OpenSSH Security

ZenOswyn

Hey everybody,
I was reading through the SSH commands and I thought a small guide on setting up some basic security around the OpenSSH daemon might be a good post.

First of all, this is by no means a complete guide to SSH security, just a few suggestions that will take care of some basic exploits, and prevent a majority of them as well. Looking over the man pages for sshd_config is still a great idea.

These three points are just the easiest ways to eliminate the greatest number of possible attack points.

1. Disable root login
Can't stress this one enough. Always use su or sudo to execute commands as root from your normal account. How to do it: in your OpenSSH config file (usually /etc/ssh/sshd_config, or just /etc/sshd_config) change the line "PermitRootLogin yes" to "PermitRootLogin no". As you can see, it's not very hard to change the config files. :)

2. Only allow your username to log in
This is kind of a follow-up to the first. You may have to add this line, but the command is "AllowUsers username", where "username" is the username you want to be able to log in via SSH.

3. Change The SSH Listening Port
Changing the port that the daemon listens to for incoming connections will enable you to avoid a slew of attacks. A lot of people use 2222, which means you should find another port to change it to. This is done through the "Port" line, and by default it is set to 22.

By changing it, you avoid being recognized by port scanning software that checks for common ports. Just make sure the port isn't being used by something else before you change it.
 
These are simple, but very important and effective points. I used to get a log of attempted logins, and boy - it was really surprising.
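
An added example, not part of the original post: a small shell audit that reads an sshd_config-style file and reports whether the three settings above (PermitRootLogin, AllowUsers, Port) are in place. The function names and the script name are hypothetical, and it assumes a flat config file with whitespace-separated keywords and no Include files.

```shell
#!/bin/sh
# Added example: check a flat sshd_config-style file for the three settings
# from the post. Include files and Match blocks are not evaluated (assumption).

# Print every value of KEYWORD found in the global section of FILE, in order.
# Keywords are case-insensitive; commented-out lines are skipped.
values() {
    awk -v kw="$2" '
        /^[ \t]*#/                 { next }  # comment line
        tolower($1) == "match"     { exit }  # conditional blocks start here
        tolower($1) == tolower(kw) { $1 = ""; sub(/^[ \t]+/, ""); print }
    ' "$1"
}

audit_sshd_config() {
    cfg=$1
    rc=0

    # For a repeated single-value keyword sshd keeps the first value it reads.
    root=$(values "$cfg" PermitRootLogin | head -n 1)
    if [ "$root" = "no" ]; then
        echo "OK   PermitRootLogin no"
    else
        echo "FAIL PermitRootLogin is '${root:-unset}', expected 'no'"; rc=1
    fi

    users=$(values "$cfg" AllowUsers | tr '\n' ' ')
    if [ -n "$users" ]; then
        echo "OK   AllowUsers $users"
    else
        echo "FAIL no AllowUsers line found"; rc=1
    fi

    # Port may be given several times; an unset Port means the default, 22.
    ports=$(values "$cfg" Port)
    for p in ${ports:-22}; do
        case $p in
            22|2222) echo "FAIL Port $p is one of the ports the post says to avoid"; rc=1 ;;
            *)       echo "OK   Port $p" ;;
        esac
    done
    return "$rc"
}

# Usage: sh audit.sh /etc/ssh/sshd_config   (script name is hypothetical)
if [ "$#" -gt 0 ]; then audit_sshd_config "$1"; fi
```

After editing the real file, `sshd -t` checks it for syntax errors before the daemon is restarted.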
 