
How To Secure your SSH Server

One security tweak worth considering is on the OpenSSH server. On older OpenSSH releases, direct login as root over SSH is permitted by default (PermitRootLogin yes; since OpenSSH 7.0 the default is prohibit-password, which still lets root log in with a key), which hands attackers a well-known account name to brute-force. Instead, you can easily stop root from logging in to your SSH server at all.

Disable Root Access
You'll need to edit the /etc/ssh/sshd_config file as root using your favourite editor, for example gedit or kate.

Once the editor opens, scroll down until you see the following section…
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
Modify PermitRootLogin as shown below:
PermitRootLogin no
This will disable root's access to log on via SSH. Note that sshd honours the first active occurrence of a directive, so make sure no earlier PermitRootLogin line is left in the file. Save the file and exit the editor.

Now you'll need to restart the sshd service from a Terminal window using the following command: /etc/init.d/sshd restart (on Debian and Ubuntu the init script is called ssh; on systemd hosts use systemctl restart sshd or systemctl restart ssh). Run sshd -t first to check the file for syntax errors, and keep your current session open until you have confirmed that a fresh login still works: a mistake in sshd_config can lock you out of the machine.

After restarting SSH, try to connect using the root account. Access should be refused, and you should only be able to log on with your user account. Once you are logged in, you can reach the root account with the su command (or sudo, where it is configured).

Decrease SSH Login Grace Time
Another security option worth considering is lowering the LoginGraceTime parameter to about 30 seconds.
LoginGraceTime 30
The login grace time is the period a client may stay connected without completing authentication. By default, sshd drops the connection if the client has not authenticated within 120 seconds (2 minutes).

Shortening this time does not stop a brute-force attack by itself, since every password guess arrives on a fresh connection; rate limiting at the firewall, a low MaxAuthTries, or a tool such as fail2ban is what actually slows guessing. What it does do is free the limited unauthenticated-connection slots (MaxStartups) sooner, so an attacker who opens connections and leaves them idle cannot as easily starve legitimate users of a login.

Allow Certain Users SSH Access
By default, SSH permits every user with an account on the system to log in. To restrict this, use the AllowUsers directive to list only the users who need access.

To do this, add the following line to your sshd configuration file under the Authentication section.
AllowUsers usera userb
This will allow only usera and userb to log in via SSH; everyone else is refused even with a valid password or key, so include your own account before you restart. Entries may also take the form user@host, and AllowGroups does the same for groups; see the sshd_config manual page for the pattern syntax.

After making the above changes, save the file sshd_config. For the changes to take effect, don't forget to restart SSH by running the following command from a Terminal window: /etc/init.d/sshd restart (or the equivalent service command for your distribution, as noted above). Existing sessions are not affected by the restart, so check a new login from a second window before closing the one you are working in.
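As an added example, not code from the original post, the following POSIX shell script applies the three changes above (PermitRootLogin no, LoginGraceTime 30, AllowUsers) to an sshd_config file without hand-editing, then reads the values back the way sshd resolves them: first active global occurrence wins, comments are ignored, and anything inside a Match block is conditional and left alone. The sample config it writes is constructed for the demo, and the function names and the users usera/userb are my own choices. It assumes only sh and awk.

```shell
#!/bin/sh
# Added example, not code from the original post: apply PermitRootLogin no,
# LoginGraceTime 30 and AllowUsers to an sshd_config idempotently and read
# the effective values back. Assumes only POSIX sh and awk.
set -eu

# set_directive FILE KEY VALUE
# Rewrite the first global occurrence of KEY (active or commented out; sshd
# keywords are case-insensitive) to "KEY VALUE", drop later global duplicates
# (sshd honours only the first), and leave lines inside Match blocks alone.
# If KEY never appears globally, insert it before the first Match block,
# because global directives must precede Match.
set_directive() {
    file=$1; key=$2; value=$3
    tmp="$file.tmp.$$"
    awk -v key="$key" -v value="$value" '
        BEGIN { done = 0; in_match = 0 }
        {
            commented = ($0 ~ /^[ \t]*#/)
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)        # strip blanks and a comment marker
            split(line, parts, /[ \t=]+/)
            kw = tolower(parts[1])
            if (kw == "match" && !commented && !in_match) {
                in_match = 1
                if (!done) { print key " " value; done = 1 }
            }
            if (!in_match && kw == tolower(key)) {
                if (!done) { print key " " value; done = 1 }
                next                                  # drop the old line
            }
            print
        }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_directive FILE KEY
# Print the effective global value of KEY: first active match wins, comments
# and blank lines are skipped, and scanning stops at the first Match block.
get_directive() {
    awk -v key="$2" '
        { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
        /^(#|$)/ { next }
        {
            split($0, parts, /[ \t=]+/)
            kw = tolower(parts[1])
            if (kw == "match") exit
            if (kw == tolower(key)) {
                val = $0
                sub(/^[^ \t=]+[ \t=]+/, "", val)      # drop the keyword itself
                print val
                exit
            }
        }
    ' "$1"
}

# harden_sshd_config FILE [USER...]: the three changes from the post.
harden_sshd_config() {
    cfg=$1; shift
    set_directive "$cfg" PermitRootLogin no
    set_directive "$cfg" LoginGraceTime 30
    if [ $# -gt 0 ]; then
        set_directive "$cfg" AllowUsers "$*"        # once present, all other users are refused
    fi
}

# validate_sshd_config FILE: syntax-check with sshd -t (needs root to read
# host keys) before restarting, while a working session is still open.
validate_sshd_config() {
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$1"
    else
        echo "sshd not installed here; skipping syntax check" >&2
    fi
}

# Constructed sample config modelled on the lines quoted in the post, plus a
# Match block that must survive untouched.
write_sample_config() {
    cat > "$1" <<'EOF'
Port 22
LoginGraceTime 120
#PermitRootLogin prohibit-password
PermitRootLogin yes
StrictModes yes

Match Address 10.0.0.0/8
    PermitRootLogin prohibit-password
EOF
}

cfg=$(mktemp)
write_sample_config "$cfg"
harden_sshd_config "$cfg" usera userb
harden_sshd_config "$cfg" usera userb     # second run changes nothing (idempotent)
printf 'PermitRootLogin: %s\n' "$(get_directive "$cfg" PermitRootLogin)"   # no
printf 'LoginGraceTime: %s\n'  "$(get_directive "$cfg" LoginGraceTime)"    # 30
printf 'AllowUsers: %s\n'      "$(get_directive "$cfg" AllowUsers)"        # usera userb
cat "$cfg"
rm -f "$cfg"
```

Against a real host, back up /etc/ssh/sshd_config, run harden_sshd_config on it as root with your own account in the user list, call validate_sshd_config, then restart the service; sshd -T prints the effective configuration if you want to confirm what the daemon will actually use.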

By making these simple changes to your SSH configuration, you keep access to your computer open for authorized users and close the door on opportunistic attackers.


4 comments:

Anonymous said...

Something that may not be recommended but is helpful nonetheless is letting SSH listen on another port than 22. There are already many script kiddies around that at the very least spam your ssh log. Using another port >1024 will stop at least the most basic attacks.

Anonymous said...

Note that you can also specify an IP or even some portion, i.e. a subnet: http://sunoano.name/ws/public_xhtml/ssh.html#allow_users_groups

Debianero Rumbero said...

It's nonsense to use a login/password scheme with ssh; it's much more secure to use keys.

