[TUT] Securing SSH a bit ;)

[.:Raymond:.]

Hi,

Here is a little tut I made cause I got bored . Enjoy

Step 1 : Add a Regular User

Code: 

adduser sshadmin && passwd sshadmin

*Note* After entering this command you will be prompted to enter a password.

Step 2 : Backup your current sshd_config

Code: 

mv /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

Step 3 : Create a new sshd_config file

Code: 

nano -w /etc/ssh/sshd_config

Step 4 : Paste this into the new file.

Code: 

## Change to other port is recommended, etc 2488
Port 22
 
## Sets listening address on server. default=0.0.0.0
#ListenAddress 192.168.0.1
 
## Enforcing SSH Protocol 2 only
Protocol 2
 
## Disable direct root login, with no you need to login with admin user, then "su -" you into root
PermitRootLogin no
 
##
UsePrivilegeSeparation yes
 
##
AllowTcpForwarding no
 
## Disables X11Forwarding
X11Forwarding no
 
## Checks users on their home directority and rhosts, that they arent world-writable
StrictModes yes
 
## The option IgnoreRhosts specifies whether rhosts or shosts files should not be used in authentication
IgnoreRhosts yes
 
##
HostbasedAuthentication no
 
## RhostsAuthentication specifies whether sshd can try to use rhosts based authentication. 
RhostsRSAAuthentication no
 
## Adds a login banner that the user can see
Banner /etc/motd
 
## Enable / Disable sftp server
#Subsystem      sftp    /usr/libexec/openssh/sftp-server
 
## Add users that are allowed to log in
AllowUsers sshadmin

The port number should be changed to something else (Example : 2194
Ctrl + x to save it now.


Step 5 : Restart SSHD

Code: 

service sshd restart

*Note* Do not close your current ssh window in case of problems

Now open a new ssh window and try connecting with the port and the user you added. Once you are logged into type su - and it will ask you for root pass. Once you enter it correctly blamo your in

.:Raymond:. Reviewed by .:Raymond:. on 28th May 2011. [TUT] Securing SSH a bit ;) Hi, Here is a little tut I made cause I got bored :P. Enjoy Step 1 : Add a Regular User adduser sshadmin && passwd sshadmin *Note* After entering this command you will be prompted to enter a password. Step 2 : Backup your current sshd_config Rating: 5

[ShareShiz]

nice. hope people use this to be more secure.

[QuickSand]

ya ur security seems to be the best

but seriously thanks for the effort

[.:Raymond:.]

@ShareShiz

why fail o.O

[.:Raymond:.]

@QuickSand

being sarcastic

[NoEnD]

Thanks!

And i'm commenting out "Banner /etc/motd" too skip displays stats of server twice.

[TippiE]

basic ssh security, everyone should do this!
nice one mate

[.:Raymond:.]

Thanks tippie

[Motion]

Long description. I think almost all SSH pros using this method.
It's very easy to do if you are using kloxo panel. login to panel and change ssh port. that's all

Hi,

Here is a little tut I made cause I got bored . Enjoy

Step 1 : Add a Regular User

Code: 

adduser sshadmin && passwd sshadmin

*Note* After entering this command you will be prompted to enter a password.

Step 2 : Backup your current sshd_config

Code: 

mv /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

Step 3 : Create a new sshd_config file

Code: 

nano -w /etc/ssh/sshd_config

Step 4 : Paste this into the new file.

Code: 

## Change to other port is recommended, etc 2488
Port 22
 
## Sets listening address on server. default=0.0.0.0
#ListenAddress 192.168.0.1
 
## Enforcing SSH Protocol 2 only
Protocol 2
 
## Disable direct root login, with no you need to login with admin user, then "su -" you into root
PermitRootLogin no
 
##
UsePrivilegeSeparation yes
 
##
AllowTcpForwarding no
 
## Disables X11Forwarding
X11Forwarding no
 
## Checks users on their home directority and rhosts, that they arent world-writable
StrictModes yes
 
## The option IgnoreRhosts specifies whether rhosts or shosts files should not be used in authentication
IgnoreRhosts yes
 
##
HostbasedAuthentication no
 
## RhostsAuthentication specifies whether sshd can try to use rhosts based authentication. 
RhostsRSAAuthentication no
 
## Adds a login banner that the user can see
Banner /etc/motd
 
## Enable / Disable sftp server
#Subsystem      sftp    /usr/libexec/openssh/sftp-server
 
## Add users that are allowed to log in
AllowUsers sshadmin

The port number should be changed to something else (Example : 2194
Ctrl + x to save it now.


Step 5 : Restart SSHD

Code: 

service sshd restart

*Note* Do not close your current ssh window in case of problems

Now open a new ssh window and try connecting with the port and the user you added. Once you are logged into type su - and it will ask you for root pass. Once you enter it correctly blamo your in

[.:Raymond:.]

@motion
disabling direct root login and adding the regular user is also a good security measure.