SSH Security

From PrgmrWiki

Changing SSH Port

The SSH daemon listens on port 22 by default. To determine which port sshd is currently configured to listen on, you can use the following command to dump the currently loaded configuration and search the output for the port parameter. Note that all of the following commands must be run as the root user.

# sshd -T | grep port

If after careful consideration you decide to change the port on which ssh listens for incoming connections, simply open /etc/ssh/sshd_config with your favorite text editor and change the Port line. It will usually be commented out with the default value of 22.

Many users have noted that running ssh on SSL-enabled ports works for getting around firewalls.

Normal Service   Port
https            443
pop3 ssl         993
smtp ssl         465

The following command will restart the ssh daemon process on systems using the init system.

# /etc/init.d/sshd restart

Systems using systemd can use the following command to restart the ssh daemon.

# systemctl restart sshd.service

Note that services supporting the systemd reload command (such as the OpenSSH server daemon) may load updated configurations into memory without any downtime.

# systemctl reload sshd.service

Disable Password Logins

WARNING: if you did not set up your public keys, you will have to log in via the prgmr console and fix everything manually.

To check whether password logins are enabled, run the following command as root:

# grep PasswordAuthentication /etc/ssh/sshd_config

If it returns

PasswordAuthentication no

then password logins are already disabled. If there is a # at the beginning of the line, the line is commented out and has no effect; you must remove the # before the setting will take effect.

To disable password logins, open /etc/ssh/sshd_config with your favorite editor and look for the following line:

PasswordAuthentication yes

Change it to

PasswordAuthentication no

If you do not see a PasswordAuthentication line, add one.

You need to reload the ssh server for the change to take effect.

# /etc/init.d/ssh reload

Disable Root Logins

WARNING: if you did not set up a user account and you are only using the root account, please make a user account first.

To check whether root logins are enabled, run the following command as root:

# grep PermitRootLogin /etc/ssh/sshd_config

If it returns

PermitRootLogin no

then root logins are already disabled.

To disable root logins, open /etc/ssh/sshd_config with your favorite editor and look for the following line:

PermitRootLogin yes

Change it to

PermitRootLogin no

If you do not see a PermitRootLogin line, add one.

You need to reload the ssh server for the change to take effect.

# /etc/init.d/ssh reload
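The three checks above (the listening port, PasswordAuthentication and PermitRootLogin) can be done in one pass against the configuration sshd has actually loaded rather than against the text of sshd_config, where a commented-out line looks the same to grep as a live one. The following script is an added example and is not part of the PrgmrWiki page; it assumes the `keyword value` format of `sshd -T` output, and the sample it runs on is constructed rather than taken from a real host.

```shell
#!/bin/sh
# Added example (not from the PrgmrWiki page): audit the effective sshd
# configuration for the settings covered above. `sshd -T` prints the parsed
# configuration as "keyword value" with lowercase keywords, so commented-out
# lines in sshd_config cannot mislead this check the way grep on the file can.

# audit_sshd_config: reads `sshd -T` output on stdin, prints one line per
# setting checked, and returns 0 when hardened or 1 when something is weak.
audit_sshd_config() {
    status=0
    while read -r key value; do
        case "$key" in
            port)
                if [ "$value" = "22" ]; then
                    echo "note port 22 (default; changing it is optional)"
                else
                    echo "ok port $value"
                fi ;;
            passwordauthentication)
                if [ "$value" = "no" ]; then
                    echo "ok passwordauthentication no"
                else
                    echo "WARN password logins are enabled"
                    status=1
                fi ;;
            permitrootlogin)
                if [ "$value" = "no" ]; then
                    echo "ok permitrootlogin no"
                else
                    echo "WARN root login is permitted ($value)"
                    status=1
                fi ;;
        esac
    done
    return "$status"
}

# Constructed sample standing in for `sshd -T` on an unhardened host.
SAMPLE_WEAK='port 22
passwordauthentication yes
permitrootlogin yes
pubkeyauthentication yes'

# On a real host (as root) run:  sshd -T | audit_sshd_config
printf '%s\n' "$SAMPLE_WEAK" | audit_sshd_config || echo "sshd_config needs hardening"
```

Run it after every edit to sshd_config and reload, since `sshd -T` only reflects what the daemon will load, not what is in memory until the reload happens.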

Using openssh keys

To generate yourself a set of ssh keys, use the following command:

# ssh-keygen -t rsa

Definition of passphrase:

A password that comprises a whole phrase

http://en.wiktionary.org/wiki/passphrase

An example passphrase could be:

my cat likes to eat flys

For a little more strength, replace some common letters with numbers:

my cat lik35 t0 3at fly5

After you have generated your key, you need to upload the public half to your host. The most common way is via scp:

# scp ~/.ssh/id_rsa.pub username@example.com:~

Now log in to your server and run the following commands. sshd will refuse to use the key if ~/.ssh or authorized_keys is writable by other users (the StrictModes default), so set the permissions as well:

# mkdir -p ~/.ssh && chmod 700 ~/.ssh
# cat ~/id_rsa.pub >> ~/.ssh/authorized_keys
# chmod 600 ~/.ssh/authorized_keys
# rm ~/id_rsa.pub

External Links