People used telnet to connect to their machines, but all communication between their computers and the remote machine was sent in clear text (unencrypted), making sensitive information available to anyone who knew how to monitor their traffic. They had to find a way to prevent this, so SSH was born.
OpenSSH was originally created as an open source alternative to the proprietary SSH offered by the Finnish company SSH Communications Security, but it very quickly became a de facto standard in remote server management and access. Unlike telnet, the whole communication is encrypted, making it (almost) impossible for unauthorized people to find sensitive information. Even if someone is able to decrypt the information, that will take a very long period of time (and I'm talking about years and tens of years), making the information useless by the time the decryption is done.
OpenSSH has many configuration options and authorization mechanisms. Below are some settings you need to change for a secure SSH server.
Log in to a shell on your remote server as root or with a sudo account.
Let's check whether OpenSSH is already installed on your machine. Execute the command below; if it is installed, the output lists the installed version on your system.
rpm -qa | grep ssh
Let's block all SSH connections by default.
Edit /etc/hosts.deny
Copy and paste this shell command:
vi /etc/hosts.deny
#Block SSH except from hosts.allow
sshd: ALL
Save and Quit editor
Now edit /etc/hosts.allow
# Allow this IP to connect to this machine (change this to your IP address)
sshd: 192.168.0.222
Save and Quit editor
Now edit /etc/ssh/sshd_config
Change the default port 22
I suggest changing it to something random and higher than 1023, and also making sure the port is not a standard port for another service. You can do this by looking at IANA's Port Assignments. This will prevent most script kiddies from attacking your SSH server and/or generating extra traffic.
# Which port you use is up to you; make sure to check IANA's Port Assignments mentioned above
Port 1024
Change Protocol
Protocol 2
Do not allow root login
Every attacker will want to gain root access to your box. Disabling root login makes the attacker's life harder, because he first has to find an authorized user and crack into the box, and only then can he try to gain root access.
PermitRootLogin no
Make use of Allow/Deny Users/Groups
In most cases, not everyone should access your server remotely. The AllowUsers, AllowGroups, DenyUsers and DenyGroups directives help you better control who is going to have remote access to that box.
AllowUsers Juan Bitoy Steve
Save and Quit Editor
Last, restart the sshd service:
/etc/init.d/sshd restart
If something is missing from the guide, let me know.
Note: Every time you change your sshd_config, always restart the sshd service so that the new configuration takes effect.
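As an added example (not part of the original guide), the shell function below checks a config file for the sshd_config settings changed above, so you can confirm them before restarting sshd. The function name audit_sshd_config and the sample config are made up for illustration; only the global section is checked, and Match blocks are not evaluated.

```shell
#!/bin/sh
# Added example (not from the original guide): audit the global section of an
# sshd_config for the settings this guide changes. Prints one line per check
# and returns the number of failed checks as the exit status.
audit_sshd_config() {
    awk '
    /^[ \t]*(#|$)/ { next }                    # skip comments and blank lines
    {
        key = tolower($1)                      # sshd keywords are case-insensitive
        if (key == "match") exit               # only the global section is checked
        $1 = ""; sub(/^[ \t]+/, "")            # $0 is now just the value
        if (key == "port") { ports = ports " " $0; next }   # Port may repeat
        if (!(key in val)) val[key] = $0       # otherwise the first value wins
    }
    END {
        bad = 0
        n = split(ports, p, " ")
        if (n == 0) { print "FAIL Port: not set, sshd listens on 22"; bad++ }
        for (i = 1; i <= n; i++) {
            if (p[i] + 0 <= 1023) { print "FAIL Port " p[i] ": not above 1023"; bad++ }
            else print "OK   Port " p[i]
        }
        # Assumption of this example: an absent Protocol line is not flagged.
        if (("protocol" in val) && val["protocol"] != "2") {
            print "FAIL Protocol " val["protocol"] ": only 2 should be listed"; bad++
        } else print "OK   Protocol"
        if (tolower(val["permitrootlogin"]) != "no") {
            print "FAIL PermitRootLogin: must be set to no"; bad++
        } else print "OK   PermitRootLogin no"
        if (!("allowusers" in val) && !("allowgroups" in val)) {
            print "FAIL AllowUsers/AllowGroups: no allow list"; bad++
        } else print "OK   allow list present"
        exit bad
    }' "$1"
}

# Constructed sample with the guide's settings; point it at /etc/ssh/sshd_config instead.
sample=$(mktemp)
printf '%s\n' 'Port 1024' 'Protocol 2' 'PermitRootLogin no' \
    'AllowUsers Juan Bitoy Steve' > "$sample"
audit_sshd_config "$sample"
rm -f "$sample"
```

Running `sshd -t` before the restart also catches syntax errors in the file, which this check does not look for.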