Harden SSHD on CentOS
First, create a regular user. Direct root login is disabled below, so this account is the only way in afterwards (the password set here is the one you will log in with):
adduser admin && passwd admin
Back up the current sshd_config. Copy it rather than moving it, so the live file (and its permissions and SELinux context) stays in place until you deliberately overwrite it:
cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
Open sshd_config for editing (the -w switch stops nano wrapping long lines, which would corrupt directives):
nano -w /etc/ssh/sshd_config
Replace its contents with the config below, but change the Port to something other than 22. On CentOS with SELinux enforcing, a non-standard port also has to be registered as ssh_port_t (semanage port) and opened in the firewall, otherwise sshd will fail to bind or clients will be dropped. The config targets the OpenSSH shipped with CentOS; newer OpenSSH releases treat some of these directives (Protocol, RhostsRSAAuthentication, UsePrivilegeSeparation) as deprecated and only log a warning about them.
## Changing to a non-default port is recommended, e.g. 2488 (cuts noise from scanners; it is not a substitute for the settings below)
Port 22
## Restrict the address sshd listens on. Default: all local addresses
#ListenAddress 192.168.0.1
## Allow SSH protocol 2 only (protocol 1 is broken)
Protocol 2
## Disable direct root login. Log in as the admin user, then "su -" to become root
PermitRootLogin no
## Run the network-facing part of sshd as an unprivileged process, so a bug there does not give root
UsePrivilegeSeparation yes
## Disable TCP port forwarding (tunnelling) through this server
AllowTcpForwarding no
## Disables X11Forwarding
X11Forwarding no
## Check ownership and permissions of the user's home directory and SSH files before accepting a login; refuse if they are world-writable
StrictModes yes
## Ignore ~/.rhosts and ~/.shosts files during host-based authentication
IgnoreRhosts yes
## Disable host-based (trusted-host) authentication
HostbasedAuthentication no
## Disable rhosts plus RSA host key authentication (protocol 1 only)
RhostsRSAAuthentication no
## Show the contents of this file as a banner before authentication
#Banner /etc/motd
## Enable the SFTP subsystem (comment out to disable SFTP)
Subsystem sftp /usr/libexec/openssh/sftp-server
## Only these users may log in (space-separated list). Everyone else is refused, even with a valid password or key
AllowUsers admin
Check the file for syntax errors with sshd's test mode (sshd -t; it prints nothing if the config is valid), then restart the daemon:
service sshd restart
Start a NEW ssh session as the admin user on the new port to confirm you can still get in. Do not close your current session until you are sure the new config works, because it is your only way back in if it does not.
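The steps above as one script (added here as an example; this is not part of the original page). It writes the config from the page with the port and user list filled in, audits a candidate file for the hardened settings, and applies it with a syntax check. The audit honours a rule that bites people who paste into an existing file: sshd uses the FIRST occurrence of a keyword, so a leftover "PermitRootLogin yes" near the top silently overrides a "PermitRootLogin no" further down. The port 2488, the admin user and the paths are assumptions; the semanage and firewall-cmd calls only run where those tools exist (CentOS 6 with iptables needs an equivalent rule by hand).

```shell
#!/bin/sh
# Added example, not from the original page. Port/user/paths are assumptions.
set -u

# Print the effective value of KEY in FILE. sshd takes the first occurrence
# of a keyword (case-insensitive); directives inside a Match block are
# conditional, so parsing stops at the first Match line.
effective_directive() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        { k = tolower($1) }
        k == "match" { exit }
        k == key { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# Audit FILE against the hardened settings; print each deviation, return 1 if any.
audit_sshd_config() {
    file=$1 rc=0
    for pair in PermitRootLogin=no X11Forwarding=no AllowTcpForwarding=no \
                StrictModes=yes IgnoreRhosts=yes HostbasedAuthentication=no; do
        key=${pair%%=*} want=${pair#*=}
        got=$(effective_directive "$file" "$key")
        if [ "$(printf '%s' "$got" | tr 'A-Z' 'a-z')" != "$want" ]; then
            echo "FAIL $key: effective value '${got:-<unset>}', want '$want'"
            rc=1
        fi
    done
    [ -n "$(effective_directive "$file" AllowUsers)" ] || { echo "FAIL AllowUsers: not set"; rc=1; }
    port=$(effective_directive "$file" Port)
    [ -n "$port" ] && [ "$port" != "22" ] || echo "WARN Port: still on 22 (the default)"
    return $rc
}

# Write the hardened config from the page to FILE with PORT and USERS filled in.
write_hardened_sshd_config() {
    file=$1 port=$2 users=$3
    cat > "$file" <<EOF
Port $port
Protocol 2
PermitRootLogin no
UsePrivilegeSeparation yes
AllowTcpForwarding no
X11Forwarding no
StrictModes yes
IgnoreRhosts yes
HostbasedAuthentication no
RhostsRSAAuthentication no
Subsystem sftp /usr/libexec/openssh/sftp-server
AllowUsers $users
EOF
    chmod 600 "$file"
}

# Install NEW as the live config: audit, back up, syntax-check the candidate
# with "sshd -t -f" (does not touch the live file), register PORT with SELinux
# and the firewall where those tools exist, then restart. Keep your current
# session open and test a fresh login before trusting the result.
apply_sshd_config() {
    new=$1 port=$2 live=/etc/ssh/sshd_config
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
    audit_sshd_config "$new" || return 1
    cp -p "$live" "$live.bak.$(date +%Y%m%d%H%M%S)" || return 1
    sshd -t -f "$new" || return 1
    if command -v semanage >/dev/null 2>&1; then
        semanage port -a -t ssh_port_t -p tcp "$port" 2>/dev/null || \
            semanage port -m -t ssh_port_t -p tcp "$port"
    fi
    if command -v firewall-cmd >/dev/null 2>&1; then
        firewall-cmd --permanent --add-port="$port/tcp" && firewall-cmd --reload
    fi
    cp "$new" "$live" || return 1
    chmod 600 "$live"
    command -v restorecon >/dev/null 2>&1 && restorecon "$live"
    if command -v systemctl >/dev/null 2>&1; then systemctl restart sshd; else service sshd restart; fi
}

# Usage as root:  write_hardened_sshd_config /root/sshd_config.new 2488 admin
#                 apply_sshd_config /root/sshd_config.new 2488
# Non-root demo: generate into a temp file and audit it.
demo=$(mktemp) && write_hardened_sshd_config "$demo" 2488 admin && audit_sshd_config "$demo"
rm -f "$demo"
```

audit_sshd_config reads the file the way sshd does (first value wins, Match blocks excluded); on the live host, sshd -T prints the daemon's effective settings and is the authoritative check once it is running.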