllowUsers usera userb

This will allow only the users usera and userb to log in via SSH.
After making the above changes, save the file sshd_config. For the changes to take effect immediately, don't forget to restart SSH by running the following command from a Terminal window:

/etc/init.d/sshd restart
By making these simple changes to your SSH configuration, it will allow you to increase security by opening up access to your computer for authorized users…and closing the door on hackers.
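As an added example that is not part of the original post, here is a small shell audit that reads an sshd_config file and reports whether the three settings covered above (PermitRootLogin, LoginGraceTime and AllowUsers) are in place. The sample configuration it builds is constructed for the demonstration, and the function names sshd_setting and audit_sshd_config are my own, not part of OpenSSH.

```shell
#!/bin/sh
# Added example, not code from the original post: audit an sshd_config for the
# three settings discussed above (PermitRootLogin, LoginGraceTime, AllowUsers).
# All file contents below are constructed for the demonstration; point the
# audit at /etc/ssh/sshd_config to check a real host.

# Print the global value of one directive (case-insensitive keyword, as sshd
# treats it). Like sshd, the first match wins, and lines after a "Match" block
# are conditional, so the scan stops there. Only the "Keyword value" form is
# handled, not "Keyword=value".
sshd_setting() {
    awk -v key="$2" '
        /^[[:space:]]*#/        { next }       # comment line
        tolower($1) == "match"  { exit }       # end of the global section
        tolower($1) == tolower(key) {
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "")   # drop the keyword
            sub(/[[:space:]]+$/, "")                            # drop trailing blanks
            print; exit
        }
    ' "$1"
}

# Report weak settings; returns 0 only when all three checks pass.
audit_sshd_config() {
    cfg="$1"
    status=0

    root=$(sshd_setting "$cfg" PermitRootLogin | tr 'A-Z' 'a-z')
    if [ "$root" != "no" ]; then
        echo "WEAK: PermitRootLogin is '${root:-<unset>}', expected 'no'"
        status=1
    fi

    # LoginGraceTime accepts plain seconds or a unit suffix such as 2m or 30s.
    # An absent line means the sshd default of 120 seconds, and a value of 0
    # removes the limit altogether, which is worse than the default.
    grace=$(sshd_setting "$cfg" LoginGraceTime)
    num=${grace%[ms]}
    case "$num" in ''|*[!0-9]*) num='' ;; esac
    if [ -z "$grace" ]; then
        grace_secs=120
    elif [ -z "$num" ]; then
        grace_secs=''
    else
        case "$grace" in *m) grace_secs=$((num * 60)) ;; *) grace_secs=$num ;; esac
    fi
    if [ -z "$grace_secs" ]; then
        echo "WEAK: LoginGraceTime value '$grace' is not understood by this audit"
        status=1
    elif [ "$grace_secs" -eq 0 ] || [ "$grace_secs" -gt 30 ]; then
        echo "WEAK: LoginGraceTime is ${grace_secs}s, expected 1-30s (0 disables the limit)"
        status=1
    fi

    users=$(sshd_setting "$cfg" AllowUsers)
    if [ -z "$users" ]; then
        echo "WEAK: no AllowUsers line, so every account may log in over SSH"
        status=1
    else
        echo "INFO: AllowUsers restricts SSH to: $users"
    fi

    [ "$status" -eq 0 ] && echo "OK: $cfg passes all three checks"
    return "$status"
}

# Demonstration on a constructed "before" config like the one quoted in the post.
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
EOF
audit_sshd_config "$demo_cfg" || echo "demo config needs hardening (audit exit status $?)"
rm -f "$demo_cfg"
```

Run it against /etc/ssh/sshd_config before restarting the service. The audit only reads the file, so a syntax check with sshd -t is still worth doing before the restart: a malformed sshd_config stops sshd from starting, and with it every SSH login.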
4 comments:
Something that may not be recommended but is helpful nonetheless is letting SSH listen on a port other than 22. There are already many script kiddies around that at the very least spam your ssh log. Using another port >1024 will stop at least the most basic attacks.
Note that you can also specify an IP or even some portion, i.e. a subnet: http://sunoano.name/ws/public_xhtml/ssh.html#allow_users_groups
It's nonsense to use a login/password scheme with ssh; it's much more secure to use keys.
nice info