This is a short overview of how to secure the SSH server on a fresh Linux system. We will cover the basics of setting up a robust SSH configuration to access and manage the remote machine later on.
Secure the SSH Daemon Configuration File
All the SSH server settings we need to adjust are in the system-wide daemon configuration file “/etc/ssh/sshd_config”.
We will back it up first and then edit it:
    sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
    sudo vi /etc/ssh/sshd_config
Disable Root Login
Prohibit the root user from logging in through SSH:
    PermitRootLogin no
Specify Allowed User
It’s a good security practice to limit the use of the root user. Instead, we will allow SSH login only for limited users that we have added to the sudoers:
    AllowUsers user1 user2
Set a Login Grace Timeout
The server should not wait for more than 60 seconds after a connection request before disconnecting. Change the LoginGraceTime accordingly:
    LoginGraceTime 1m
Set Maximum Startup Connections
Set a proper maximum number of concurrent unauthenticated connections to the SSH daemon:
    MaxStartups 2
Set Idle Timeout Interval
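Set a proper idle timeout to avoid unattended sessions. Note that since OpenSSH 8.2, ClientAliveCountMax 0 disables connection termination instead of dropping the connection at the first check, so confirm the behaviour in sshd_config(5) for the version you run.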
    ClientAliveInterval 300
    ClientAliveCountMax 0
Disable Forwarding
    X11Forwarding no
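sshd uses the first value it reads for each keyword, so a hardening line added below an existing conflicting line has no effect. The following added example (not part of the original page; the function names and sample text are made up for illustration) checks the text of an sshd_config against the values above using that first-value-wins rule. It does not follow Include directives or Match blocks.

```python
import re

# Added example: values recommended on this page, lowercased keywords, times in seconds.
EXPECTED = {"permitrootlogin": "no", "logingracetime": "60", "maxstartups": "2",
            "clientaliveinterval": "300", "clientalivecountmax": "0", "x11forwarding": "no"}
TIME_KEYWORDS = ("logingracetime", "clientaliveinterval")
UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

def to_seconds(value):
    """Convert an sshd time value such as 60, 1m or 1h30m to seconds (as text)."""
    parts = re.findall(r"(\d+)([smhdw]?)", value.lower())
    return str(sum(int(n) * UNITS[u] for n, u in parts))

def effective_settings(config_text):
    """Global settings as sshd reads them: case-insensitive keywords, first value wins."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, value = re.sub(r"\s*=\s*|\s+", " ", line, count=1).partition(" ")
        if keyword.lower() == "match":
            break  # conditional blocks follow; they are not global settings
        settings.setdefault(keyword.lower(), value.strip().strip('"'))
    return settings

def audit(config_text):
    """Return findings; an empty list means the page's settings are in effect."""
    settings = effective_settings(config_text)
    findings = []
    for keyword, want in EXPECTED.items():
        got = settings.get(keyword, "unset (built-in default applies)")
        if keyword in TIME_KEYWORDS and keyword in settings:
            got = to_seconds(got)
        if got.lower() != want:
            findings.append(f"{keyword}: effective value is {got}, expected {want}")
    if "allowusers" not in settings:
        findings.append("allowusers: not set, no per-user restriction")
    return findings

# Constructed sample: the page's lines appended below older conflicting lines.
SAMPLE = ("PermitRootLogin yes\nX11Forwarding yes\n"  # older lines, read first
          "PermitRootLogin no\nAllowUsers user1 user2\nLoginGraceTime 1m\n"
          "MaxStartups 2\nClientAliveInterval 300\nClientAliveCountMax 0\n"
          "X11Forwarding no\n")

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

On the real system, `sudo sshd -t` validates the edited file before the daemon is restarted.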