Securing SSH

The best way to secure your server's SSH access is to allow connections with SSH keys only.
So how do we do that?
Generate an SSH key pair on your computer:

# ssh-keygen

Now you will have two files, id_rsa and id_rsa.pub.
What you have to do is rename id_rsa.pub to authorized_keys:

# mv id_rsa.pub authorized_keys

Go to your server via SSH and try to connect somewhere with ssh, just so that a .ssh folder is created in your home folder (you can also create it manually). Then get back to your PC and:

# scp authorized_keys user@example.com:/home/user/.ssh/

You can do the same for root, but let's move on.

Now connect to your server and restart SSH:

# sudo /etc/init.d/ssh restart

Note: test that your SSH key login is working before going further.

Now edit sshd_config to block password authentication on your server:

# sudo nano /etc/ssh/sshd_config

What you have to do now is find the lines below and set them as shown here:

Port 22 > change it from 22 to whatever you want
Protocol 2 > make sure it's 2
PermitRootLogin no
PermitEmptyPasswords no
PasswordAuthentication no
UsePrivilegeSeparation yes

If you don't need them, you can also prevent SSH from setting up TCP port forwarding and X11 forwarding:

AllowTcpForwarding no
X11Forwarding no

Make sure the StrictModes directive is enabled. It checks the file permissions and ownership of important files in the user's home directory, such as ~/.ssh and ~/.ssh/authorized_keys. If any check fails, the user won't be able to log in:

StrictModes yes

It is also advisable to disable all host-based authentication. These methods should not be used as primary authentication:

IgnoreRhosts yes
HostbasedAuthentication no
RhostsRSAAuthentication no

Then also:

ChallengeResponseAuthentication no
UsePAM no

That's it, now everything else is blocked.
Note: before doing this, please make sure your SSH key is working properly.
Restart SSH and you're good to go!
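As an added check (example script, not from the original post), the following POSIX shell function compares an `sshd -T` dump against the settings listed above and prints each directive that deviates. It embeds a constructed sample dump so it runs offline; on the server you would pipe `sudo sshd -T` into it instead. It assumes a current OpenSSH, which no longer prints Protocol or UsePrivilegeSeparation and reports ChallengeResponseAuthentication as KbdInteractiveAuthentication, so those are omitted or aliased.

```shell
#!/bin/sh
# Added example: verify the hardening above against the daemon's effective
# settings. Real use:  sudo sshd -T | check_sshd_hardening
# (`sshd -T` prints every effective directive as "keyword value", lowercase.)

# Directive/value pairs the post recommends. Protocol and UsePrivilegeSeparation
# are left out because current OpenSSH no longer prints them.
EXPECTED="permitrootlogin no
permitemptypasswords no
passwordauthentication no
allowtcpforwarding no
x11forwarding no
strictmodes yes
ignorerhosts yes
hostbasedauthentication no
challengeresponseauthentication no
usepam no"

# Constructed sample standing in for `sshd -T` so the script runs offline.
# Two directives deliberately deviate: passwordauthentication and x11forwarding.
SAMPLE_DUMP="port 2222
permitrootlogin no
permitemptypasswords no
passwordauthentication yes
allowtcpforwarding no
x11forwarding yes
strictmodes yes
ignorerhosts yes
hostbasedauthentication no
kbdinteractiveauthentication no
usepam no"

# Reads a dump on stdin; prints "<keyword>: got <value>, want <value>" for each
# directive that does not match EXPECTED (a missing directive is a deviation).
check_sshd_hardening() {
    dump=$(cat)
    printf '%s\n' "$EXPECTED" | while read -r key want; do
        alt=$key   # OpenSSH 8.7+ renamed ChallengeResponseAuthentication
        [ "$key" = challengeresponseauthentication ] && alt=kbdinteractiveauthentication
        got=$(printf '%s\n' "$dump" | awk -v k="$key" -v a="$alt" \
            '$1 == k || $1 == a { print $2; found = 1 }
             END { if (!found) print "<missing>" }')
        [ "$got" = "$want" ] || printf '%s: got %s, want %s\n' "$key" "$got" "$want"
    done
}

# Demo on the constructed sample; prints the two deviating directives.
printf '%s\n' "$SAMPLE_DUMP" | check_sshd_hardening
```

An empty report means every directive matches the settings from the post; anything printed is a line to fix in sshd_config before trusting the server is locked down.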

Note: if you changed your port from 22 to, for example, 123, you should connect like this:

# ssh -p 123 user@yourserver.com
