How to Secure OpenSSH (SSHD) on Linux

OpenSSH is a open source alternative to the proprietary Secure Shell software. It is also the SSH connectivity tools that allows you to remotely login, transfer remote file via scp or sftp. It was created as an open source alternative to the proprietary Secure Shell software. OpenSSH options are controlled through the /etc/ssh/sshd_config file. In order to improve OpenSSH server security, certain default sshd setting need to be change. This post will show you three example to Secure OpenSSH (SSHD) on Linux. This steps has been tested on CentOS 6.3 and may working on CentOS 6.2, CentOS 5.x and Redhat Enterprise Linux 5 (RHEL 5) and Redhat Enterprise Linux 6 (RHEL 6).

1.Change SSH Default Port :

By default ssh runs on port 22. Hacker would need to know the SSH port number in order to access your system. One of the method to improve security is to change the default port to a non-standard port. That would helps to stop brute force attacks.

#Port 22

Uncomment and change to :

Port 2202

2. Disable Root Login (PermitRootLogin) :

Add the following entry to sshd_config to disable root to login to the server directly.

#PermitRootLogin yes

Uncomment and change to :

PermitRootLogin no

3. Listen Specific IP only :

By default ssh will listen on all of the above ip-addresses. If you want users to login only using ip-address 192.168.1.200 and 192.168.1.202, do the following in your sshd_config :

ListenAddress 192.168.1.200
ListenAddress 192.168.1.202

How to Allow and Deny Access for Remote SSH to CentOS 6.2

In this post, i will show on how to allow and deny access for Remote SSH to CentOS server. This post will configure SSH access as follows:
– Only ehowstuff and root has remote SSH access to the machine within ehowstuff.local
– Clients within bloggerbaru.com should NOT have access to ssh on your system

Please note that all systems in that domain are in the 192.168.1.0/255.255.255.0 subnet, and all systems in that subnet are in bloggerbaru.com.

1. Modify ssh_config as below :

[root@centos62 ~]# vi /etc/ssh/sshd_config
AllowUsers ehowstuff root

2. Make sshd auto start on boot and restart sshd service :

[root@centos62 ~]# chkconfig sshd on
[root@centos62 ~]# /etc/init.d/sshd restart

3. Open iptables configuration as below :

[root@centos62 ~]# vi /etc/sysconfig/iptables

4. Append this line on your iptables setting :

-A INPUT -s 192.168.1.0/24 -p tcp --dport 22 -j REJECT

5. Restart the iptables :

[root@centos62 ~]# /etc/init.d/iptables restart