The best way to secure SSH access to your server is to allow connections only with an SSH key.
So how do we do that?
Generate an SSH key pair on your computer:
# ssh-keygen
Now you'll have two files: id_rsa and id_rsa.pub.
So what you have to do is rename id_rsa.pub to authorized_keys:
# mv id_rsa.pub authorized_keys
Log in to your server via SSH and try to connect somewhere with ssh from there, just so that a .ssh folder gets created in your home folder (or you can even create it manually). Then get back to your PC and run:
# scp authorized_keys user@example.com:/home/user/.ssh/
You can also do this for root, but anyway.
Now connect to your server and restart ssh:
# sudo /etc/init.d/ssh restart
Note: Test that your SSH key is working.
Now edit sshd_config to block password authentication to your server:
# sudo nano /etc/ssh/sshd_config
What you have to do now is find the lines written below and make them look as you see them here:
Port 22 > change it from 22 to whatever you want
Protocol 2 > make sure it's 2
PermitRootLogin no
PermitEmptyPasswords no
PasswordAuthentication no
UsePrivilegeSeparation yes
If you don't need them, you can also prevent SSH from setting up TCP port forwarding and X11 forwarding:
AllowTcpForwarding no
X11Forwarding no
Make sure the StrictModes directive is enabled. It checks the file permissions and ownership of some important files in the user's home directory, such as ~/.ssh and ~/.ssh/authorized_keys. If any check fails, the user won't be able to log in.
StrictModes yes
It may also be necessary to disable all host-based authentication. These methods should be avoided as primary authentication.
IgnoreRhosts yes
HostbasedAuthentication no
RhostsRSAAuthentication no
Then also:
ChallengeResponseAuthentication no
UsePAM no
That's it, now everything is blocked.
Note: Before doing this, please make sure your SSH key is working properly.
Restart ssh and you're good to go!
Note: If you changed your port from 22 to, for example, 123, you should connect like this:
# ssh -p 123 user@yourserver.com
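The settings listed above can be checked mechanically before you restart ssh. The script below is an added example, not part of the original post; the function names and the sample config are made up for illustration. It reads only the global section of the file: it stops at the first Match block and does not follow Include lines.

```shell
# Values this page sets in sshd_config (Port is left out: any value you chose is fine).
EXPECTED="protocol=2 permitrootlogin=no permitemptypasswords=no \
passwordauthentication=no useprivilegeseparation=yes allowtcpforwarding=no \
x11forwarding=no strictmodes=yes ignorerhosts=yes hostbasedauthentication=no \
rhostsrsaauthentication=no challengeresponseauthentication=no usepam=no"

# audit_sshd_config FILE (hypothetical helper): one line per deviation, status 1 if any.
audit_sshd_config() {
    awk -v expected="$EXPECTED" '
    BEGIN { bad = 0; n = split(expected, pair, " ")
        for (i = 1; i <= n; i++) { split(pair[i], kv, "="); key[i] = kv[1]; want[kv[1]] = kv[2] }
    }
    /^[ \t]*(#|$)/ { next }            # skip comments and blank lines
    tolower($1) == "match" { exit }    # global section ends at the first Match block
    # keywords are case-insensitive, and sshd keeps the first value it reads
    { k = tolower($1); if ((k in want) && !(k in seen)) seen[k] = tolower($2) }
    END {
        for (i = 1; i <= n; i++) {
            k = key[i]
            if (!(k in seen)) { printf "MISSING %s (page value: %s)\n", k, want[k]; bad = 1 }
            else if (seen[k] != want[k]) { printf "WEAK %s %s (page value: %s)\n", k, seen[k], want[k]; bad = 1 }
        }
        exit bad
    }' "$1"
}

# write_sample FILE: constructed config for the demo, not taken from a real host.
write_sample() {
    cat > "$1" <<'EOF'
Protocol 2
PermitRootLogin no
PermitEmptyPasswords no
passwordauthentication yes
PasswordAuthentication no
UsePrivilegeSeparation yes
AllowTcpForwarding no
X11Forwarding no
StrictModes yes
IgnoreRhosts yes
HostbasedAuthentication no
RhostsRSAAuthentication no
ChallengeResponseAuthentication no
Match User backup
    UsePAM no
EOF
}

sample=$(mktemp); write_sample "$sample"
audit_sshd_config "$sample" || echo "fix the lines above before restarting ssh"
rm -f "$sample"
```

The sample trips two checks: an earlier lowercase passwordauthentication yes line overrides the later no, and UsePAM no sits inside a Match block, so it is not a global setting. On the server, point the function at /etc/ssh/sshd_config; sshd -T prints the effective configuration if you want to cross-check.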