Linux SSH configuration

From JonDonym Wiki
Revision as of 11:22, 12 March 2010


Secure SSH configuration for Linux

Normally, mix servers are placed in a data center and SSH is used to manage these servers. We give a few small notes for SSH configuration.

  • Botnets scan the Internet for open SSH ports (port 22) and try to guess login credentials for standard accounts like root, ftp... It is recommended to use a non-standard listen port such as 22022 (the Port directive in sshd_config).
  • Do not use password login. Create an SSH key pair and upload the public key to your server. Add your key to the file $HOME/.ssh/authorized_keys of your user account. Disable all password logins for SSH.
  • Disable root login. Log in as a normal user and become root with sudo.
  • Disable SSH protocol version 1. It is not secure anymore.
  • Use only one IP address for ListenAddress if your server has more than one IP address.
  • It is possible to enable sftp for file uploads.

The configuration file for the SSH daemon is /etc/ssh/sshd_config. A small example:

ListenAddress 123.123.123.123
Port 22022
Protocol 2
StrictModes yes
RSAAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile	%h/.ssh/authorized_keys
PermitRootLogin no
PermitEmptyPasswords no
IgnoreRhosts yes
PasswordAuthentication no
HostbasedAuthentication no
ChallengeResponseAuthentication no
X11Forwarding no
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM no
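
The following script is an added example (not part of the wiki page) that checks the global section of an sshd_config against the notes above. It implements two sshd parsing rules that are easy to get wrong by hand: the first occurrence of a directive wins, and everything after a Match line is conditional. The WEAK_CONFIG sample is constructed for the demonstration; the directive names and values checked are the ones listed in the example configuration above.

```python
"""Audit the global section of an sshd_config against the hardening notes above."""
import re

# Value recommended on this page for each directive (keys lowercased; sshd is case-insensitive).
EXPECTED = {
    "protocol": "2", "permitrootlogin": "no", "passwordauthentication": "no",
    "permitemptypasswords": "no", "pubkeyauthentication": "yes",
    "hostbasedauthentication": "no", "challengeresponseauthentication": "no",
    "strictmodes": "yes",
}

def parse_global(text):
    """Return {directive: value} for the global section of an sshd_config.
    sshd keeps the FIRST occurrence of a directive, and every line after a
    'Match' line is conditional, so parsing stops at the first Match."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()           # drop comments and blank lines
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)   # "Key value" or "Key=value"
        if len(parts) < 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        conf.setdefault(key, value)                    # first occurrence wins
    return conf

def audit(text):
    """Return a list of findings; an empty list means the config follows the notes above."""
    conf = parse_global(text)
    findings = []
    for key, want in EXPECTED.items():
        got = conf.get(key)
        if got is None:
            findings.append(f"{key} not set (sshd's compiled-in default applies)")
        elif got.lower() != want:
            findings.append(f"{key} is '{got}', expected '{want}'")
    if conf.get("port", "22") == "22":
        findings.append("port is 22; use a non-standard port such as 22022")
    if "listenaddress" not in conf:
        findings.append("listenaddress not set; sshd binds every address on the host")
    return findings

# Constructed sample: a loose config that also shows the first-occurrence rule.
WEAK_CONFIG = """\
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no    # ignored by sshd: the first value above wins
Match User backup
    PermitRootLogin no
"""

if __name__ == "__main__":
    for finding in audit(WEAK_CONFIG):
        print("FINDING:", finding)
```

On a live host, pipe the output of `sshd -T` (the effective configuration, defaults included) into audit() instead of the file to avoid the "not set" findings.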

You may use firewall rules or fail2ban to block brute-force login attempts against your SSH port.
