Warning: This blog entry was written two or more years ago. Therefore, it may contain broken links, out-dated or misleading content, or information that is just plain wrong. Please read on with caution.
One of the first security holes you should close on a new linux server is to secure the ssh login. There are three steps I follow to accomplish this.
Warning 1: These steps alone are not enough to secure your server, they only make attacking it slightly more difficult.
Warning 2: Altering your ssh service can cause it to stop functioning. Only change the ssh configuration if you have console access to the machine to fix anything that goes wrong.
Step 1: Disable Root Login over SSH
Our first step is to block direct login as root over ssh. This forces users to login as a non root user then 'su' into the root level priviledge. This adds an extra layer of security as any cracker who does manage to brute force your user password must then crack the root password.
To disable the root login over ssh we edit the 'sshd_config' file located at '/etc/ssh/sshd_config'. Locate the and uncomment the line 'PermitRootLogin yes' and change the value to 'no'.
//uncomment this line and change to 'no'
Step 2: Change the SSH Listen Port
Most attacks against ssh are done by robots which target port 22 which is a well known port number. By moving your ssh port from the standard port 22 you can block most automated breakin attempts.
To change the list port we again edit the '/etc/ssh/sshd_config' file. Locate the line which contains 'Port 22' and change it to some other unused port number.
//uncomment this line and change to our new ssh port number
On some versions of linux this line will be commented out, this simply means that the system is using the default value which again is port 22 so we simply uncomment the line and change our port number.
Step 3: Disable "Protocol 1"
On most recent linux releases 'Protocol 1' will be disabled by default for ssh. However it is still good practise to check. Open up the sshd_config file and look for the 'Protocol' line. Ensure it is uncommented and reads 'Protocol 2'.
//change this to ensure only Protocol 2 is used
Restart the SSH service
Finally our last step is to restart ssh to put our changes into effect.
Saturday, October 27, 2012 at 8:10:47 AM Coordinated Universal Time
May you continue to secure the daemon :)