Ubuntu – Securing SSH or OpenSSH
Background
The concern is that running SSH/OpenSSH with the default configuration (/etc/ssh/sshd_config) exposes an attack vector, increasing the risk of Ubuntu being compromised.
Issue
The more externally available services running on a system, the greater the risk of attracting unwanted visitors. The default configuration of SSH is fairly flexible in order to accommodate most users, but the universal flexibility comes at the cost of security.
Solution
Four important modifications: change the port, use keys rather than passwords, disable password-based authentication, and disable root login. All of these modifications are made in the /etc/ssh/sshd_config file, as outlined below:
- Change the default port from 22 to another port: Port 12345
- Set up SSH keys for user accounts: see the guide linked under Sources
- Disable password-based authentication for all accounts: PasswordAuthentication no
- Disable root login access, or at least restrict root login access to key-based authentication: PermitRootLogin no
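A check for the three sshd_config settings above, as an added example that is not part of the original post. The function names are hypothetical; the script assumes whitespace-separated "Keyword value" lines, does not follow Include directives, and treats 22, yes and prohibit-password as the OpenSSH defaults for absent keywords.

```shell
#!/bin/sh
# effective_value FILE KEYWORD
# Print the value sshd would take from the global section of FILE: keywords
# are case-insensitive, the FIRST occurrence wins, and anything after a
# "Match" line is conditional, so it is not a global setting.
effective_value() {
    awk -v key="$2" '
        NF == 0 || $1 ~ /^#/        { next }                # blanks, comments
        tolower($1) == "match"      { exit }                # end of globals
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# audit_sshd_config FILE
# Check the page's three sshd_config settings; return the number of findings.
audit_sshd_config() {
    fails=0
    port=$(effective_value "$1" Port)
    pw=$(effective_value "$1" PasswordAuthentication)
    root=$(effective_value "$1" PermitRootLogin)
    # Assumed OpenSSH defaults when a keyword is absent.
    : "${port:=22}" "${pw:=yes}" "${root:=prohibit-password}"

    [ "$port" != 22 ] || { echo "FAIL Port is still 22"; fails=$((fails + 1)); }
    [ "$pw" = no ] || { echo "FAIL PasswordAuthentication is $pw"; fails=$((fails + 1)); }
    case $root in
        no|prohibit-password|without-password) ;;   # disabled or key-only
        *) echo "FAIL PermitRootLogin is $root"; fails=$((fails + 1)) ;;
    esac
    echo "$fails finding(s) in $1"
    return "$fails"
}

# Constructed sample: the hardened line comes second, so it never takes effect.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 12345
passwordauthentication yes
PasswordAuthentication no
Match User backup
    PermitRootLogin yes
EOF
audit_sshd_config "$sample" || true
rm -f "$sample"
```

After editing the real file, sshd -t validates the syntax and sshd -T prints the configuration sshd will actually use, including any Include'd files, before the service is restarted.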
Sources
Disabling password-based authentication: http://www.linux.org/threads/how-to-force-ssh-login-via-public-key-authentication.4253/
Setting up ssh keys for user accounts: https://www.digitalocean.com/community/tutorials/how-to-set-up-ssh-keys--2
More options: https://help.ubuntu.com/community/SSH/OpenSSH/Configuring