Let’s get back on ssh, I think this is maybe the third or the fourth article of ssh, one of my favorite tools on a Linux server, and that many times is not used or configured properly.
In this small guide will show you some configuration to make your ssh server a little ‘more secure from the most common attacks.
In particular I will show you the configurations for the server ssh openssh which is more common and used in all Linux distributions, but as a small suggestion, if you are using a VPS and want to save some ‘memory dropbear look also, is a viable alternative to openssh and saves some space in your RAM.
1 – Disable root access
I always thought that the direct connection to the root account is a bad habit, because
- Forwards already know the user name, so they just find out the password
- If your account has violated all your machine is FUBAR
- If more than 1 person administering the car is better to use sudo to keep track of who does things.
So, to disable the direct connection of root to set this option:
2 – Enable only certain users or groups
Probably the car only a few users need access via ssh, if you can just use the directive:
This option may be followed by a list of user names, separated by spaces. If specified, access is allowed only for user names that match one of the names mentioned.
" Can be used as wildcards in names. or if you want to manage access through a group you can use another option:
As above, this option may be followed by a list of group names, separated by spaces. If specified, access is allowed only to users whose primary group or secondary group corresponds to one of the names. “
*” And “
?” Can be used as wildcards in names.
2 These guidelines are very useful because we do not need to worry about the products and during the installation to create a new account, perhaps with a weak password.
3 – Change the standard port
Another safety rule is to change the default port, ie 22, since most of the automated tools perform attacks Brute Force or Dictionary Attacks precisely on this port.
It ‘best to use a port above 1024, because the tools used to scan the first 1024 ports, say for example 2222.
Directive and change it then we put instead of 22 2222:
Now to connect to
tuoserver.com with your ssh client you must specify the port, this is easily done by adding the-p option to the client openssh:
ssh-p 2222 yourserver.com
And that’s all, as you can see these are really 3 simple steps, but will make the server more secure against common attacks.