[How To] Securing SSH Connections

This how-to helps you set up secure SSH connections between your Unix and Linux systems. All examples are written for RedHat-based systems. We also assume that the OpenSSH server is already installed and running; if not, follow the installation steps below.

Configuration files

SSH configuration file

/etc/ssh/sshd_config

TCP Wrappers access control configuration files

/etc/hosts.allow
/etc/hosts.deny

DenyHosts configuration file

/etc/denyhosts.conf

Install OpenSSH server

Installing (Fedora)

yum install openssh-server

Running

/etc/init.d/sshd start

Securing SSH

  1. Choose a strong password

    Don’t make it easy for attackers to guess your password.

    You can use a password generator to create long, random passwords.

  2. Install “DenyHosts” to auto-block bad clients

    DenyHosts watches the /var/log/secure log file for invalid SSH login attempts and, once a configurable threshold is crossed, blocks the offending client automatically by adding it to /etc/hosts.deny. Install it and optionally adjust the sensible defaults in /etc/denyhosts.conf:

    yum install denyhosts
    chkconfig denyhosts on
    /etc/init.d/denyhosts start
  3. Change the default port

    Most cracking attempts against your SSH server come from automated scripts that target port 22. To change the default port, edit /etc/ssh/sshd_config:

    vim /etc/ssh/sshd_config

    and change the line which reads “Port 22” to any other unused port (e.g. 2223):

    #Port 22
    Port 2223

    This does not stop a targeted attacker (a port scan finds the new port in seconds); it only cuts the noise from scripts that try port 22. On RedHat systems with SELinux enforcing, the new port must also be labelled ssh_port_t (with semanage), otherwise sshd is not allowed to bind to it and fails to start.
  4. Disable Protocol 1, which is insecure, and allow only Protocol 2

    #Protocol 2,1
    Protocol 2

    OpenSSH 7.4 and later no longer contain server support for protocol 1, so this step is only needed on older installations.
  5. Disable root login

    #PermitRootLogin yes
    PermitRootLogin no
  6. Allow only specific users to log in

    For example, to allow only the users “john” and “jack” and all users whose names start with “ge” to log in, add this line to sshd_config (user names are case-sensitive):

    AllowUsers john jack ge*
  7. Allow only specific IP addresses to connect

    To allow connections only from certain IP addresses, the default TCP Wrappers policy must first be set to deny; otherwise the allow list has no effect. Edit /etc/hosts.deny and add the following line:

    sshd: ALL

    Then add the networks and hosts you want to allow to /etc/hosts.allow. For example:

    sshd: 192.168.2.0/255.255.255.0
    sshd: 10.0.10.0/255.255.255.0
    sshd: 141.32.69.102

    The mask must match the network: an entry such as 10.0.10.0/255.0.0.0 never matches anything, because 10.x.x.x masked with 255.0.0.0 is 10.0.0.0, not 10.0.10.0. This whole step only works when sshd is built with TCP Wrappers (libwrap) support, which upstream OpenSSH removed in 6.7; on systems without it, restrict access with firewall rules or with user@host patterns in AllowUsers instead. DenyHosts (step 2) relies on the same /etc/hosts.deny mechanism.
  8. Allow only users with keys to connect; no passwords allowed

    Install your public key in ~/.ssh/authorized_keys of an allowed user and test a key-based login before this change, or you will lock yourself out. Then in sshd_config set

    PasswordAuthentication no

    On RedHat systems UsePAM is enabled, so also set ChallengeResponseAuthentication to no; otherwise PAM keyboard-interactive authentication still prompts for a password.
  9. Bind the SSH server to a specific network interface

    By default sshd listens on all addresses. To limit it to one interface, set that interface’s address in sshd_config:

    ListenAddress 192.168.2.12

  10. Reduce the number of attempts to enter the password

    In sshd_config set MaxAuthTries to a small value (the default is 6; 3 is an example value):

    MaxAuthTries 3

    After editing sshd_config, check the syntax with sshd -t and restart the service (/etc/init.d/sshd restart) for the changes to take effect.
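The sshd_config changes from the steps above, applied as one script. This is an added example, not part of the original how-to: it rewrites each directive in place (whether the stock line is active or commented out), appends directives the file lacks, checks the result, and only restarts sshd if `sshd -t` accepts the file. It assumes a stock sshd_config with no Match blocks (directives inside a Match block would be rewritten too) and reuses the example values from the text (port 2223, users john/jack/ge*, ListenAddress 192.168.2.12, MaxAuthTries 3); the function and variable names are the example's own.

```shell
#!/bin/bash
# Added example: apply the sshd_config hardening steps idempotently.
# Assumption: no "Match" blocks in the file; the values below are the
# example values from the how-to and must be adapted to your network.

# set_directive FILE KEY VALUE
# Replace the first "KEY ..." line, active or commented out with '#',
# by "KEY VALUE"; drop later duplicates; append the line if KEY is absent.
# sshd keywords are case-insensitive, so the match is too.
set_directive() {
    sd_file=$1; sd_key=$2; sd_value=$3
    sd_tmp=$(mktemp) || return 1
    awk -v key="$sd_key" -v value="$sd_value" '
        tolower($0) ~ ("^[# \t]*" tolower(key) "([ \t]|$)") {
            if (!done) { print key " " value; done = 1 }
            next
        }
        { print }
        END { if (!done) print key " " value }
    ' "$sd_file" > "$sd_tmp" && cat "$sd_tmp" > "$sd_file"  # cat keeps owner/mode
    sd_rc=$?
    rm -f "$sd_tmp"
    return $sd_rc
}

# check_directive FILE KEY VALUE
# Succeed only if the first active (uncommented) KEY line sets exactly VALUE;
# that is the line sshd honours, because the first occurrence wins.
check_directive() {
    awk -v key="$2" -v value="$3" '
        /^[ \t]*(#|$)/ { next }                    # skip comments and blank lines
        tolower($1) == tolower(key) {
            rest = $0
            sub(/^[ \t]*[^ \t]+[ \t]+/, "", rest)  # strip the keyword
            found = 1; ok = (rest == value)
            exit
        }
        END { exit !(found && ok) }
    ' "$1"
}

# harden_sshd_config FILE: steps 3, 4, 5, 6, 8, 9 and 10 as directives.
# ChallengeResponseAuthentication no is needed on RedHat (UsePAM yes),
# otherwise PAM keyboard-interactive still accepts passwords.
harden_sshd_config() {
    while read -r hc_key hc_value; do
        set_directive "$1" "$hc_key" "$hc_value" || return 1
    done <<'EOF'
Port 2223
Protocol 2
PermitRootLogin no
AllowUsers john jack ge*
PasswordAuthentication no
ChallengeResponseAuthentication no
ListenAddress 192.168.2.12
MaxAuthTries 3
EOF
}

# Usage (as root): ./harden-sshd.sh /etc/ssh/sshd_config
# Put your public key in ~/.ssh/authorized_keys of an allowed user and test a
# key login FIRST, or "PasswordAuthentication no" locks you out.
if [ -n "${1:-}" ]; then
    cp -p "$1" "$1.bak" || exit 1
    harden_sshd_config "$1" || exit 1
    if command -v semanage >/dev/null 2>&1; then
        # SELinux only lets sshd bind to ports labelled ssh_port_t;
        # the command fails harmlessly if the port is already labelled.
        semanage port -a -t ssh_port_t -p tcp 2223 2>/dev/null || true
    fi
    # sshd -t checks the syntax without starting the daemon; restart only if it passes.
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$1" && /etc/init.d/sshd restart
    fi
fi
```

Because the functions only touch the file they are given, you can run harden_sshd_config against a copy of sshd_config and diff it against the original before touching the live file; step 7 (hosts.allow/hosts.deny) is deliberately left out, since it depends on TCP Wrappers support that not every sshd build has.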
