Linux SSH configuration
Secure SSH configuration for Linux
Normally, mix servers are placed in a data center and SSH is used to manage these servers. We give a few small notes for SSH configuration.
- Botnets scan the web for open ssh ports (port 22) and try to get login credentials for standard accounts like root, ftp... It is recommended to use a non-standard ListenPort like 22022.
- Do not use password login. Create a SSH key and upload the public key to your server. Add your key to the file $HOME/.ssh/authorized_keys of your user account. Disable all password logins for SSH.
- Disable root login. Log in as normal user and became root by sudo.
- Disable SSH protocol version 1. It is not secure anymore.
- Use only one IP address for ListenAddress, if your server got more than one IP address.
- It is possible to enable sftp for file uploads.
The configuration file for SSH daemon is /etc/ssh/sshd.config. A small example:
ListenAddress 22.214.171.124 Port 22022 Protocol 2 StrictModes yes RSAAuthentication no PubkeyAuthentication yes AuthorizedKeysFile %h/.ssh/authorized_keys PermitRootLogin no PermitEmptyPasswords no IgnoreRhosts yes PasswordAuthentication no HostbasedAuthentication no ChallengeResponseAuthentication no X11Forwarding no Subsystem sftp /usr/lib/openssh/sftp-server UsePAM no
You may use firewall rules or fail2ban to block hacking activities on your SSH port.