The sshd service is used to secure communications between two untrusted hosts over an insecure network such as the internet.
In this post we are going to set up a new sshd service from scratch and learn how to harden it.
Step 1: Install openssh-server
Before installing the sshd service, you need to update your repository list. Here I'm using Debian:
Then simply run the following command:
After installation you can check its status with the following command:
The Active status shows whether the daemon is running. If it's not active, you can start the sshd service with the sudo systemctl start sshd command.
Step 2: Connect To The SSH Server
To connect to the server, you first need to know its IP address. Simply run ip a on the server to get it. Now run this command on the second machine to connect to the SSH server:
Step 3: Hardening The SSH Server
To configure the SSH server, you can either edit the /etc/ssh/sshd_config file or create a new file in the /etc/ssh/sshd_config.d/ directory. Just remember to restart the ssh daemon each time you change anything in the configuration, using the sudo systemctl restart sshd command.
3.1. Disable Root Login
The first step in hardening the sshd service is to limit the root user's access. Simply replace this line, or add it at the end of the configuration file:
3.2. Filter SSH Users
You can limit the login to a specific group. First create the group and add your desired users to it.
After that, add this line to the config file:
3.3. Change SSH Server Port
The best way to make your server more secure and prevent lots of brute-force attacks is to change the default SSH port to something else.
You can then connect to the server with the ssh -p 13202 [user]@[host] command.
3.4. Disable X11 Forwarding
Enabling X11 Forwarding on the host can allow an unauthorized user to secretly open another X11 connection to another remote client during the session and perform malicious activities such as keystroke monitoring. By default this option is enabled, and you can disable it by adding this line:
3.5. Disable User's Login With Empty Password
3.6. Public Key Authentication
First create a key on your local machine.
Then copy the SSH public key to the server. On Linux you can run this command:
On Windows systems you can run this command:
Replace [user] with your username on the server.
Then you can enable login with public key by adding this line to your config file.
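To confirm that the Step 3 settings are really in effect after a restart, the following script (an added example, not part of the original post) checks sshd's effective configuration as printed by sshd -T. The group name sshusers is a placeholder and the two sample inputs are constructed; port 13202 is the example port used above.

```shell
#!/bin/sh
# Added example: audit sshd's effective settings against the Step 3 hardening list.
# Real use: sudo sshd -T | audit_sshd   (sshd -T prints "keyword value", lowercase)

# Port 13202 is the page's example port; the group name "sshusers" is a placeholder.
WANT='permitrootlogin=no allowgroups=sshusers port=13202 x11forwarding=no permitemptypasswords=no pubkeyauthentication=yes'

# Reads effective config on stdin, prints one line per check, and returns the
# number of failed checks (0 means every setting matches).
audit_sshd() {
    awk -v spec="$WANT" '
        BEGIN {
            n = split(spec, item, " ")
            for (i = 1; i <= n; i++) {
                split(item[i], kv, "=")
                key[i] = kv[1]; want[kv[1]] = kv[2]
            }
        }
        # port and allowgroups may appear on several lines; any value other
        # than the wanted one counts as a failure.
        $1 in want {
            seen[$1] = 1
            if ($2 != want[$1]) wrong[$1] = $2
        }
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                k = key[i]
                if (!(k in seen))    { printf "FAIL %s not set (want %s)\n", k, want[k]; bad++ }
                else if (k in wrong) { printf "FAIL %s %s (want %s)\n", k, wrong[k], want[k]; bad++ }
                else                   printf "ok   %s %s\n", k, want[k]
            }
            exit bad
        }'
}

# Constructed sample inputs in sshd -T format (not captured from a real host).
SAMPLE_HARDENED='port 13202
permitrootlogin no
allowgroups sshusers
x11forwarding no
permitemptypasswords no
pubkeyauthentication yes'
SAMPLE_WEAK='port 22
permitrootlogin yes
x11forwarding yes
permitemptypasswords no
pubkeyauthentication yes'

printf '%s\n' "$SAMPLE_WEAK" | audit_sshd || echo "weak sample: $? checks failed"
```

Because sshd -T reports the merged result of sshd_config and every file in sshd_config.d, this catches a setting that was overridden by another file or never loaded.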