securing SSH in 3 easy steps

April 14, 2015

if you don’t want to mess about with keys there are three things you can easily do to secure SSH.

firstly, always, disallow root logins. in /etc/ssh/sshd_config you should have something like this

# Authentication:
LoginGraceTime 120
#PermitRootLogin without-password
PermitRootLogin no
StrictModes yes

secondly, install fail2ban. out of the box it’ll have a decent configuration that’ll ban an IP after a certain number of failed attempts. you can check the logs at /var/log/fail2ban

thirdly, and i think most importantly, let’s change the port that SSH listens on. again, in /etc/ssh/sshd_config, look for the line # What ports, IPs and protocols we listen for and change the port to something more obscure (go for a high port that isn’t used for anything else like port 2984) and restart SSH. make sure your firewall rules are updated to reflect this change too. you will have to log in specifying this new port like ssh [email protected] -p 2984

also, if you’re changing the port number, be aware that some firewalls will block port 2984 outgoing, so you won’t be able to connect. this is the case at my place of work, for example. i had to use a VPN tunnel via another server to connect to SSH when it was listening on port 2984
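a quick way to check that the root-login and port changes above are what sshd will actually use. this is an added example, not part of the original post; the function names and the sample files are made up for illustration, and it assumes plain "Keyword value" lines with no Include files.

```shell
# Added example (not from the original post): audit an sshd_config for the
# root-login and port settings. Include files are not followed.

# Print every value of keyword $2 in the global section of file $1 (before any
# Match block). Keywords are case-insensitive; "#" lines are comments.
global_values() {
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        NF == 0 || $1 ~ /^#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { print tolower($2) }
    ' "$1"
}

audit_sshd() {
    cfg=$1; rc=0
    # sshd keeps the FIRST value it reads for a keyword such as PermitRootLogin.
    root=$(global_values "$cfg" PermitRootLogin | head -n 1)
    # Port is cumulative: every Port line adds a listener. No Port line means 22.
    ports=$(global_values "$cfg" Port)
    [ -n "$ports" ] || ports=22
    if [ "$root" = "no" ]; then echo "OK   PermitRootLogin no"
    else echo "FAIL PermitRootLogin is '${root:-unset}', want 'no'"; rc=1; fi
    for p in $ports; do
        if [ "$p" = "22" ]; then echo "FAIL still listening on port 22"; rc=1
        else echo "OK   Port $p"; fi
    done
    return $rc
}

# Constructed sample files: the post's settings, and a weaker variant.
good=$(mktemp); bad=$(mktemp)
cat > "$good" <<'EOF'
# Authentication:
LoginGraceTime 120
#PermitRootLogin without-password
PermitRootLogin no
StrictModes yes
Port 2984
EOF
cat > "$bad" <<'EOF'
Port 2984
Port 22
permitrootlogin without-password
PermitRootLogin no
EOF
audit_sshd "$good"
audit_sshd "$bad" || echo "second file needs fixing"
```

the second file fails twice: the earlier lowercase permitrootlogin line wins over the later "no", and the extra Port 22 line keeps the default port open. on a live box, `sshd -T` (as root) prints the effective settings after Include and Match processing.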

posted in linux by col

© cloudplasma 2009 - 2016