Saturday, 16 August 2014

SSH configuration: sshd_config file

On an SSH server there are two kinds of configuration file: sshd_config and ssh_config.

sshd_config holds the server-side configuration; the behaviour of the SSH daemon is defined in this file.

In this article I cover a few best practices for sshd_config.

Note: after every edit you make to sshd_config you must restart the sshd service. Please see my previous article about restarting ssh.


1. Allow login only for root and deny all others.

This is actually simple. In the terminal, as the root user, type as below

# touch /etc/nologin

That's it. Then restart the sshd service. Now try with a normal user and you won't be allowed to log in.

2. SSH protocol switching.

SSH has two protocol versions, version 1 and version 2.

Version 1 supports only user-based authentication. Because of this we can only see who is logging in to the server, not from which machine or host they are doing it, and that machine may be authorized or unauthorized. For this reason it is not safe to use version 1 in practice.

Version 2 overcomes this problem with version 1 by adding host-based authentication alongside user-based authentication.

It first takes the host identity and only then allows the user to log in.

You can set the SSH protocol version with

Protocol 2

in the sshd_config file, at line number 21.

3. Disabling direct root login

The first login should be as a normal user; only then can that user switch to root, and only if they know the root password. This is one of the best practices. To do that, open the sshd_config file with

# vi /etc/ssh/sshd_config

Find (or add) the line

PermitRootLogin no

then save and close, and restart the sshd service.

4. Allow only specific users.

Assume there are 100 users on the network and you don't want all of them to log in through SSH. You can simply allow particular users to log in and deny all others.

Open your configuration file

# vi /etc/ssh/sshd_config

Then add the line

AllowUsers user1 user2 user3

user1, user2 and user3 are usernames.

Save, close and restart the sshd service.

5. Deny only specific users.

Same case as above, but you want to deny only some of them and allow all others.

# vi /etc/ssh/sshd_config

DenyUsers user1 user2 user3

6. Disconnect idle SSH sessions after a timeout.

Open your sshd_config file and add the lines below; idle sessions will then be disconnected after the timeout. In the example it is 300 seconds, i.e. 5 minutes.

# vi /etc/ssh/sshd_config

then add

ClientAliveInterval 300

ClientAliveCountMax 0

Save, close and restart the sshd service.

7. Display banner information to everyone who tries to connect.

Make a file with the information you want to display; assume I have put it at /etc/issue. I can then display the contents of /etc/issue to everyone who connects by doing as below.

Open the file

# vi /etc/ssh/sshd_config

then add

Banner /etc/issue

Save, close and restart the sshd service.

8. Port number change

This is also one of the best security practices. The default SSH port is 22, and an attacker's first choice will be 22, so we have to change it to something else.

Open the configuration file

# vi /etc/ssh/sshd_config

then add the line

Port 2222

Save and close. As per the configuration file the SSH port is now 2222, but unless we also change iptables it won't work for remote connections.

# vi /etc/sysconfig/iptables

Then modify the line that has port 22, or remove it and add the new line below.

-A INPUT -m state --state NEW -m tcp -p tcp --dport 2222 -j ACCEPT

Then save and close the file and restart iptables with

# service iptables restart



9. Allow only a particular IP

This is a powerful measure: whoever the attacker is, they can't do anything unless they are coming from an authorized machine or network address.

We can do this in three ways, and we can treat them as a three-level security arrangement.

Method 1: iptables. Assume you want only the 192.168.1.2/24 network to access your SSH service. Open iptables on the server and add the line below before the COMMIT line,

-A INPUT -s 192.168.1.2/24 -m state --state NEW -m tcp -p tcp --dport 2222 -j ACCEPT

then save and close, and restart iptables with

# service iptables restart



Method 2: From sshd_config.

Edit the configuration file and add the line below.

# vi /etc/ssh/sshd_config

then add the line

ListenAddress 192.168.1.2/24

Save, close and restart the sshd service.

Method 3: TCP Wrappers

If you list an IP in /etc/hosts.allow, the named service is allowed for that IP; if you list the same IP in /etc/hosts.deny, the named service is denied for that IP.

For example, look at the case below.

# vi /etc/hosts.allow

then add

sshd : 192.168.1.2/24

Save and close. No restart is needed. Now only the listed IP will be allowed SSH access.

Now /etc/hosts.deny

# vi /etc/hosts.deny

sshd : 192.168.1.2/24

Save and close. Now all SSH requests from this IP will be denied.

I will write an article about TCP Wrappers soon.

TCP Wrappers consults /etc/hosts.allow first and then /etc/hosts.deny, so make sure you understand the flow before you rely on it.
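The allow-then-deny order just described is easy to get wrong. The shell script below is an added example, not part of the original post: it emulates that order for a given daemon and client address against constructed sample hosts.allow and hosts.deny files, so you can see what a pair of rule files will do before relying on it. The function names, the client addresses other than the post's 192.168.1.2/24, and the deliberately small pattern matcher are this example's own assumptions; it is not a replacement for the real libwrap.

```shell
#!/bin/sh
# Added example, not code from the original post: emulate the TCP Wrappers
# decision order described above (hosts.allow first, then hosts.deny, and
# "allow" when neither matches) so a hosts.allow / hosts.deny pair can be
# checked before relying on it. The rule files are constructed samples, and
# the matcher understands only the forms used on this page ("ALL", an exact
# address, a /8, /16 or /24 network) plus the dotted-prefix form
# "192.168.1."; it is not a replacement for real libwrap.

# wrap_match PATTERN IP: does one client pattern cover this IP?
wrap_match() {
  wm_pat=$1; wm_ip=$2
  case "$wm_pat" in
    ALL)  return 0 ;;
    */8)  [ "${wm_ip%%.*}" = "${wm_pat%%.*}" ] ;;
    */16) [ "$(echo "$wm_ip" | cut -d. -f1-2)" = "$(echo "${wm_pat%/*}" | cut -d. -f1-2)" ] ;;
    */24) [ "$(echo "$wm_ip" | cut -d. -f1-3)" = "$(echo "${wm_pat%/*}" | cut -d. -f1-3)" ] ;;
    *.)   case "$wm_ip" in "$wm_pat"*) return 0 ;; *) return 1 ;; esac ;;
    *)    [ "$wm_pat" = "$wm_ip" ] ;;
  esac
}

# wrap_file_matches FILE DAEMON IP: does any "daemon_list : client_list"
# line in FILE cover this daemon and client? Comments and blank lines are
# skipped; commas or spaces separate list entries, as in the real files.
wrap_file_matches() {
  wf_file=$1; wf_daemon=$2; wf_ip=$3
  [ -f "$wf_file" ] || return 1
  while IFS= read -r wf_line || [ -n "$wf_line" ]; do
    case "$wf_line" in ''|\#*) continue ;; esac
    case "$wf_line" in *:*) ;; *) continue ;; esac
    wf_dlist=$(echo "${wf_line%%:*}" | tr ',' ' ')
    wf_clist=$(echo "${wf_line#*:}" | tr ',' ' ')
    wf_hit=1
    for wf_d in $wf_dlist; do
      if [ "$wf_d" = "$wf_daemon" ] || [ "$wf_d" = ALL ]; then wf_hit=0; break; fi
    done
    [ "$wf_hit" -eq 0 ] || continue
    for wf_c in $wf_clist; do
      wrap_match "$wf_c" "$wf_ip" && return 0
    done
  done < "$wf_file"
  return 1
}

# wrap_decision DAEMON IP ALLOWFILE DENYFILE: prints "allow" or "deny".
# A hosts.allow match wins outright; hosts.deny is consulted only when
# hosts.allow did not match; no match in either file means allow.
wrap_decision() {
  if wrap_file_matches "$3" "$1" "$2"; then echo allow
  elif wrap_file_matches "$4" "$1" "$2"; then echo deny
  else echo allow
  fi
}

# wrap_demo_setup DIR: constructed sample files. hosts.allow admits the
# post's trusted network; hosts.deny lists that same network (which has no
# effect, because hosts.allow is read first) and then refuses everyone else.
wrap_demo_setup() {
  printf 'sshd : 192.168.1.2/24\n' > "$1/hosts.allow"
  printf '# hosts.allow has already admitted the trusted network\n' > "$1/hosts.deny"
  printf 'sshd : 192.168.1.2/24\nsshd : ALL\n' >> "$1/hosts.deny"
}

# Demonstration in a temporary directory so the real /etc files are untouched.
wd=$(mktemp -d)
wrap_demo_setup "$wd"
for wip in 192.168.1.50 10.0.0.5; do
  echo "sshd from $wip: $(wrap_decision sshd "$wip" "$wd/hosts.allow" "$wd/hosts.deny")"
done
echo "vsftpd from 10.0.0.5: $(wrap_decision vsftpd 10.0.0.5 "$wd/hosts.allow" "$wd/hosts.deny")"
rm -rf "$wd"
```

The demo shows the two points that matter in practice: the deny entry for 192.168.1.2/24 never fires because hosts.allow already matched, and a daemon that appears in neither file is allowed from anywhere. To get the "only this network" behaviour the post describes, hosts.allow must name the trusted network and hosts.deny must refuse the rest (here "sshd : ALL"); point the functions at a copy of your own /etc/hosts.allow and /etc/hosts.deny to check a real pair.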

10. Deny empty-password login.

Logging in with an empty password is not a good habit, so do as below in your config file

# vi /etc/ssh/sshd_config

then add

PermitEmptyPasswords no

Save, close and restart the sshd service.
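Items 2 to 8 and the empty-password item above all follow the same pattern: open /etc/ssh/sshd_config, add or change one directive, save, restart sshd. The shell script below is an added example, not code from the original post. It applies all of those directives in one idempotent pass and then audits the result, using the post's own values (Protocol 2, PermitRootLogin no, AllowUsers user1 user2 user3, ClientAliveInterval 300, ClientAliveCountMax 0, Banner /etc/issue, Port 2222, PermitEmptyPasswords no) against a constructed sample config file; the helper names and the sample file are this example's assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: apply the sshd_config
# settings from items 2 to 8 and the empty-password item in one idempotent
# pass, then audit the result. sshd uses the FIRST occurrence of a directive
# and ignores later ones, so blindly appending to the end of the file can
# leave an earlier line in control. sshd_set therefore rewrites the first
# active line if there is one, otherwise the first commented-out one, and
# appends only when the directive is absent. The directives, values, user
# list and port come from the post; the sample file and helper names are
# this example's own.

# sshd_set FILE DIRECTIVE VALUE: set DIRECTIVE to VALUE exactly once.
sshd_set() {
  f=$1; key=$2; val=$3
  if grep -Eiq "^[[:space:]]*$key([[:space:]]|=)" "$f"; then
    pfx='^[ \t]*'              # an active line exists: replace the first one
  elif grep -Eiq "^[[:space:]]*#[[:space:]]*$key([[:space:]]|=)" "$f"; then
    pfx='^[ \t]*#[ \t]*'       # only a commented-out line: un-comment it
  else
    printf '%s %s\n' "$key" "$val" >> "$f"   # absent: append
    return 0
  fi
  awk -v k="$key" -v v="$val" -v pfx="$pfx" '
    BEGIN { done = 0; re = pfx tolower(k) "([ \t]|=)" }
    !done && tolower($0) ~ re { print k " " v; done = 1; next }
    { print }' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# sshd_get FILE DIRECTIVE: print the effective value, i.e. the value on the
# first active line, which is what sshd itself will use.
sshd_get() {
  awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    { line = $0; sub(/^[ \t]+/, "", line) }
    line !~ /^#/ && tolower(line) ~ ("^" k "([ \t]|=)") {
      sub(/^[^ \t=]+[ \t=]+/, "", line); print line; exit
    }' "$1"
}

# sshd_harden FILE: the post's recommendations, applied together.
sshd_harden() {
  sshd_set "$1" Protocol 2
  sshd_set "$1" PermitRootLogin no
  sshd_set "$1" AllowUsers "user1 user2 user3"
  sshd_set "$1" ClientAliveInterval 300
  sshd_set "$1" ClientAliveCountMax 0
  sshd_set "$1" Banner /etc/issue
  sshd_set "$1" Port 2222
  sshd_set "$1" PermitEmptyPasswords no
}

# sshd_audit FILE: compare the effective values with what we expect;
# prints one line per directive and returns 1 if anything differs.
sshd_audit() {
  rc=0
  for pair in "Protocol=2" "PermitRootLogin=no" "AllowUsers=user1 user2 user3" \
              "ClientAliveInterval=300" "ClientAliveCountMax=0" \
              "Banner=/etc/issue" "Port=2222" "PermitEmptyPasswords=no"; do
    k=${pair%%=*}; want=${pair#*=}; got=$(sshd_get "$1" "$k")
    if [ "$got" = "$want" ]; then
      echo "ok   $k $got"
    else
      echo "FAIL $k is '${got:-<unset>}', expected '$want'"; rc=1
    fi
  done
  return $rc
}

# sshd_sample FILE: a constructed sshd_config in the style of the stock
# 2014-era file (most defaults commented out, some lines active).
sshd_sample() {
  cat > "$1" <<'EOF'
# constructed sample sshd_config, not a real system file
#Port 22
Protocol 2
#PermitRootLogin yes
#ClientAliveInterval 0
#ClientAliveCountMax 3
#Banner none
PermitEmptyPasswords yes
Subsystem sftp /usr/libexec/openssh/sftp-server
EOF
}

# Demonstration on a temporary copy. On a real host point the functions at
# /etc/ssh/sshd_config, run "sshd -t" to syntax-check the result, restart
# sshd, and keep your current session open until a fresh login on the new
# port succeeds.
cfg=$(mktemp)
sshd_sample "$cfg"
sshd_harden "$cfg"
sshd_audit "$cfg"
rm -f "$cfg"
```

Running the script twice leaves the file unchanged the second time, which is the property you want from anything that edits sshd_config from a cron job or a build script. The audit is worth keeping separate from the edit: run it against the live file after a restart and it tells you whether a stray earlier "Port 22" or "PermitRootLogin yes" line is still the one sshd honours.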


If you have any other information about sshd_config, please add it in the comments and I will add it to the main post.

Help helps you.

