Hardening SSHD



Step 1: First of all we need to make a regular user, since we are disabling direct root login:

adduser admin && passwd admin



Step 2: Back up your current sshd_config

mv /etc/ssh/sshd_config /etc/ssh/sshd_config.bak



Step 3: Create a new sshd_config file

nano -w /etc/ssh/sshd_config



Step 3.1: Paste this code into the new file

## Changing to another port is recommended, e.g. 2488
Port 22
 
## Sets listening address on server. default=0.0.0.0
#ListenAddress 192.168.0.1
 
## Enforcing SSH Protocol 2 only
Protocol 2
 
## Disable direct root login; with "no" you log in as the admin user, then "su -" to become root
PermitRootLogin no
 
## Run the network-facing part of the daemon as a separate unprivileged process
UsePrivilegeSeparation yes
 
## Disable TCP port forwarding through the SSH connection
AllowTcpForwarding no
 
## Disables X11Forwarding
X11Forwarding no
 
## Checks ownership and permissions of users' home directories and rhosts files before login, rejecting world-writable ones
StrictModes yes
 
## IgnoreRhosts specifies that .rhosts and .shosts files are not used in authentication
IgnoreRhosts yes
 
## Disable host-based (rhosts-style, host-key) authentication
HostbasedAuthentication no
 
## RhostsRSAAuthentication specifies whether sshd may try rhosts authentication combined with RSA host authentication (protocol 1 only)
RhostsRSAAuthentication no
 
## Adds a login banner that the user can see
Banner /etc/motd
 
## Enable / disable the sftp server (leave commented out to disable the sftp subsystem)
#Subsystem      sftp    /usr/libexec/openssh/sftp-server
 
## Add users that are allowed to log in
AllowUsers admin

Press Ctrl+X (then Y to confirm) to save and exit

Step 4: Verify settings in the sshd_config you created

nano -w /etc/ssh/sshd_config

REMEMBER YOU SHOULD CHANGE THE PORT TO SOMETHING ELSE (for example, Port 2488).


Step 5.1: Add text to MOTD Banner file (/etc/motd)

nano -w /etc/motd



Step 5.2: Add this text, or something else of your choice

Private system, please log off.



Step 6: Restart the SSHD Daemon

service sshd restart



Step 7: Start a NEW client and test that you can connect on the new port. (DO NOT CLOSE YOUR CURRENT SSH SESSION, IN CASE OF PROBLEMS)
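A check to run between Step 4 and Step 6, as an added example that is not part of the original post: a POSIX sh script that reads an sshd_config and reports whether each directive from Step 3.1 is actually in effect, allowing for the fact that sshd honours the first occurrence of a keyword, not the last. It assumes only sh and awk; the configurations it is tested against are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original post: audit an sshd_config for the
# Step 3.1 directives before restarting sshd. Assumes POSIX sh and awk.
# Directives and the values the tutorial sets. Port is checked separately:
# Step 4 only asks that it differ from 22.
EXPECTED='Protocol 2
PermitRootLogin no
UsePrivilegeSeparation yes
AllowTcpForwarding no
X11Forwarding no
StrictModes yes
IgnoreRhosts yes
HostbasedAuthentication no
AllowUsers admin'

# Effective value of a keyword ("Keyword value" form, as in the tutorial).
# sshd keeps the FIRST occurrence of each keyword, case-insensitively, so a
# stray "PermitRootLogin yes" higher in the file overrides a hardened line.
effective_value() {  # $1 = config file, $2 = keyword
  awk -v key="$2" '
    /^[[:space:]]*#/ || NF == 0 { next }
    tolower($1) == tolower(key) { print $2; exit }
  ' "$1"
}

# Print one OK/FAIL line per directive; return the number of failures.
audit_sshd_config() {  # $1 = config file
  file=$1; fails=0
  port=$(effective_value "$file" Port)
  if [ -n "$port" ] && [ "$port" != 22 ]; then
    echo "OK   Port $port"
  else
    echo "FAIL Port is ${port:-unset}; change it from 22 (e.g. 2488)"
    fails=$((fails + 1))
  fi
  while read -r key want; do
    got=$(effective_value "$file" "$key")
    if [ "$got" = "$want" ]; then
      echo "OK   $key $got"
    else
      echo "FAIL $key is '${got:-unset}', expected '$want'"
      fails=$((fails + 1))
    fi
  done <<EOF
$EXPECTED
EOF
  return "$fails"
}
if [ $# -eq 1 ]; then audit_sshd_config "$1"; fi
```

On the server itself, OpenSSH's own syntax check, sshd -t -f /etc/ssh/sshd_config, complements this audit before the restart in Step 6.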


  • Marco Carranza

    Don't forget to put the new user in the group wheel or you will get a message after putting “su -”. I had that problem in my CentOS server that is running cPanel/WHM. I'm lucky because I was able to do this later via a cPanel menu.

  • becas

    Also, if you change the port number, you should open that port in the firewall configuration, for example in the apf.conf file if we have APF installed. Otherwise we will lose the connection through ssh as soon as we restart the sshd.

    BTW congrats for the site, very useful for beginners like me.