Linux SSH configuration

From JonDonym Wiki
Revision as of 09:51, 11 October 2010 by Kn (Talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

En2.png De2.png  Main Page | Debian Setup for Mixes

Secure SSH configuration for Linux

Normally, mix servers are placed in a data center and SSH is used to manage these servers. We give a few small notes for SSH configuration.

  • Botnets scan the web for open ssh ports (port 22) and try to get login credentials for standard accounts like root, ftp... It is recommended to use a non-standard ListenPort like 22022.
  • Do not use password login. Create a SSH key and upload the public key to your server. Add your key to the file $HOME/.ssh/authorized_keys of your user account. Disable all password logins for SSH.
  • Disable root login. Log in as normal user and became root by sudo.
  • Disable SSH protocol version 1. It is not secure anymore.
  • Use only one IP address for ListenAddress, if your server got more than one IP address.
  • It is possible to enable sftp for file uploads.

The configuration file for SSH daemon is /etc/ssh/sshd.config. A small example:

Port 22022
Protocol 2
StrictModes yes
RSAAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile	%h/.ssh/authorized_keys
PermitRootLogin no
PermitEmptyPasswords no
IgnoreRhosts yes
PasswordAuthentication no
HostbasedAuthentication no
ChallengeResponseAuthentication no
X11Forwarding no
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM no

You may use firewall rules or fail2ban to block hacking activities on your SSH port.

Personal tools