[How To] Securing SSH Connection

[How To] Securing SSH Connection

Posted by on Sep 16, 2011 in Manuals, HOWTOs, Network, Security | 0 comments


This how to helps you to create secure connection via ssh between your unix and linux systems. All examples written for RedHat based systems. Also we assume that you already have installed openssh server and running, if not do this steps:

small http://tinyurl.com/t0inpay

Configuration files

SSH configuration file

/etc/ssh/sshd_config

Access control tcpwrapper configuration files

/etc/hosts.allow
/etc/hosts.deny

denyhosts configuration file

/etc/denyhosts.conf

Install open-ssh server

Installing (Fedora)

yum install openssh-server

Running

/etc/init.d/sshd start

Securing SSH

  1. Choose a strong password

    Don’t make it easy for hackers to guess your password.

    You can use password generator to generate strong passwords

  2. Install “DenyHosts” to auto-block bad clients

    Installing the “denyhosts” server which watches the /var/log/secure logfile for invalid ssh login attempts, and if a configurable threshold is crossed, they are automatically blocked by being added to /etc/hosts.deny. Install denyhosts, and optionally edit the good default configuration in /etc/denyhosts.conf:

    You can install denyhosts by this steps

    yum install denyhosts
chkconfig denyhosts on
/etc/init.d/denyhosts start

  3. Change the default port

    Most cracking attempts on your ssh server come from automated scripts that use port 22. For changing default 22 port edit /etc/ssh/sshd_config file 

    vim /etc/ssh/sshd_config

    and change the line which reads “Port 22″ to any other unused port (ex. 2223).

    #Port 22
Port 2223

  4. Disable Protocol 1 which is insecure and allow Protocol 2

    #Protocol 2,1
Protocol 2

  5. Disable root login

    #PermitRootLogin yes
PermitRootLogin no

  6. Allow only specific users to login

    For example, to allow only the users “john”, “Jack” and users atarting “ge” to login, add the this line to sshd_config:

    AllowUsers john jack ge*

  7. Allow only specific IP addresses to connect

    Allow only users from certain IP addresses to connect. Before allowing specific IPs, the default policy must first be set to DENY to be effective. edit /etc/hosts.deny and add the following line:

    sshd: ALL

    Add to /etc/hosts.allow the network you want to allow. For example, add the following to /etc/hosts.allow:

    sshd: 192.168.2.0/255.255.255.0
sshd: 10.0.10.0/255.0.0.0
sshd: 141.32.69.102

  8. Allow only users with keys to connect; no passwords allowed

    in sshd_config change

    PasswordAuthentication no

    Bind the ssh server to a specific network interface – Edit sshd_config:

    ListenAddress 192.168.2.12

  9. Reduce the number of attempts to enter the password.

    in sshd_config change 

    MaxAuthTries

[Related posts]

[Manual] Creating Transparent Proxy With squid and IPTables
For creating transparent proxy we need edit squid.conf and add iptables rules. Edit /etc/squid.conf file with your favorite editor, example vi vi /etc/squid.conf Add or...
File Server With Samba and FTP in FreeBSD
This manual describes how to create file server, where users from can access their files with samba client and FTP server, (from windows too). In...

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>