How to secure SSH?
Best Security Practice
The ideal ssh daemon would only allow login via SSH keys. This setup can easily be configured within WHM >>Manage SSH Keys, where you’ll create a SSH key for you to login with. Once you’ve created your key, and verified that you can login with it, you’ll want to go to WHM >> SSH Password Authorization Tweak, which will disable PasswordAuthentication in /etc/ssh/sshd_config.
Medium-security Configuration
If you have clients on your server that require PasswordAuthentication, you can still lock down SSH pretty well.
Open /etc/ssh/sshd_config in your favorite editor
1
Code:
Disable direct root loginFirst, be sure that you have an alternate user configured in your environment that you can use to login via SSH. This user must also have privileges to “su” to root.
Then, set the “PermitRootLogin” directive to “no”.
Code:
Change the port that sshd listens on
Code:
Be sure to use a port equal to or less than 1024, as these are privileged ports that only root or a super-user can set daemons to listen on. If you were to configure sshd to listen on port 11223, and a user was able to take down sshd, they could then start their own sshd daemon in place of yours.
State which users may login via SSH
If you want to only allow certain users to login via SSH, implement the “AllowUsers” directive:
Code:
This will only allow ‘bob’ and ‘frank’ to login via SSH.
Save and Restart SSH
Now save the file and restart the sshd service:
Code:
The ideal ssh daemon would only allow login via SSH keys. This setup can easily be configured within WHM >>Manage SSH Keys, where you’ll create a SSH key for you to login with. Once you’ve created your key, and verified that you can login with it, you’ll want to go to WHM >> SSH Password Authorization Tweak, which will disable PasswordAuthentication in /etc/ssh/sshd_config.
Medium-security Configuration
If you have clients on your server that require PasswordAuthentication, you can still lock down SSH pretty well.
Open /etc/ssh/sshd_config in your favorite editor
1
Code:
Code:
nano /etc/ssh/sshd_configDisable direct root loginFirst, be sure that you have an alternate user configured in your environment that you can use to login via SSH. This user must also have privileges to “su” to root.
Then, set the “PermitRootLogin” directive to “no”.
Code:
Code:
PermitRootLogin noChange the port that sshd listens on
Code:
Code:
Port 221Be sure to use a port equal to or less than 1024, as these are privileged ports that only root or a super-user can set daemons to listen on. If you were to configure sshd to listen on port 11223, and a user was able to take down sshd, they could then start their own sshd daemon in place of yours.
State which users may login via SSH
If you want to only allow certain users to login via SSH, implement the “AllowUsers” directive:
Code:
Code:
AllowUsers bob frankThis will only allow ‘bob’ and ‘frank’ to login via SSH.
Save and Restart SSH
Now save the file and restart the sshd service:
Code:
Code:
service sshd restart
No comments:
Post a Comment