Differences

This shows you the differences between two versions of the page.

--- ssh:configure_sshd [2016/12/05 12:24] – peter
+++ ssh:configure_sshd [2019/12/04 21:20] (current) – removed peter
@@ Line 1: / Line 1: @@
-====== SSH - Configure sshd ======
-===== Backup the existing configuration file =====
-First, make a backup of your sshd_config file by copying it to your home directory, or by making a read-only copy in /etc/ssh by doing:"
-<code bash>
-sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.factory-defaults
-sudo chmod a-w /etc/ssh/sshd_config.factory-defaults
-</code>
-===== Edit the sshd config file =====
-Issue the following command:
-<code bash>
-sudo vi /etc/ssh/sshd_config
-</code>
-===== Restrict SSH to version 2 =====
-…add in this line if not already in the sshd configuration file, otherwise modify it to be:
-<code>
-Protocol 2
-</code>
-<WRAP info>
-SSH protocol version 1 (SSH-1) has man-in-the-middle attacks problems and security vulnerabilities.  SSH-1 is obsolete and should be avoided at all cost.
-</WRAP>
-===== Restrict SSH Key Size to 2048 or above =====
-…add in this line if not already in the sshd configuration file, otherwise modify it to be:
-<code>
-ServerKeyBits 2048
-</code>
-<WRAP info>
-This defines the number of bits in the ephemeral protocol version 1 server key.
-**NOTE**: The file /etc/ssh/moduli file contains a list of all keys supported.
-A recommendation is to remove the smaller groups from the /etc/ssh/moduli file on the server.
-When the client asks for a Diffie-Hellman group, sshd searches the moduli file for groups and picks one at random from the set at least as large as what the client requested.  If there are no small (eg 1k, 1.5k) keys, then sshd will always use larger ones.
-</WRAP>
-===== Dont listen to all addresses =====
-Change the following line in the sshd config file from:
-<code>
-ListenAddress 0.0.0.0
-</code>
-to
-<code>
-ListenAddress 192.168.1.2
-</code>
-<WRAP info>
-Allowing connections from only certain IP addresses makes a system a lot more secure.
-</WRAP>
-===== Disable SSH root login =====
-Change the following line in the sshd config file from:
-<code>
-PermitRootLogin yes
-</code>
-to
-<code>
-PermitRootLogin no
-</code>
-<WRAP info>
-By default, the SSH daemon ships with remote root logins enabled.  Normally Ubuntu does not allow direct access to the root user, so this setting is unimportant.  If you have set a password on the root account, this setting can be a potential security risk, and should be disabled.
-It is safer to login as another user and use sudo.
-**NOTE**: Sometimes it is necessary to allow root logins when doing automated tasks such as backups.  To disallow normal logins but allow forced commands, you can use:
-<code>
-PermitRootLogin forced-commands-only
-</code>
-</WRAP>
-===== Disable logins for the **root** user, only allow login for the core user and disable password based authentication. =====
-permissions: 0600
-owner: root:root
-<file bash /etc/ssh/sshd_config>
-# Use most defaults for sshd configuration.
-UsePrivilegeSeparation sandbox
-Subsystem sftp internal-sftp
-PermitRootLogin no
-AllowUsers core
-PasswordAuthentication no
-ChallengeResponseAuthentication no
-</file>