How to install, config and secure openssh server
OpenSSH provides end-to-end encrypted replacement of applications such as telnet, rlogin, and ftp. Unlike these legacy applications, OpenSSH never passes anything (including username and password) over the wire in unencrypted form, and provides host authentication, to verify that you really are talking to the system that you think you are and that no one else can take over that session. Currently OpenSSH can be used with OpenBSD, NetBSD, FreeBSD, AIX, HP-UX, IRIX, Linux, NeXT, SCO, SNI/Reliant Unix, Solaris, Digital Unix/Tru64/OSF, Mac OS X, Cygwin.
Install OpenSSH
You will want your system can both receive and make connections via OpenSSH, so you will need to install server and client packages
For Ubuntu, Mint, or Debian based distributions
# apt-get install openssh openssh-server openssh-clients
For Fedora, Centos, or Red Hat based distributions
# yum install openssh openssh-server openssh-clients
Config and Secure OpenSSH
Default openssh config files
/etc/ssh/sshd_config – OpenSSH server configuration file.
/etc/ssh/ssh_config – OpenSSH client configuration file.
Default openssh port
TCP 22
There are a few tweaks and changes before you open up your ssh server to connections from the outside world.
1. Disable OpenSSH server
You should disable and remove openssh on machines that you don’t need connections to, like workstation, laptop
For Ubuntu, Mint, or Debian based distributions
# apt-get remove openssh-server
For Fedora, Centos, or Red Hat based distributions
# chkconfig sshd off # yum erase openssh-server
You will need to update and restart your iptables if you have one to remove ssh exception rule.
# nano /etc/sysconfig/iptables
2. Only Use SSH Protocol 2
Make sure its in your openssh server config file
Protocol 2
3. Limit access to ssh server
Only allow certain user/users to access your ssh server and deny user/users you don’t want to access to ssh server.
To allow user/users, add this to sshd_config
AllowUsers tom marry mike
To deny
DenyUsers root jenny
Personally i highly suggest you deny root user on ssh server and ssh with normal unprivileged user, then you can become root after that.
To become root you can use su command
For Ubuntu, Mint, or Debian based distributions
$ sudo su
For Fedora, Centos, or Red Hat based distributions
$su -
# Config Idle Log Out Timeout Interval
You would not want to leave your ssh session unattended, having idle log out timeout is a good idea to do so. Here i set mine at 300 seconds or 5 minutes
ClientAliveInterval 300 ClientAliveCountMax 0
4. Disable .rhosts Files
IgnoreRhosts yes
6. Disable Host-Based Authentication
HostbasedAuthentication no
7. Disable root Login via SSH
As I mentioned before, you dont want to login with your root account. Besind deny user root, you should also disallow it.
PermitRootLogin no
8. Having a Warning Banner
This is not really effective to against somebody want to break in your ssh server, but it’s cool to have one and sort of legal warning.
Banner /etc/ssh_banner
Sample warning banner /etc/ssh_banner
************************************************
NOTICE TO USERS WARNING!
The use of this system is restricted to authorized users, unauthorized access is forbidden and will be prosecuted by law. All information and communications on this system are subject to review, monitoring and recording at any time, without notice or permission. Users should have no expectation of privacy.*************************************************
8. Change SSH server port
After **deny and disallow root login** at number 3. and 7., I belive changing ssh server port to a non-standard port is the **second most important** effective way to prevent break in ssh server. I **belive** (I might be wrong) anything between port 1024 to 65535 is safe to use.
Port 10000
9. Disable Empty Passwords
You don’t want anyone to login to your ssh server with an empty password
PermitEmptyPasswords no
