3 simple steps to strengthen your own ssh server

September 29th, 2011

Let’s get back to ssh. I think this is maybe the third or the fourth article about ssh, one of my favorite tools on a Linux server, and one that is often not used or configured properly.

In this small guide I will show you some configuration options to make your ssh server a little more secure against the most common attacks.

In particular I will show you the configuration for the openssh server, which is the most common one and is used in all Linux distributions. As a small suggestion, if you are using a VPS and want to save some memory, take a look at dropbear too: it is a viable alternative to openssh and saves some space in your RAM.

For Debian and Ubuntu (but also for other distributions) the configuration file is /etc/ssh/sshd_config, and after making all the changes you must restart the ssh daemon.


1 – Disable root access

I always thought that connecting directly to the root account is a bad habit, because:

  • Attackers already know the user name, so they only have to find out the password
  • If that account is compromised, your whole machine is FUBAR
  • If more than 1 person administers the machine, it is better to use sudo to keep track of who does what.

So, to disable direct root login, set this option:

PermitRootLogin no


2 – Enable only certain users or groups

Probably only a few users on the machine need access via ssh; if so, you can use the directive:

AllowUsers username

This option may be followed by a list of user names, separated by spaces. If specified, access is allowed only for user names that match one of the names mentioned. “*” and “?” can be used as wildcards in names. Or, if you want to manage access through a group, you can use another option:

AllowGroups groups

As above, this option may be followed by a list of group names, separated by spaces. If specified, access is allowed only to users whose primary group or secondary group corresponds to one of the names. “*” and “?” can be used as wildcards in names.

These 2 directives are very useful because we do not need to worry about products that create a new account during installation, perhaps with a weak password.

3 – Change the standard port

Another safety rule is to change the default port, i.e. 22, since most automated tools perform brute-force or dictionary attacks precisely on this port.

It is best to use a port above 1024, because the tools usually scan the first 1024 ports; say, for example, 2222.

So we change the Port directive, putting 2222 instead of 22:

Port 2222

Now to connect to yourserver.com with your ssh client you must specify the port; this is easily done by adding the -p option to the openssh client:

ssh -p 2222 yourserver.com
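
To check a configuration file against the three steps above before restarting the daemon, here is an added example script (not part of the original post). It assumes a simplified parser (no Include files, everything from the first Match block on is skipped), and the helper names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): check an sshd_config-style file
# for the three settings above. Simplified parser: ignores Include files and
# stops at the first Match block, whose settings are conditional.

# Print every global value of keyword $1 in file $2 (keywords are case-insensitive).
values() {
    awk -v key="$1" '
        /^[ \t]*#/ { next }                      # skip comment lines
        tolower($1) == "match" { exit }          # stop at conditional blocks
        tolower($1) == tolower(key) { $1 = ""; sub(/^[ \t]+/, ""); print }
    ' "$2"
}

# Run the three checks on file $1; the exit status is the number of failures.
audit_sshd_config() {
    cfg=$1; fails=0

    root=$(values PermitRootLogin "$cfg" | head -n 1)   # sshd keeps the first value
    if [ "$root" = "no" ]; then echo "PASS PermitRootLogin no"
    else echo "FAIL PermitRootLogin is '${root:-unset}', expected 'no'"; fails=$((fails + 1)); fi

    allow=$(values AllowUsers "$cfg"; values AllowGroups "$cfg")
    if [ -n "$allow" ]; then echo "PASS login restricted by AllowUsers/AllowGroups"
    else echo "FAIL no AllowUsers or AllowGroups directive"; fails=$((fails + 1)); fi

    ports=$(values Port "$cfg")            # Port may appear several times
    bad=0
    for p in ${ports:-22}; do              # no Port line means the default, 22
        [ "$p" -gt 1024 ] 2>/dev/null || { echo "FAIL Port $p is not above 1024"; bad=1; }
    done
    if [ "$bad" -eq 0 ]; then echo "PASS all ports above 1024"; else fails=$((fails + 1)); fi

    return "$fails"
}

# Constructed sample configuration, only for demonstration.
sample=$(mktemp)
printf '%s\n' '# sample' 'Port 2222' 'permitrootlogin yes' 'AllowUsers alice bob' > "$sample"
audit_sshd_config "$sample" || echo "$? check(s) failed"
rm -f "$sample"
```

On a real server, running sshd -t before the restart additionally checks the file for syntax errors, which helps avoid locking yourself out with a broken configuration.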


Conclusions

And that’s all. As you can see, these are really 3 simple steps, but they will make the server more secure against common attacks.