Hardening SSHD



Step 1: First of all we need to make a regular user, since we are disabling direct root login:

adduser admin && passwd admin



Step 2: Back up your current sshd_config

mv /etc/ssh/sshd_config /etc/ssh/sshd_config.bak



Step 3: Create a new sshd_config file

nano -w /etc/ssh/sshd_config



Step 3.1: Paste this code into the new file

## Changing to another port is recommended, e.g. 2488
Port 22

## Sets the listening address on the server. default=0.0.0.0 (all interfaces)
#ListenAddress 192.168.0.1

## Enforce SSH protocol 2 only
Protocol 2

## Disable direct root login; with "no" you log in as the admin user, then "su -" to root
PermitRootLogin no

## Run the pre-authentication part of sshd as an unprivileged process, so a bug there does not hand out root
UsePrivilegeSeparation yes

## Disable TCP port forwarding through the SSH connection
AllowTcpForwarding no

## Disable X11 forwarding
X11Forwarding no

## Check that users' home directories and rhosts files aren't world-writable before accepting a login
StrictModes yes

## Do not use .rhosts or .shosts files in authentication
IgnoreRhosts yes

## Disable host-based authentication (trusting the client host instead of the user)
HostbasedAuthentication no

## Disable rhosts authentication backed by RSA host keys (SSH protocol 1 only)
RhostsRSAAuthentication no

## Show a login banner to the user before authentication
Banner /etc/motd

## Enable / disable the sftp server (commented out = disabled)
#Subsystem      sftp    /usr/libexec/openssh/sftp-server

## Only these users are allowed to log in
AllowUsers admin

Ctrl+X to save and exit

Step 4: Verify settings in the sshd_config you created

nano -w /etc/ssh/sshd_config

REMEMBER YOU SHOULD CHANGE THE PORT TO SOMETHING ELSE. (Example: Port 2488)
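A script to check the new file for the directives this guide sets, added here as an example and not part of the original post. It assumes POSIX sh plus awk; the sample config it writes is constructed, so on a real host point sshd_audit at /etc/ssh/sshd_config instead.

```shell
# Audit an sshd_config against the directives this guide sets (constructed example).
# Print the effective value of a keyword. sshd honours the FIRST occurrence and ignores
# later ones, so stop at the first match; comments and keyword case are ignored as sshd does.
sshd_get() {   # $1 = config file, $2 = keyword
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, "") }                       # strip comments, re-split fields
        NF >= 2 && tolower($1) == key { print $2; exit }
    ' "$1"
}
# Compare one directive with its expected value; prints ok / MISSING / BAD (actual).
sshd_check() {   # $1 = config file, $2 = keyword, $3 = expected value (lower case)
    val=$(sshd_get "$1" "$2" | tr 'A-Z' 'a-z')
    if [ -z "$val" ]; then echo "MISSING"; return 1
    elif [ "$val" = "$3" ]; then echo "ok"; return 0
    else echo "BAD ($val)"; return 1
    fi
}
# Check the directives the guide sets plus its "move off port 22" advice;
# returns the number of failing checks.
sshd_audit() {   # $1 = config file
    fails=0
    while read -r key want; do
        res=$(sshd_check "$1" "$key" "$want") || fails=$((fails + 1))
        printf '%-24s want=%-4s %s\n' "$key" "$want" "$res"
    done <<EOF
Protocol 2
PermitRootLogin no
AllowTcpForwarding no
X11Forwarding no
HostbasedAuthentication no
EOF
    port=$(sshd_get "$1" Port)
    if [ -z "$port" ] || [ "$port" = "22" ]; then
        echo "Port is still 22 (or unset); pick another, e.g. 2488"; fails=$((fails + 1)); fi
    return $fails
}
# Constructed sample: port unchanged, HostbasedAuthentication missing, and a
# later duplicate of PermitRootLogin that sshd would ignore.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
Port 22
Protocol 2
PermitRootLogin no
permitrootlogin yes   # duplicate: sshd keeps the first value, "no"
AllowTcpForwarding no
X11Forwarding no
AllowUsers admin
EOF
if sshd_audit "$SAMPLE"; then echo "all checks passed"; else echo "review the lines marked BAD/MISSING"; fi
```

`sshd -t` only checks that the file parses and the host keys are sane; it does not tell you whether the values match this guide, which is what the checks above are for.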


Step 5.1: Add text to MOTD Banner file (/etc/motd)

nano -w /etc/motd



Step 5.2: Add this text, or something else of your choice

Private system, please log off.



Step 6: Restart the sshd daemon

service sshd restart



Step 7: Start a NEW client and test that you can connect on the new port. (DO NOT CLOSE THE CURRENT SSH SESSION IN CASE OF PROBLEMS)


2 Comments

  1. SSH gymnastics with proxychains | Portable Digital Video Recorder says:

    [...] /etc/ssh/sshd_config and set “AllowTCPForwarding to NO”. While you're in there make all these changes. Remember that if an attacker has a shell they can install their own forwarders or use netcat so [...]

  2. Marco Carranza says:

    Don't forget to put the new user in the group wheel or you will get a message after putting “su -”. I had that problem in my CentOS server that is running cPanel/WHM. I'm lucky because I was able to do this later via a cPanel menu.
