How to secure and optimize SSH login using sshd_config

The number of automated attacks against SSH these days convinced me that a password alone will not keep attackers out of my system. If you think your machine is safe because you chose a complex password, think again: a brute-force run from a few dedicated servers can keep guessing around the clock, and there is always a chance it breaks through. A good password is a decent start, but it is definitely not the end. In this tutorial I will show you some ways to make your SSH login more secure by making simple changes to the sshd_config file.

Open the sshd_config file

This is the daemon's configuration (the client's is /etc/ssh/ssh_config, do not mix the two up). After every change, syntax-check the file with sshd -t before reloading the daemon, and keep your current session open until a fresh login has succeeded, otherwise a typo can lock you out.

[root]# vim /etc/ssh/sshd_config

Banning the Root Login

Let's start by blocking root logins over SSH.

PermitRootLogin no

Always block direct root access. Every Linux system has a root account, so an attacker does not even have to guess a username: a brute-force attempt can be aimed straight at root. Log in as an unprivileged user and use su or sudo instead, and make sure that user exists and can reach the box before you apply this. If you need root for key-based automation, the value prohibit-password (called without-password in older releases) lets root in with a key but never with a password; since OpenSSH 7.0 that is the default.

Disable User logins with Null passwords

PermitEmptyPasswords no

With this option, accounts that have an empty password cannot log in over SSH. People sometimes set it to 'yes' to make scp and automated backups run without prompting, but I strongly recommend leaving it off. If you want unattended scp or backups done securely, you had better start playing with keys. No kidding: with SSH keys you can automate all kinds of tasks that run over SSH safely. This howto should give you a start: ssh login without password.

Changing the Port on which SSH Daemon listens

Port 8383

SSH defaults to port 22, but you can change the port on which the SSH daemon listens for incoming connections, here to 8383 or any port you prefer. Treat this as a minor additional measure: it cuts the noise from scanners that only try port 22, but it is obscurity rather than a control, and a port scan finds the new port quickly. Open the new port in your firewall before you restart the daemon, and on SELinux systems allow it for sshd first (semanage port -a -t ssh_port_t -p tcp 8383), or sshd will fail to bind.

Regenerating the server key after a fixed interval

KeyRegenerationInterval 1h

This option sets how long the server waits before automatically regenerating its ephemeral server key. It only applies to SSH protocol 1, where that key is what stops a captured session from being decrypted later if the host key leaks. Protocol 2 negotiates a fresh session key with a Diffie-Hellman exchange for every connection, so it gets this protection without the option; protocol 1 should be disabled anyway (Protocol 2). OpenSSH 7.4 and later removed server-side protocol 1 support and ignore this keyword; there, RekeyLimit is the closest equivalent, forcing a new key exchange after a given amount of data or time.

Check User File/Dir permissions before Login

StrictModes yes

With this set, sshd checks the ownership and permissions of the user's home directory and SSH files (~/.ssh, authorized_keys and the rhosts files) before accepting a login, and refuses key-based authentication when they are writable by group or others. Keep it at yes (the default): users sometimes leave their home directory or ~/.ssh world-writable, and then anyone with an account on the machine could append their own key to authorized_keys and log in as that user.
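As an added example (not part of the original post), here is a small POSIX sh script that audits an sshd_config against the settings covered above. It resolves each keyword the way sshd does (first occurrence wins, keywords are case-insensitive, only the global section before the first Match line counts), flags weak values, and can hand the file to sshd -t for a syntax check. The two sample configs it writes are constructed for the demonstration, and the assumed 'yes' default for PermitRootLogin reflects the OpenSSH releases of this tutorial's era.

```shell
#!/bin/sh
# Added example, not from the original post: audit an sshd_config against the
# settings discussed above and syntax-check it with sshd -t before reloading.
# Only the global section is inspected; Match blocks are deliberately skipped.

# effective_value FILE KEYWORD
# Resolves a keyword the way sshd does: first occurrence wins (later duplicates
# are ignored), keywords are case-insensitive, '#' lines and blank lines are
# skipped, and the global section ends at the first Match line.
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        NF == 0 || $1 ~ /^#/   { next }
        tolower($1) == "match" { exit }           # global section ends here
        tolower($1) == key     { print $2; exit } # first occurrence wins
    ' "$1"
}

# check FILE KEYWORD WANTED DEFAULT WHY
# Flags KEYWORD when its effective value, or DEFAULT if it is not set, differs
# from WANTED. Returns 1 on a finding so the caller can tally them.
check() {
    v=$(effective_value "$1" "$2")
    [ -n "$v" ] || v=$4
    if [ "$(printf '%s' "$v" | tr 'A-Z' 'a-z')" != "$3" ]; then
        echo "WEAK: $2 is '$v' -- $5"
        return 1
    fi
}

# audit_sshd_config FILE
# Prints one line per finding; returns 0 when nothing is flagged.
audit_sshd_config() {
    rc=0
    # Assumed defaults: PermitRootLogin defaulted to 'yes' in the OpenSSH
    # releases of this tutorial's era (modern releases use prohibit-password),
    # so "not set" is treated as weak; the other two already default safely.
    check "$1" PermitRootLogin      no  yes "disable direct root login, use a normal user plus su/sudo" || rc=1
    check "$1" PermitEmptyPasswords no  no  "never accept accounts with an empty password"             || rc=1
    check "$1" StrictModes          yes yes "refuse logins when ~ or ~/.ssh is group/world-writable"   || rc=1
    port=$(effective_value "$1" Port)
    if [ "${port:-22}" = 22 ]; then
        echo "INFO: Port is 22; moving it only cuts scanner noise, it is not a control"
    fi
    if [ -n "$(effective_value "$1" KeyRegenerationInterval)" ]; then
        echo "INFO: KeyRegenerationInterval only applied to SSH protocol 1; OpenSSH 7.4+ ignores it"
    fi
    return $rc
}

# validate_sshd_config FILE
# Let sshd itself parse the file (run as root, it needs the host keys). Never
# restart sshd on an unvalidated config: a typo can lock you out.
validate_sshd_config() {
    command -v sshd >/dev/null 2>&1 || { echo "sshd not in PATH, skipping sshd -t"; return 0; }
    sshd -t -f "$1"
}

# write_samples: two constructed configs (not copied from any real host);
# sets WEAK and HARD to their paths.
write_samples() {
    WEAK=$(mktemp); HARD=$(mktemp)
    cat >"$WEAK" <<'EOF'
# stock-looking file that leaves everything open
Port 22
PermitRootLogin yes
PermitEmptyPasswords yes
strictmodes no
# a later duplicate does NOT override the first occurrence above
PermitRootLogin no
EOF
    cat >"$HARD" <<'EOF'
Port 8383
PermitRootLogin no
PermitEmptyPasswords no
StrictModes yes
# per-source overrides live in Match blocks, which this audit does not inspect
Match Address 192.0.2.0/24
    PermitRootLogin prohibit-password
EOF
}

write_samples
echo "== weak sample ==";     audit_sshd_config "$WEAK" || echo "(fix the lines above before reloading sshd)"
echo "== hardened sample =="; audit_sshd_config "$HARD" && echo "no findings"
rm -f "$WEAK" "$HARD"
```

Run audit_sshd_config and validate_sshd_config as root against /etc/ssh/sshd_config before you reload the daemon. The duplicate PermitRootLogin line in the weak sample is there on purpose: an operator who appends "PermitRootLogin no" to the end of a file that already says "yes" near the top has changed nothing, and the audit reports exactly that.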

I am sure this will help a lot of you.

1 Comment

Anon Linuxer (not verified)
May 6th, 2010 03:46 am
StringModes yes should be StrictModes yes? Good info btw
