SSH - Configure sshd
Backup the existing configuration file
First, make a backup of your sshd_config file, either by copying it to your home directory or by keeping a read-only copy in /etc/ssh:
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.factory-defaults
sudo chmod a-w /etc/ssh/sshd_config.factory-defaults
Edit the sshd config file
Issue the following command:
sudo vi /etc/ssh/sshd_config
Restrict SSH to version 2
…add this line if it is not already in the sshd configuration file, otherwise modify it to read:
Protocol 2
SSH protocol version 1 (SSH-1) has known weaknesses, including susceptibility to man-in-the-middle attacks, and is obsolete; never allow it. OpenSSH removed server support for SSH-1 in version 7.4, where the Protocol keyword became a deprecated no-op, so on current systems this line is harmless and only matters on older installs that still understand it.
Restrict SSH Key Size to 2048 or above
…add this line if it is not already in the sshd configuration file, otherwise modify it to read:
ServerKeyBits 2048
This sets the number of bits in the ephemeral protocol version 1 server key. It affects SSH-1 only and was removed along with SSH-1 support in OpenSSH 7.4, where it is accepted as a deprecated no-op; it does nothing for SSH-2. For SSH-2 the sizes that matter are those of the host keys, fixed when they are generated (ssh-keygen -b), and of the Diffie-Hellman groups described next.
NOTE: The file /etc/ssh/moduli contains the Diffie-Hellman groups (prime and generator, one per line; the size field in the fifth column holds values such as 2047, 3071 or 4095) that sshd uses for the diffie-hellman-group-exchange key exchange methods. It has nothing to do with host or user keys.
A recommendation is to remove the smaller groups from the /etc/ssh/moduli file on the server.
When a client negotiates a group-exchange key exchange it sends the group size it wants; sshd searches the moduli file for groups that fit that request and picks one of them at random. If the file contains no small groups (e.g. 1024 or 1536 bits), sshd can only ever use larger ones.
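The filtering described above, as an added example that is not part of the original page: a small shell script that keeps only the larger groups of a moduli-style file and reports what it dropped. The moduli lines it uses are constructed placeholders with the real file's column layout, not actual safe primes; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original page: produce a copy of an
# /etc/ssh/moduli-style file that keeps only Diffie-Hellman groups of a
# minimum size, so diffie-hellman-group-exchange can never pick a small one.
#
# Line format (moduli(5)): time type tests trials size generator modulus
# Field 5 holds the size value: 2047 for a 2048-bit group, 3071 for 3072 bits,
# 4095 for 4096 bits, and so on.

# filter_moduli FILE [MIN_SIZE]
# Print comment lines unchanged and data lines whose size field is >= MIN_SIZE
# (default 3071, i.e. 3072-bit groups and larger).
filter_moduli() {
    awk -v min="${2:-3071}" '
        /^#/ { print; next }
        NF >= 7 && ($5 + 0) >= (min + 0) { print }
    ' "$1"
}

# count_groups FILE: number of data (non-comment) lines.
count_groups() {
    grep -c -v '^#' "$1"
}

# smallest_group FILE: the smallest size field present (empty if no groups).
smallest_group() {
    awk '!/^#/ && NF >= 7 { if (min == "" || $5 + 0 < min) min = $5 + 0 }
         END { print min }' "$1"
}

# Constructed sample with the real file's layout; the modulus column holds
# placeholder hex, NOT safe primes. Never install this file on a server.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# constructed sample, not a real moduli file
20120821044040 2 6 100 1023 2 C0FFEE01
20120821044041 2 6 100 1535 2 C0FFEE02
20120821044042 2 6 100 2047 2 C0FFEE03
20120821044043 2 6 100 3071 2 C0FFEE04
20120821044044 2 6 100 4095 5 C0FFEE05
20120821044045 2 6 100 8191 2 C0FFEE06
EOF

SAFE=$(mktemp)
filter_moduli "$SAMPLE" 3071 > "$SAFE"
echo "before: $(count_groups "$SAMPLE") groups (smallest size field $(smallest_group "$SAMPLE"))"
echo "after:  $(count_groups "$SAFE") groups (smallest size field $(smallest_group "$SAFE"))"
```

On a real server the same filter is `awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.safe`, run as root after backing up the original; check that the result is not empty before moving it into place, and restart sshd afterwards. Only the diffie-hellman-group-exchange-* key exchanges read this file; curve25519-sha256 and the fixed-group methods never touch it.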
Don't listen on all addresses
Change the following line in the sshd config file from:
ListenAddress 0.0.0.0
to
ListenAddress 192.168.1.2
ListenAddress controls which local addresses sshd binds to, not which clients may connect. Binding only to an internal interface (here 192.168.1.2) keeps the daemon off interfaces that face untrusted networks, which is worth doing on multi-homed hosts. Note that the default also listens on IPv6 (::); listing a single IPv4 address stops that, so verify the listening sockets afterwards with ss or netstat. To restrict which client source addresses may connect, use the firewall or a Match Address block in sshd_config.
Disable SSH root login
Change the following line in the sshd config file from:
PermitRootLogin yes
to
PermitRootLogin no
Older OpenSSH releases shipped with PermitRootLogin yes; since OpenSSH 7.0 the default is prohibit-password, which still permits root logins with a key. On Ubuntu the root account has no password by default, so a password login as root is impossible, but a key placed in /root/.ssh/authorized_keys would still allow direct root access, and if a root password has been set then password guessing against root becomes possible. Set it to no explicitly: log in as an unprivileged user and use sudo.
NOTE: Sometimes root must log in for automated tasks such as backups. To refuse interactive root logins but still allow key-based logins whose authorized_keys entry carries a command= option (the key can then only run that command), use:
PermitRootLogin forced-commands-only
Disable logins for the **root** user, only allow login for the core user and disable password based authentication. The fragment below is written for a host provisioned from a cloud-config style file (core is the default login user on CoreOS Container Linux); the directives themselves apply to any sshd. Two of them are historical: UsePrivilegeSeparation is ignored by OpenSSH 7.5 and later, where privilege separation is always on, and ChallengeResponseAuthentication was renamed KbdInteractiveAuthentication in OpenSSH 8.7 (the old name still works as an alias).
File: /etc/ssh/sshd_config (permissions: 0600, owner: root:root)
# Use most defaults for sshd configuration.
UsePrivilegeSeparation sandbox
Subsystem sftp internal-sftp
PermitRootLogin no
AllowUsers core
PasswordAuthentication no
ChallengeResponseAuthentication no
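The settings collected on this page, checked by an added example that is not part of the original page: a shell audit that reads an sshd_config-style file the way sshd does (first value of each keyword wins, Match blocks set aside) and reports which of the recommended directives are in effect. The sample configuration it audits is constructed for the example, and the function names are its own. On a real server, `sshd -T` prints the effective configuration and `sshd -t` checks the syntax.

```shell
#!/bin/sh
# Added example, not part of the original page: audit an sshd_config-style file
# for the settings recommended above. It applies the rule from sshd_config(5)
# that for each keyword the FIRST value obtained wins, so a hardening line
# appended at the end of the file is silently ignored if the keyword already
# appears earlier (or in a file pulled in by an Include directive, which Ubuntu
# places at the very top of sshd_config).

# effective_value FILE KEYWORD
# Print the first value given for KEYWORD (case-insensitive; "Key value" and
# "Key=value" forms), skipping comment and blank lines. Prints nothing when the
# keyword is absent. Lines from the first "Match" block onward are not consulted,
# because sshd applies those only when the Match criteria are met.
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { line = $0 }
        line ~ /^[ \t]*#/ { next }
        line ~ /^[ \t]*$/ { next }
        {
            gsub(/^[ \t]+/, "", line); gsub(/[ \t]+$/, "", line)
            n = split(line, parts, /[ \t=]+/)
            kw = tolower(parts[1])
            if (kw == "match") exit
            if (kw == key) {
                if (n >= 2) {
                    val = line
                    sub(/^[^ \t=]+[ \t=]+/, "", val)
                    print val
                }
                exit
            }
        }
    ' "$1"
}

# check_setting FILE KEYWORD EXPECTED: report and return 0 on match, 1 otherwise.
check_setting() {
    actual=$(effective_value "$1" "$2")
    if [ "$(printf '%s' "$actual" | tr 'A-Z' 'a-z')" = "$(printf '%s' "$3" | tr 'A-Z' 'a-z')" ]; then
        echo "OK    $2 = $actual"
        return 0
    fi
    echo "FAIL  $2 = ${actual:-<unset, sshd default applies>} (wanted $3)"
    return 1
}

# audit_sshd_config FILE: run every check; the return value is the failure count.
audit_sshd_config() {
    fails=0
    check_setting "$1" PermitRootLogin no                 || fails=$((fails + 1))
    check_setting "$1" PasswordAuthentication no          || fails=$((fails + 1))
    check_setting "$1" ChallengeResponseAuthentication no || fails=$((fails + 1))

    # Protocol: "2" is fine; absent is also fine, since OpenSSH 7.4+ has no SSH-1.
    proto=$(effective_value "$1" Protocol)
    case "$proto" in
        ""|2) echo "OK    Protocol = ${proto:-<unset, SSH-2 only on OpenSSH 7.4+>}" ;;
        *)    echo "FAIL  Protocol = $proto (SSH-1 would be offered)"; fails=$((fails + 1)) ;;
    esac

    # ListenAddress: must name a specific address, not the wildcard (or nothing).
    la=$(effective_value "$1" ListenAddress)
    case "$la" in
        ""|0.0.0.0*|::*|"[::]"*) echo "FAIL  ListenAddress = ${la:-<unset>} (binds every interface)"; fails=$((fails + 1)) ;;
        *)                       echo "OK    ListenAddress = $la" ;;
    esac
    return "$fails"
}

# Constructed sample, not a real server's configuration. Note the two
# PermitRootLogin lines: only the first one counts.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# constructed sample sshd_config
ListenAddress 192.168.1.2
PermitRootLogin yes
PasswordAuthentication no
ChallengeResponseAuthentication no

# hardening pasted at the bottom; too late, the earlier value is used
PermitRootLogin no

Match User backup
    PermitRootLogin forced-commands-only
EOF

if audit_sshd_config "$SAMPLE"; then
    echo "all checks passed"
else
    echo "$? check(s) failed; fix the FIRST occurrence of each keyword"
fi
```

The audit reports PermitRootLogin as "yes" for the sample because that is the value sshd would use: the "no" further down never takes effect. When hardening a live host, grep for every occurrence of the keyword, including files under /etc/ssh/sshd_config.d/, before trusting an edit.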