Securing SSH Connection

If we think the SSH server's default configuration is secure enough, it may be just a matter of time before a stranger connects to our server, because the default configuration can't give you full protection.

There are several ways to secure our SSH connection. We can use all of them, or pick just one; either is better than trusting the SSH default configuration.

1. By default the SSH server listens on port 22. Use another port, such as port 222 or port 333, by changing the Port line in sshd_config.

[email protected]:~$ sudo vi /etc/ssh/sshd_config

# What ports, IPs and protocols we listen for
Port 22

2. Don't allow root login: edit sshd_config again and set PermitRootLogin to 'no', or you can block it.

# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes

3. We can also use public key authentication to connect to our SSH server. Make sure the configuration in sshd_config allows public key authentication.

RSAAuthentication yes
PubkeyAuthentication yes

Then generate a key pair on the client.

In Ubuntu:

[email protected]:~$ sudo ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
3f:ab:02:93:2b:e2:5f:1e:ab:78:e8:19:c3:62:6d:36

Copy your public key (id_rsa.pub) to your ~/.ssh2 directory on the SSH server.

[email protected]:~$ scp ~/.ssh/id_rsa.pub [email protected]:~/.ssh/

Create an authorization file in your ~/.ssh2 directory on the SSH server.

[email protected]:~$ chmod 700 ~/.ssh
[email protected]:~$ cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
[email protected]:~$ chmod 600 ~/.ssh/authorized_keys
[email protected]:~$ rm ~/.ssh/id_rsa.pub

Reload the SSH service on both client and server (don't forget to reload the SSH service every time you change sshd_config):

[email protected]:~$ sudo /etc/init.d/ssh reload

Now we should be able to log in to the SSH server using public key authentication.


*Note: For a Windows client, we can generate the key pair in a Cygwin environment or create it using PuTTYgen.
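An added example, not part of the original post: a small shell audit of the three sshd_config settings covered in steps 1 to 3, run against constructed sample files. The function names are hypothetical, and it goes slightly beyond the text by handling repeated Port lines, which sshd treats as additional listening ports.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the three settings in this post.

# Print every value of keyword $1 from the global section of file $2.
# Keywords are case-insensitive; "Key=value" is accepted as well as "Key value".
# Match blocks are not interpreted: scanning stops at the first Match line.
sshd_values() {
    awk -F'[ \t=]+' -v key="$1" '
        { sub(/^[ \t]+/, "") }              # drop indentation (re-splits fields)
        /^#/ || $0 == "" { next }           # skip comments and blank lines
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print tolower($2) }
    ' "$2"
}

# For single-valued keywords sshd keeps the first occurrence it reads.
sshd_first() { sshd_values "$1" "$2" | head -n 1; }

# Print one line per deviation; return the number of findings (0 = pass).
audit_sshd() {
    cfg=$1; findings=0
    ports=$(sshd_values Port "$cfg")
    root=$(sshd_first PermitRootLogin "$cfg")
    pubkey=$(sshd_first PubkeyAuthentication "$cfg")
    # Step 1: Port may repeat and sshd listens on each; no Port line means 22.
    if [ -z "$ports" ] || printf '%s\n' "$ports" | grep -qx 22; then
        echo "FINDING: sshd listens on port 22"; findings=$((findings + 1))
    fi
    # Step 2: the post asks for an explicit 'no'.
    if [ "$root" != "no" ]; then
        echo "FINDING: PermitRootLogin is '${root:-unset}'"; findings=$((findings + 1))
    fi
    # Step 3: only an explicit 'no' turns key logins off.
    if [ "$pubkey" = "no" ]; then
        echo "FINDING: PubkeyAuthentication is 'no'"; findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed samples (not real server files), written to a temp directory.
tmp=$(mktemp -d)
printf '%s\n' 'Port 22' 'PermitRootLogin yes' 'PubkeyAuthentication yes' > "$tmp/default"
printf '%s\n' 'Port 222' 'Port 22' 'PermitRootLogin no' > "$tmp/leftover"
printf '%s\n' 'Port 222' 'PermitRootLogin no' 'PubkeyAuthentication yes' > "$tmp/hardened"
for f in default leftover hardened; do
    echo "== $f"; audit_sshd "$tmp/$f" || true
done
```

On a real server, point `audit_sshd` at /etc/ssh/sshd_config, and run `sudo sshd -t` before reloading so a syntax error in the edited file is caught first.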
