sshd_config is the server-side configuration file: the behaviour of the SSH server is defined here.
In this article I am writing up a few best practices for sshd_config.
Note: after every edit you make to sshd_config, you must restart the sshd service. Please review my last article about restarting ssh. It is also worth running "sshd -t" before the restart; it checks the file for syntax errors, such as a misspelled keyword, without starting the server.
1. Allow login only for root and deny all others.
This is actually simple. In the terminal, as the root user, type the command below:
# touch /etc/nologin
That's it. Then restart the sshd service. Now try with a normal user and you won't be allowed to log in. Remove the file to lift the restriction; note that it blocks non-root logins on the console too, not just over ssh.
2. SSH protocol switching.
SSH has two versions, version 1 and version 2.
Version 1 has only one feature, user-based authentication. Because of this we can only know who is logging in to the server, but we cannot see from which machine or host he is doing it, and that machine may be authorized or unauthorized. Due to this it is not safe to use version 1 in production.
Version 2 overcomes this problem of version 1 by adding a host-based authentication process alongside the user-based authentication process.
First it takes the host identity, and only then does it allow the user to log in.
You can set your version of SSH with
Protocol 2
Recent OpenSSH releases have removed protocol version 1 support entirely, so on those servers version 2 is the only choice.
3. Disabling direct root login
So the first login should be as a normal user, and only then can he switch to the root user if he knows the root password. This is one of the best practices. To do that, open the sshd_config file with
# vi /etc/ssh/sshd_config
Find or write a line as
PermitRootLogin no
then save & close, then restart the sshd service. Note that sshd uses the first value it finds for a keyword, so if the file already has a "PermitRootLogin yes" line, edit that line rather than appending a new one below it.
4. Allow only specific users.
Assume we have 100 users in the network and you don't want all of them to log in through ssh. You can simply allow particular users to log in and deny all others.
Open your configuration file
# vi /etc/ssh/sshd_config
Then write a line as
AllowUsers user1 user2 user3
user1, user2 and user3 are usernames.
Save, close and restart the sshd service.
5. Deny only specific users.
Same case as above, but you want to deny only some of them and allow all others.
# vi /etc/ssh/sshd_config
DenyUsers user1 user2 user3
6. Disconnect idle ssh sessions after a timeout.
Open your sshd_config file and write the lines below; sshd will then disconnect sessions after the timeout. In the example it is 300 seconds, i.e. 5 minutes.
# vi /etc/ssh/sshd_config
then add
ClientAliveInterval 300
ClientAliveCountMax 0
Save, close & restart the sshd service. Be aware that OpenSSH 8.2 changed the meaning of this setting: from that version on, a ClientAliveCountMax of 0 disables connection termination altogether, so check which version your server runs (ssh -V) before relying on it.
7. Display banner information to everyone who tries to connect.
First make a file with the information you want to display; assume I have the information in a file at /etc/issue. Now I can display the contents of /etc/issue to all connecting clients as below.
Open the file
# vi /etc/ssh/sshd_config
then add
Banner /etc/issue
Save, close and restart the sshd service. The banner is sent before authentication, so keep system details out of it.
8. Port number change
This is also one of the best security practices. The default SSH port is 22, and an attacker's first choice will be 22, so we change it to something else. This mainly cuts the noise from automated scans; it is no substitute for the other settings in this article.
Open the configuration file
# vi /etc/ssh/sshd_config
then write a line as
Port 2222
Save and close. Now, as per the configuration file, the ssh port is 2222, but unless we also change iptables it won't work for remote connections.
# vi /etc/sysconfig/iptables
Then modify the line which has port 22, or else remove it and add the new line below.
-A INPUT -m state --state NEW -m tcp -p tcp --dport 2222 -j ACCEPT
then save and close the file and restart iptables with
# service iptables restart
Keep your current ssh session open until you have confirmed that a new connection to port 2222 works, so that a mistake does not lock you out.
9. Allow only particular IPs
This is an awesome thing: whoever the attacker is, he can't do anything unless he is coming from an authorized machine or network address.
We can do this in 3 ways, and we can treat it as a 3-level security arrangement.
Method 1: iptables. Assume you want only the 192.168.1.2/24 network to access your ssh service. Then open your iptables file on the server and add the line below before the COMMIT line:
-A INPUT -s 192.168.1.2/24 -m state --state NEW -m tcp -p tcp --dport 2222 -j ACCEPT
then save, close and restart iptables with
# service iptables restart
This ACCEPT rule only becomes an "only" if the generic port 2222 ACCEPT line from step 8 is removed, so that connections from every other source fall through to the chain's REJECT or DROP rule.
Method 2: From sshd_config.
Edit the configuration file and write as below.
# vi /etc/ssh/sshd_config
then add a line as
ListenAddress 192.168.1.2/24
Save, close & restart the sshd service. Keep in mind that ListenAddress expects one of the server's own addresses (optionally with a port) and controls which local interface sshd accepts connections on; it does not take a network range of clients. To restrict client networks inside sshd_config itself, a Match Address block is the directive to use.
Method 3: TCP Wrappers
If you mention an IP in /etc/hosts.allow, the named service will be allowed for that IP, and if you mention the same IP in /etc/hosts.deny, the named service will be denied for that IP.
For example, look at the case below.
# vi /etc/hosts.allow
then add
sshd : 192.168.1.2/24
Save and close. No restart is needed. Now only the mentioned network will be allowed ssh access, provided /etc/hosts.deny also contains "sshd : ALL"; without a deny rule, every other client is still allowed.
Now /etc/hosts.deny
# vi /etc/hosts.deny
sshd : 192.168.1.2/24
Save and close. Now all ssh requests from this network will be denied.
I will write an article about TCPWrappers soon.
TCP Wrappers consults /etc/hosts.allow first and then /etc/hosts.deny; the first matching rule decides, and a client that matches neither file is allowed. So make sure you understand the flow.
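The evaluation order above, as an added example that is not part of the original post: a small Python model of the tcpd decision, run over constructed hosts.allow and hosts.deny contents. It shows why the same network listed in both files is still allowed, and why a catch-all deny is what turns the allow entry into an "only". The helper names and the sample file contents are assumptions made for this illustration.

```python
"""Simplified model of the TCP Wrappers decision: /etc/hosts.allow is
consulted first, then /etc/hosts.deny, and a client matching neither is
allowed. Client patterns handled: ALL, a single address, a network in CIDR
or netmask form, and a trailing-dot prefix such as 192.168.1. (assumption:
other tcpd forms such as hostnames and EXCEPT are not modelled)."""
import ipaddress

def _client_matches(pattern, client_ip):
    """True if a single client pattern matches the connecting address."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                      # prefix form: 192.168.1.
        return client_ip.startswith(pattern)
    if "/" in pattern:                             # 192.168.1.0/24 or /255.255.255.0
        net = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(client_ip) in net
    return ipaddress.ip_address(pattern) == ipaddress.ip_address(client_ip)

def _file_matches(text, daemon, client_ip):
    """True if any 'daemon_list : client_list' rule in text matches."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blanks
        if ":" not in line:
            continue
        daemons, clients = [f.strip() for f in line.split(":", 2)[:2]]
        daemon_list = daemons.replace(",", " ").split()
        if daemon not in daemon_list and "ALL" not in daemon_list:
            continue
        client_list = clients.replace(",", " ").split()
        if any(_client_matches(p, client_ip) for p in client_list):
            return True
    return False

def hosts_access(allow_text, deny_text, daemon, client_ip):
    """Return 'allow' or 'deny' in the order tcpd evaluates the two files."""
    if _file_matches(allow_text, daemon, client_ip):
        return "allow"
    if _file_matches(deny_text, daemon, client_ip):
        return "deny"
    return "allow"                                 # no rule matched: access granted

# Constructed sample files: the article's allow line plus a catch-all deny,
# which is what makes the allow entry an "only".
HOSTS_ALLOW = "sshd : 192.168.1.2/24\n"
HOSTS_DENY = "sshd : ALL\n"
```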
10. Deny empty password login.
Logging in with an empty password is not a good habit, so do as below in your config file
# vi /etc/ssh/sshd_config
add as
PermitEmptyPasswords no
Save, close and restart the sshd service.
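An added example, not part of the original post: a Python audit of an sshd_config file against the settings from this article. It follows the same rules sshd uses when reading the file (keywords are case-insensitive and the first value given for a keyword wins), which is why the constructed sample, with "PermitRootLogin no" appended below an earlier "PermitRootLogin yes", is still reported as allowing root login. The function names and the sample config are assumptions made for this illustration.

```python
"""Audit an sshd_config for the settings covered in this article.
sshd keywords are case-insensitive and the FIRST value seen for a keyword
wins, so 'PermitRootLogin no' appended below an existing 'PermitRootLogin
yes' changes nothing; lines after 'Match' are conditional and skipped here."""
import re

# keyword (lower-case) -> acceptable values, per the article
EXPECTED = {"protocol": {"2"}, "permitrootlogin": {"no"},
            "permitemptypasswords": {"no"}}
def parse_sshd_config(text):
    """Return {keyword: first value} for global (pre-Match) directives."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break                              # conditional section begins
        settings.setdefault(key, value)        # first occurrence wins
    return settings

def audit(text):
    """Return a list of findings; an empty list means all checks passed."""
    cfg = parse_sshd_config(text)
    findings = []
    for key, allowed in EXPECTED.items():
        actual = cfg.get(key)
        if actual is None:
            findings.append(f"{key} not set; sshd default applies")
        elif actual.lower() not in allowed:
            findings.append(f"{key} is '{actual}', expected {sorted(allowed)}")
    if cfg.get("clientaliveinterval", "0") == "0":
        findings.append("clientaliveinterval is 0; idle sessions are never probed")
    return findings

# Constructed sample: the trailing 'PermitRootLogin no' is ignored by sshd.
SAMPLE = """Protocol 2
PermitRootLogin yes
Port 2222
ClientAliveInterval 300
ClientAliveCountMax 0
PermitEmptyPasswords no
PermitRootLogin no
"""
if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FINDING:", finding)
```

To audit a real server, pass the contents of /etc/ssh/sshd_config to audit(); a misspelled keyword is not caught here but is rejected by "sshd -t".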
If you are having any other Information about sshd_config configuration, Please add in comments area and I will add it in main post.
Help helps you.