Hey guys, once again welcome back. Tonight I’ll show you a few tricks to make your SSH server a little more secure and to make it easier to control which users can access it. The two files we are going to use are /etc/ssh/sshd_config, the SSH daemon configuration file, and /etc/init.d/sshd, the service script.
We’re going to start by editing /etc/ssh/sshd_config. Simply open a terminal and type:
sudo nano /etc/ssh/sshd_config
This can be done with Vi too; it’s just whatever you prefer.
Now we’re going to look for a very important line, PermitRootLogin. Make sure this is set to no. The same goes for PermitEmptyPasswords; the config itself even says NOT RECOMMENDED. Now you CAN, you don’t have to, disable the X11 forwarding function. X11 is your graphical interface; if X11Forwarding is on, you, and anybody else who can log in, can run graphical programs on the server and have their windows show up on the SSH client. Not in a VNC remote desktop kind of way, where you see the whole desktop, but they can ‘split’ a single program off from the server’s GUI. For example you can launch cheese real easy and see the webcam on the SSH server from your client. In short, if you don’t want this, disable it.
Controlling SSH access.
Since I’ve got a fairly small setup I don’t have LDAP (kinda like AD, Active Directory, in Windows terms). I just don’t want everybody to be able to connect through SSH to my server (I have a few accounts just for Samba, Windows shares). There is a simple way to only allow people from a certain group to connect: add AllowGroups [GROUP_NAME]. I created the group ssh on my server and add people to the group with adduser [USERNAME] ssh. Make sure your own account is in that group before you restart sshd, because once AllowGroups is set, anybody who is not in one of the listed groups is refused.
Applying the settings
After you’ve edited the config file the server is still running with the old config, so you will need to (re)start the service. To do this open a terminal and run: sudo /etc/init.d/sshd restart. You can check the file for syntax errors first with sudo sshd -t, which prints nothing if the config is valid. Keep your current SSH session open while you restart and test a fresh login from a second terminal; if the new config locks you out, you can still fix it from the session you already have.
DenyHosts
First up: when your SSH server isn’t reachable from the internet, you don’t really need this. DenyHosts is a very nice tool that monitors your SSH server’s logs; when bots or ‘evil’ people try to log in to your server, DenyHosts automatically adds their IP addresses to a ban list of hosts that aren’t allowed to connect anymore. These are stored in /etc/hosts.deny. The install is real easy: sudo apt-get install denyhosts and you’re done! The default config is just fine.
Summary:
sudo nano /etc/ssh/sshd_config
- PermitRootLogin no
- PermitEmptyPasswords no
- AllowGroups ssh
- X11Forwarding no #optional
sudo /etc/init.d/sshd restart
sudo apt-get install denyhosts
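Here is an added example of my own (not from the original post, nor from the OpenSSH or DenyHosts projects): a small POSIX shell audit that reads an sshd_config the way sshd does (first occurrence wins, names are case-insensitive, Match blocks are conditional) and reports which of the settings in this summary are still missing. The function names (sshd_get, audit_sshd_config, write_sample_config) and the sample config are mine.

```shell
# sshd takes the FIRST occurrence of a directive, names are case-insensitive, and
# settings under a 'Match' line are conditional; the lookup below mirrors that.
sshd_get() {   # $1 = config file, $2 = directive name; prints nothing if unset
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # comment or blank line
        {
            line = $0; sub(/^[ \t]+/, "", line)
            gsub(/[ \t]*=[ \t]*/, " ", line)    # accept the "Key=value" form too
            n = split(line, f, /[ \t]+/)
            if (tolower(f[1]) == "match") exit  # rest of the file is conditional
            if (tolower(f[1]) == key) {
                v = f[2]; for (i = 3; i <= n; i++) v = v " " f[i]
                print v; exit
            }
        }' "$1"
}

# Check the settings from this post; returns the number of findings (0 = clean).
audit_sshd_config() {   # $1 = config file
    findings=0
    for want in "PermitRootLogin no" "PermitEmptyPasswords no" "X11Forwarding no"; do
        key=${want%% *}; expected=${want#* }; got=$(sshd_get "$1" "$key")
        if [ "$got" = "$expected" ]; then
            echo "OK    $key $got"
        else
            echo "WARN  $key is '${got:-unset}', expected '$expected'"
            findings=$((findings + 1))
        fi
    done
    allowed=$(sshd_get "$1" AllowGroups)        # unset = every local account may log in
    if [ -n "$allowed" ]; then
        echo "OK    AllowGroups $allowed"
    else
        echo "WARN  AllowGroups unset, any local account can log in over SSH"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample (not a real server's file) in the pre-hardening state; the
# commented-out and Match-scoped lines show what the lookup must not count.
write_sample_config() {   # $1 = destination file
    cat > "$1" <<'EOF'
PermitRootLogin yes
#PermitEmptyPasswords no
X11Forwarding yes
Match User backup
    PermitEmptyPasswords no
EOF
}

if [ $# -gt 0 ]; then audit_sshd_config "$1"; fi   # e.g. sh audit.sh /etc/ssh/sshd_config
```

Run it against the real file only after your edits and restart; a clean run prints four OK lines and exits 0, so it fits in a cron job or a post-install check.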