SSH Security

From PrgmrWiki

Changing SSH Port

Log in as root.

To find your current port, run the following command:

# cat /etc/ssh/sshd_config | grep Port

If you would like to change the port, open /etc/ssh/sshd_config with your favorite editor and change the Port line. Many users have noted that running ssh on SSL-enabled ports works for getting around firewalls:

Normal Service    Port
https             443
pop3 ssl          993
smtp ssl          465


Run the following command to restart the ssh daemon:

# /etc/init.d/sshd restart

Disable Password Logins

WARNING: If you did not set up your public keys, you will have to log in via the prgmr console and fix everything manually.


To check whether password logins are enabled, run the following command as root:

# cat /etc/ssh/sshd_config | grep PasswordAuthentication

If it returns

PasswordAuthentication no

then password logins are already disabled. If there is a # at the beginning of the line, you must remove the # before the setting will take effect.

To disable password logins, open /etc/ssh/sshd_config with your favorite editor and look for the following:

PasswordAuthentication yes 

Change it to

PasswordAuthentication no

If you do not see a PasswordAuthentication line, you may need to add it.

You need to reload the ssh server for the changes to take effect:

# /etc/init.d/ssh reload

Disable Root Logins

WARNING: If you did not set up a user account and you are only using the root account, please make a user account first.

To check whether root logins are enabled, run the following command as root:

# cat /etc/ssh/sshd_config | grep PermitRootLogin

If it returns

PermitRootLogin no

then root logins are already disabled.

To disable root logins, open /etc/ssh/sshd_config with your favorite editor and look for the following:

PermitRootLogin yes 

Change it to

PermitRootLogin no

If you do not see a PermitRootLogin line, you may need to add it.

You need to reload the ssh server for the changes to take effect:

# /etc/init.d/ssh reload
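
The grep checks above also match commented-out lines and, for Port, unrelated keywords such as GatewayPorts. As an added example (not part of the original wiki page), this script reports the value sshd would actually use for each setting; it assumes whitespace-separated "Keyword value" lines and no Include files, and the sample config in it is constructed.

```shell
#!/bin/sh
# Added example, not from the wiki page. Assumes whitespace-separated
# "Keyword value" lines and no Include files.

# effective_sshd_option FILE KEYWORD
# Prints the first uncommented value of KEYWORD in the global section.
# sshd uses the first value it reads for a keyword and ignores keyword case.
# Prints nothing when the keyword is not set.
effective_sshd_option() {
    awk -v key="$2" '
        NF == 0 || $1 ~ /^#/        { next }  # blank or commented-out line
        tolower($1) == "match"      { exit }  # conditional blocks start here
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# audit_sshd_config FILE
# Returns 0 only if password and root logins are both explicitly disabled.
audit_sshd_config() {
    file=$1
    rc=0
    for want in "PasswordAuthentication no" "PermitRootLogin no"; do
        key=${want% *}
        expected=${want#* }
        actual=$(effective_sshd_option "$file" "$key")
        if [ "$actual" = "$expected" ]; then
            echo "OK    $key $actual"
        else
            echo "CHECK $key is '${actual:-unset}', wanted '$expected'"
            rc=1
        fi
    done
    # Port may be listed more than once; only the first entry is shown.
    port=$(effective_sshd_option "$file" Port)
    echo "INFO  Port ${port:-22 (default)}"
    return "$rc"
}

# Constructed sample: the PasswordAuthentication line is still commented
# out, and GatewayPorts would also match a plain "grep Port".
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 443
GatewayPorts no
#PasswordAuthentication no
permitrootlogin no
EOF
audit_sshd_config "$sample" || echo "sshd_config needs attention"
rm -f "$sample"
```

On the server itself, sshd -T prints the configuration the daemon resolves, and sshd -t checks the file for errors before you restart or reload.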

Using openssh keys

To generate a set of ssh keys for yourself, use the following command:

# ssh-keygen -t rsa

Definition of passphrase:

A password that comprises a whole phrase

http://en.wiktionary.org/wiki/passphrase

An example passphrase could be

my cat likes to eat flys

Now, for more security, we could replace common letters with numbers:

my cat lik35 t0 3at fly5

After you have generated your key, you need to upload the public key to your host. The most common way is via scp:

# scp ~/.ssh/id_rsa.pub username@example.com:~

Now log in to your server and run the following commands:

# mkdir -p ~/.ssh
# chmod 700 ~/.ssh
# cat ~/id_rsa.pub >> ~/.ssh/authorized_keys
# chmod 600 ~/.ssh/authorized_keys
# rm ~/id_rsa.pub