Hardening SSHD



Step 1: First of all, create a regular (non-root) user. The config installed below disables direct root login, so this is the account you will log in with from now on (and su or sudo to root afterwards):

adduser admin && passwd admin


Step 2: Back up your current sshd_config

cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak


Step 3: Download SecureCentos.com's own sshd_config. (This overwrites your current config automatically. The file is fetched over plain HTTP, so do not skip Step 4: read it before you restart sshd.)

wget --output-document=/etc/ssh/sshd_config http://www.securecentos.com/files/sshd/sshd_config


Step 4: Verify settings in the sshd_config you downloaded.

nano -w /etc/ssh/sshd_config


REMEMBER TO CHANGE THE PORT TO SOMETHING OTHER THAN 22 (example: Port 2488). A non-default port keeps scanner noise out of your logs, but it is not a security control on its own; PermitRootLogin no and key authentication are what actually matter. If SELinux is enforcing, sshd is only allowed to bind ports labelled ssh_port_t, so label the new port with semanage before restarting, or sshd will fail to start.


Step 5.1: Add text to the MOTD file (/etc/motd). Note that /etc/motd is only shown after a successful login; if you want a warning displayed before authentication, point the Banner directive in sshd_config at a file such as /etc/issue.net.

nano -w /etc/motd


Step 5.2: Add this text, or something else of your choice

Private system, please log off.


Step 6: Restart the SSHD daemon. Run sshd -t first: it parses the config without starting the daemon and exits non-zero on a syntax error, so a typo does not leave you with a daemon that refuses to start.

service sshd restart


Step 7: Open a NEW client session and test that you can connect on the new port as the new user, and that root is refused. DO NOT CLOSE THE CURRENT SSH SESSION until this works, in case of problems.
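The seven steps above edit one file by hand. Here is an added example (mine, not SecureCentos.com's config or any script from the page) that applies the same kind of directives to a copy of sshd_config and reads them back, so you can see exactly what changed before you restart the daemon. It assumes a Linux box with awk and mktemp (any CentOS has them), and the directive list in harden_sshd_config is my assumption of what the page's config enforces, not a copy of it.

```bash
#!/bin/bash
# Added example (not the original page's sshd_config or script): apply
# hardening directives to an sshd_config-style file and read them back.
# Assumes awk and mktemp; the directive list in harden_sshd_config is an
# assumption of what the page's config sets, not a copy of it.

# set_sshd_option FILE KEY VALUE
# Make "KEY VALUE" the single active global directive for KEY: the first
# "Key ..." or "#Key ..." line in the global section is replaced, later
# copies are dropped, and a missing directive is inserted before the first
# Match block (a line placed after "Match" would only apply to that block).
set_sshd_option() {
    local file=$1 key=$2 value=$3 tmp
    tmp=$(mktemp)
    awk -v key="$key" -v value="$value" '
        {
            is_comment = ($0 ~ /^[ \t]*#/)
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)        # strip indent and comment marker
            split(line, f, /[ \t=]+/)
            name = tolower(f[1])
            if (in_match) { print; next }            # leave Match blocks untouched
            if (name == "match" && !is_comment) {    # end of the global section
                if (!done) { print key " " value; done = 1 }
                in_match = 1; print; next
            }
            if (name == tolower(key)) {
                if (!done) { print key " " value; done = 1 }
                next                                 # drop further copies
            }
            print
        }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"       # cat keeps the file owner/mode
    rm -f "$tmp"
}

# get_sshd_option FILE KEY  -> prints the active global value, "" if unset
get_sshd_option() {
    awk -v key="$2" '
        /^[ \t]*(#|$)/ { next }
        { line = $0; sub(/^[ \t]+/, "", line); split(line, f, /[ \t=]+/) }
        tolower(f[1]) == "match" { exit }
        tolower(f[1]) == tolower(key) { print f[2]; exit }
    ' "$1"
}

# harden_sshd_config FILE PORT  -- assumed contents of the page's config
harden_sshd_config() {
    local file=$1 port=${2:-22}
    set_sshd_option "$file" Protocol 2             # never offer SSH-1
    set_sshd_option "$file" Port "$port"
    set_sshd_option "$file" PermitRootLogin no     # log in as the Step-1 user
    set_sshd_option "$file" PermitEmptyPasswords no
    set_sshd_option "$file" MaxAuthTries 3
    set_sshd_option "$file" LoginGraceTime 30
    set_sshd_option "$file" X11Forwarding no
    set_sshd_option "$file" Banner /etc/issue.net  # shown BEFORE auth, unlike /etc/motd
}

# Demo on a constructed sample file, not a real system's /etc/ssh/sshd_config.
demo() {
    local dir; dir=$(mktemp -d)
    cat > "$dir/sshd_config" <<'EOF'
# constructed sample, modelled on a stock CentOS file
#Port 22
Protocol 2,1
#PermitRootLogin yes
PermitRootLogin yes
X11Forwarding yes
Match User backup
    PasswordAuthentication no
EOF
    harden_sshd_config "$dir/sshd_config" 2488
    cat "$dir/sshd_config"
    echo "active port: $(get_sshd_option "$dir/sshd_config" Port)"
    rm -rf "$dir"
}
demo
```

To use it on the live file, run it against the Step-2 backup copy, diff the result against the downloaded config, then copy it into place and run sshd -t before service sshd restart. Dropping the duplicate directives matters because sshd honours only the first occurrence of a key, so a stray "PermitRootLogin yes" above your "no" silently wins.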

Extra layer of security (under development :) ): using DSA keys to authenticate the user. Note that ssh-keygen only produces 1024-bit DSA keys and OpenSSH 7.0 and later refuse ssh-dss keys by default, so on a current system generate an RSA (4096-bit) or Ed25519 key instead; the rest of the procedure is the same.

Step 1: Create the folder and generate a 1024-bit DSA key. (The page generates the pair on the server and moves the private key off it in Step 2. The usual practice is the reverse: generate the pair on the client and copy only the public key into the server's authorized_keys, so the private key never crosses the network or sits on the server at all.)

mkdir ~/.ssh && chmod 700 ~/.ssh && cd ~/.ssh && ssh-keygen -t dsa -f ~/.ssh/id_dsa

cat id_dsa.pub >> ~/.ssh/authorized_keys && rm -Rf id_dsa.pub && chmod 600 ~/.ssh/*


It is recommended to put a PASSPHRASE on your keys, in case someone gets hold of the key file.


Step 2: Copy the DSA private key "id_dsa" to your client computer
Step 2.1: Copy the file to a Windows client

Use SFTP over the existing SSH session, never plain FTP: FTP sends the key file, and your password, in cleartext.


Step 2.2: Copy file to Linux client

scp ~/.ssh/id_dsa username@clientcomputer:~/.ssh/id_dsa


Step 2.3: When you are done, delete the private key from the server (the filename is id_dsa, the same file scp copied above)

rm -f ~/.ssh/id_dsa
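The server-side half of the key setup above is a handful of mkdir/cat/chmod commands, and the usual reason key login then fails is permissions: with StrictModes (the default) sshd silently ignores authorized_keys if ~/.ssh or the file is group- or world-writable. The following is an added example of my own, not from the page, that installs a public key the normal way round (the pair was generated on the client, only the .pub line reaches the server), refuses to append anything that is not an OpenSSH public-key line, and checks the modes sshd insists on. It assumes GNU stat (CentOS); the key blob in the demo is constructed and is not a real key.

```bash
#!/bin/bash
# Added example (not part of the original page): install a public key into
# authorized_keys idempotently and check the permissions sshd's StrictModes
# requires. Assumes GNU coreutils (stat -c); the sample key is constructed.

# valid_pubkey LINE  -- "<type> <base64 blob> [comment]" for types OpenSSH knows
valid_pubkey() {
    printf '%s\n' "$1" |
      grep -Eq '^(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'
}

# install_pubkey SSHDIR PUBKEY_LINE  -- append once, create files with safe modes
install_pubkey() {
    local dir=$1 key=$2 auth blob
    auth=$dir/authorized_keys
    valid_pubkey "$key" || { echo "rejected: not an OpenSSH public key line" >&2; return 1; }
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$auth" && chmod 600 "$auth"
    # de-duplicate on type + blob; the trailing comment may differ between copies
    blob=$(printf '%s\n' "$key" | awk '{print $1 " " $2}')
    if grep -Fq -- "$blob" "$auth"; then
        echo "already present: ${blob:0:40}..."
        return 0
    fi
    printf '%s\n' "$key" >> "$auth"
}

# check_ssh_perms SSHDIR  -- report what StrictModes would refuse; non-zero if anything is wrong
check_ssh_perms() {
    local dir=$1 rc=0 path mode
    for path in "$dir" "$dir/authorized_keys"; do
        [ -e "$path" ] || continue
        mode=$(stat -c %a "$path")                 # GNU stat; BSD stat would be -f %Lp
        if [ $(( 8#$mode & 8#022 )) -ne 0 ]; then  # group/other write bits are what sshd rejects
            echo "BAD  $path mode $mode (group/other writable)"; rc=1
        else
            echo "ok   $path mode $mode"
        fi
    done
    # a private key left on the server must at least not be readable by anyone else
    for path in "$dir"/id_*; do
        [ -f "$path" ] || continue
        case $path in *.pub) continue ;; esac
        mode=$(stat -c %a "$path")
        if [ $(( 8#$mode & 8#077 )) -ne 0 ]; then
            echo "BAD  $path mode $mode (private key readable by others)"; rc=1
        fi
    done
    return $rc
}

# Demo in a scratch directory; pass "$HOME/.ssh" to work on your real account.
demo() {
    local t key; t=$(mktemp -d)
    # constructed example line, not a real key
    key='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDconstructedExampleKeyBlobNotReal0000== admin@laptop'
    install_pubkey "$t/.ssh" "$key"
    install_pubkey "$t/.ssh" "$key"              # second install is a no-op
    install_pubkey "$t/.ssh" 'not a key' || true  # rejected
    chmod 775 "$t/.ssh"                           # the classic mistake
    check_ssh_perms "$t/.ssh" || echo "fix with: chmod 700 $t/.ssh"
    rm -rf "$t"
}
demo
```

Once key login works from the new client session, set PasswordAuthentication no in sshd_config and restart sshd; until then keep password login enabled, or a permissions slip like the one in the demo locks you out.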



Step 3: How to set up PuTTY to use the private key
Step 3.1: Download puttygen (part of the PuTTY suite, from the PuTTY download page) to convert OpenSSH keys to PuTTY's .ppk format
Step 3.2: In puttygen choose Load, select the OpenSSH key file, and enter the passphrase if asked
Step 3.3: Change the Comment field to something descriptive
Step 3.4: Save the private key, e.g. as servername.ppk

Use pageant (also from the PuTTY download page) to load your keys; PuTTY will then use them automatically.

Troubleshooting:

Some dedicated-server providers run a small iptables script at boot. If you change the sshd port and can no longer connect, that script is the likely cause. Adjust it to accept the new port; running "iptables --flush" also gets you back in, but it drops every firewall rule on the box, so treat it as a recovery step and add a proper ACCEPT rule for the new port afterwards.


Tags: PermitRootLogin, banner, hardening, ssh, sshd, sshdconfig

Last Updated ( Saturday, 16 August 2008 10:57 )