Tips regarding securing ssh
- Disable SSH protocol 1 unless you need to use clients that are only SSH protocol 1. Note: disable from the config file sshd_config, don't compile over again just for this.
- If you always come from a known list of subnets, then list them in /etc/hosts.allow and set a default deny in /etc/hosts.deny.
- If possible, do not allow root to directly log in. This is set in sshd_config.
- If you need to allow automated processes to log in as root, use public/private keys, and set the source IP address of from where this login is allowed.
- Deny system users in /etc/ssh/sshd_config. Alternatively, enter the users who are allowed to log in by listing them after AllowUsers. Another method to secure this is to create a new group on the system, and only allow users in this group to login to SSH using the AllowGroups deritive. Many distributions come default with an ssh or sshd group. This makes it unnecessary to edit the SSH configuration when adding a new user who needs SSH access - just add the user to the group!
- Always bind SSH to one IP address and don't listen on 0.0.0.0. To do this edit sshd_config(5) file and set ListenAddress to your IP address. For example,
- In sshd_config file set the following options for more secure SSH
LoginGraceTime 1m StrictModes yes MaxAuthTries 2
- Don't listen on port 22 (especially if you're in DMZ). Move SSH to some higher port.