This page is more of a guide for myself to follow (^:
The first thing I’m going to do is edit the /etc/ssh/sshd_config file to make getting into the server via ssh more difficult for intruders. Here are some of the changes I made to harden my server.
Before you start making changes to config files, it’s good practice to make backups of the default files. In case you really mess up later, it’s good to have something to revert to. Run
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bkp
Now if you need to go back to the default settings, you just need to run
sudo rm /etc/ssh/sshd_config && sudo cp /etc/ssh/sshd_config.bkp /etc/ssh/sshd_config
and the default config file will be restored.
Change
PermitRootLogin yes
to
PermitRootLogin no
Add
DenyUsers root
AllowUsers (your username here)
Change the Port line to a new port number, e.g.
Port 4000
Now that you have saved the changes to the file you need to restart sshd. Run
sudo systemctl restart sshd
If you have any problems and can’t log in again, don’t worry! You can still access your server from the console on your VPS’s control panel. Select your server and click the “console” option. Once there you can log in with your server’s username and password and go back to editing your /etc/ssh/sshd_config file. For more tips on hardening ssh check out this tutorial from cyberciti.
Note: When you log out and log in again you will need to tell ssh which port to connect to instead of the default port 22. Do this with the -p option, e.g.
ssh -p 4000 user@123.321.222
Another note: to upload your user’s public key you will need to allow login with a password. Once you have done this you can disable password login and exclusively accept RSA key files.
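As an added check that is not part of this guide: a small POSIX sh script that audits an sshd_config for the settings changed above (PermitRootLogin, AllowUsers, Port) plus PasswordAuthentication no, which is the directive behind “disable password login”. It follows sshd’s own rules: the first occurrence of a single-valued keyword wins, every Port line opens a listener, and anything under a Match block is conditional and so is ignored. The two sample configs it writes are constructed, and the username alice is a placeholder.

```shell
#!/bin/sh
# Added audit helper, not from the original guide. The sample configs are constructed.
# Print every value of keyword $2 in file $1 (sshd keywords are case-insensitive).
# Comment lines never match ($1 starts with '#'); stop at the first "Match" block.
sshd_values() {
    awk -v key="$2" '
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print $2 }
    ' "$1"
}
# Return 0 when the file carries the hardening from this guide, 1 otherwise, printing
# one finding per line. sshd honours the FIRST occurrence of a single-valued keyword.
audit_sshd_config() {
    f="$1"; rc=0
    root=$(sshd_values "$f" PermitRootLogin | head -n 1)
    [ "$root" = "no" ] || { echo "PermitRootLogin=${root:-unset} (expected no)"; rc=1; }
    pw=$(sshd_values "$f" PasswordAuthentication | head -n 1)
    [ "$pw" = "no" ] || { echo "PasswordAuthentication=${pw:-unset} (expected no)"; rc=1; }
    [ -n "$(sshd_values "$f" AllowUsers)" ] || { echo "AllowUsers not set"; rc=1; }
    # Every Port line opens a listener, so 22 anywhere (or no Port line) is a finding.
    ports=$(sshd_values "$f" Port | tr '\n' ' ')
    case " $ports" in
        " ")      echo "Port not set (sshd defaults to 22)"; rc=1 ;;
        *" 22 "*) echo "Port 22 still open (expected only a non-default port)"; rc=1 ;;
    esac
    return $rc
}
# Constructed sample resembling a stock config before the edits in this guide.
write_before() {
    printf '%s\n' '# sshd_config (constructed sample)' '#Port 22' \
        'PermitRootLogin yes' '#PasswordAuthentication yes' > "$1"
}
# Constructed sample after the edits; the Match block must not fool the audit.
write_after() {
    printf '%s\n' 'Port 4000' 'PermitRootLogin no' 'DenyUsers root' \
        'AllowUsers alice' 'PasswordAuthentication no' \
        'Match Address 10.0.0.0/8' '    PasswordAuthentication yes' > "$1"
}
# Run both samples through the audit; returns 0 only if they behave as expected.
demo() {
    b=$(mktemp); a=$(mktemp); write_before "$b"; write_after "$a"
    audit_sshd_config "$b"; before_rc=$?   # prints four findings for the stock config
    audit_sshd_config "$a"; after_rc=$?    # prints nothing: the hardened config is clean
    rm -f "$b" "$a"
    [ "$before_rc" -eq 1 ] && [ "$after_rc" -eq 0 ]
}
```

Run it against your real file with audit_sshd_config /etc/ssh/sshd_config after editing, and remember that sshd -t still has the final say on whether the file parses.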
Install sshguard to block brute-force ssh attacks. The following applies to a setup using my ufw guide.
sudo apt install sshguard
Edit /etc/ufw/before.rules and add the following in the *filter section, before its COMMIT line (the :sshguard chain declaration belongs with the other ‘:’ lines at the top of that section):
# allow all on loopback
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-output -o lo -j ACCEPT
# hand off control for sshd to sshguard
:sshguard - [0:0]
# match the port sshd listens on: 4000 in this guide, or 22 if you kept the default
-A ufw-before-input -p tcp --dport 4000 -j sshguard
Edit /etc/sshguard/sshguard.conf
sudo systemctl start sshguard
For more about sshguard check the arch wiki.