Vesta Control Panel - Forum

SSH Hardening

General questions about VestaCP
3 posts • Page 1 of 1
inerd
Posts: 21
Joined: Sun Dec 29, 2013 3:14 am

SSH Hardening

Post by inerd » Sat Aug 30, 2014 10:48 am

Default Config Files and SSH Port:

■ /etc/ssh/sshd_config - OpenSSH server configuration file.
■ /etc/ssh/ssh_config - OpenSSH client configuration file.
■ ~/.ssh/ - User's ssh configuration directory.
■ ~/.ssh/authorized_keys - Lists the public keys (RSA or DSA) that can be used to log into the user’s account
■ /etc/hosts.allow and /etc/hosts.deny : Access control lists that should be enforced by tcp-wrappers are defined here.
■ SSH default port : TCP 22

1.) Only Use SSH Protocol 2 (All Linux Operating Systems)
SSH protocol version 1 (SSH-1) has man-in-the-middle attack problems and security vulnerabilities. SSH-1 is obsolete and should be avoided at all cost. Open sshd_config file and make sure the following line exists:

Code:

Protocol 2

2.) Disable root Login via SSH (All Linux Operating Systems)
There is no need to login as root via ssh over a network. Normal users can use su or sudo (recommended) to gain root level access. This also makes sure you get full auditing information about who ran privileged commands on the system via sudo. To disable root login via SSH, update sshd_config with the following line:

Code:

PermitRootLogin no

3.) Enable a Warning Banner (CentOS and RHEL Only)

Set a warning banner by updating sshd_config with the following line:

Code:

Banner /etc/issue

Sample /etc/issue file:

Code:

--------------------------------------------------------------------------------------------------------------
You are accessing a Private Server that is provided for authorized use only.
All system actions are being logged. So please follow our system policy 
--------------------------------------------------------------------------------------------------------------

4.) Disable Empty Passwords (All Linux Operating Systems)
You need to explicitly disallow remote login from accounts with empty passwords. Update sshd_config with the following line:

Code:

PermitEmptyPasswords no

5.) Disable .rhosts Files (All Linux Operating Systems)
Don't read the user's ~/.rhosts and ~/.shosts files. Update sshd_config with the following setting:

Code:

IgnoreRhosts yes

SSH can emulate the behavior of the obsolete rsh command; just disable insecure access via RSH.


Remember to restart your SSH Server after making changes :)
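As an added example (not code from the post above, and not part of VestaCP), here is a POSIX shell audit that reads an sshd_config file and checks the five settings the post lists. It assumes only sh and awk are available; the sample sshd_config it writes to a temporary file is constructed for the demonstration and is not taken from any real server.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the five settings in the post above.
# Not code from the post or from VestaCP. sshd keeps the FIRST value it reads
# for a keyword, so the audit reports the first uncommented occurrence; a
# keyword that never appears is reported as "unset".

# Print the effective value of a keyword in the given config file.
# Keywords are case-insensitive in sshd_config; values are compared as written.
sshd_effective() {
    # $1 = config file, $2 = keyword
    awk -v key="$2" '
        /^[[:space:]]*(#|$)/ { next }            # skip comments and blank lines
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Compare one keyword against its expected hardened value.
# Prints PASS/FAIL and returns 0 on PASS, 1 on FAIL.
sshd_check() {
    # $1 = config file, $2 = keyword, $3 = expected value
    val=$(sshd_effective "$1" "$2")
    [ -n "$val" ] || val="unset"
    if [ "$val" = "$3" ]; then
        printf 'PASS %s=%s\n' "$2" "$val"
        return 0
    fi
    printf 'FAIL %s=%s (want %s)\n' "$2" "$val" "$3"
    return 1
}

# Run the five checks from the post; the return code is the number of failures.
sshd_audit() {
    fails=0
    for pair in "Protocol:2" "PermitRootLogin:no" "Banner:/etc/issue" \
                "PermitEmptyPasswords:no" "IgnoreRhosts:yes"; do
        key=${pair%%:*}
        want=${pair#*:}
        sshd_check "$1" "$key" "$want" || fails=$((fails + 1))
    done
    return "$fails"
}

# Constructed sample config (not taken from any real server): root login is
# still allowed, IgnoreRhosts is commented out, and a later PermitRootLogin
# line shows that only the first occurrence counts.
SAMPLE_CFG=$(mktemp)
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
# constructed sshd_config for the audit example
Port 22
Protocol 2
PermitRootLogin yes
Banner /etc/issue
PermitEmptyPasswords no
#IgnoreRhosts yes
# sshd ignores this second value because PermitRootLogin was already set
permitrootlogin no
EOF

sshd_audit "$SAMPLE_CFG" || echo "$? of 5 checks failed"
```

Run against the constructed sample it prints two FAIL lines (PermitRootLogin is yes, IgnoreRhosts is unset) and exits with status 2. Two caveats: the script does not understand Match blocks, whose directives apply only to matching connections, and current OpenSSH releases have dropped protocol 1 entirely and treat the Protocol keyword as a deprecated no-op, so a missing Protocol line is not a finding on such a server.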

Ghillie-up
Posts: 22
Joined: Fri Jun 20, 2014 8:35 am

Re: SSH Hardening

Post by Ghillie-up » Tue Sep 02, 2014 8:42 pm

IPtables? Single source address / range.

Alternative ssh port? Stop brute force bots hammering you.

patstan
Posts: 117
Joined: Wed Jul 30, 2014 10:53 am

Re: SSH Hardening

Post by patstan » Wed Sep 03, 2014 5:24 pm

Copy and paste?

Nice to know the source: http://www.cyberciti.biz/tips/linux-uni ... tices.html