SSH config for security
Change the ssh port
The default ssh port is 22, and automated scanners and brute-force tools hammer it all day. Moving sshd to another port does not stop a targeted attacker (a full port scan still finds it), but it removes most of the background noise from your auth logs. Pick any unused port; 2222 below is only an example. Open the new port in your firewall or cloud security group before you restart, and on a SELinux host also register it (semanage port -a -t ssh_port_t -p tcp 2222), or the restart locks you out.
```
vi /etc/ssh/sshd_config
Port 2222
service sshd restart
```
(On Debian/Ubuntu the service is called ssh, so use service ssh restart or systemctl restart ssh.)
Forbid root login
First make sure a regular user with sudo (or su) access exists and that you can log in as that user; once root login is refused, that user is your only way in.
```
vi /etc/ssh/sshd_config
PermitRootLogin no
service sshd restart
```
Log in with an SSH key instead of a password
Generate a key pair on your own computer, not on the server. The private key never leaves your machine; only the .pub file goes to the server.
```
ssh-keygen -t rsa -b 4096 -C "some comment" -f ~/path/key
```
(ssh-keygen -t ed25519 gives a smaller, faster key and is the better choice whenever the server's OpenSSH is recent enough to accept it.)
- Install the public key on the server. sshd reads the keys a user may log in with from that user's ~/.ssh/authorized_keys (the default AuthorizedKeysFile is .ssh/authorized_keys .ssh/authorized_keys2, relative to the user's home directory), so append the contents of ~/path/key.pub to that file; ssh-copy-id -i ~/path/key.pub $username@server does exactly that. The ~/.ssh directory must be mode 700 and authorized_keys mode 600, otherwise sshd silently ignores the file (StrictModes). AuthorizedKeysFile in sshd_config only needs changing if you want a non-default location; it takes a path relative to the home directory or a %h token (not ~), and it must point at the list of public keys, never at a private key:
```
vi /etc/ssh/sshd_config
AuthorizedKeysFile .ssh/authorized_keys
service sshd restart
```
- Then configure the client on the computer you connect from, in ~/.ssh/config (Port must match whatever you set on the server):
```
# custom comment
Host aliasName
    HostName ip or hostname
    Port 22
    User $username
    IdentityFile ~/path/key
    # Keep session alive
    ServerAliveInterval 60
    # reuse an established ssh channel
    ControlMaster auto
    ControlPath ~/.ssh/session/%h-%C
```
Create the socket directory first (mkdir -m 700 ~/.ssh/session). %C is a hash of the host, port and user, which keeps the socket path short and does not leak the target name into the file name. The master connection closes together with the first session unless you also set ControlPersist (for example ControlPersist 10m), so add that if later connections should reuse the channel.
Now try it from your computer: ssh aliasName. If the key login works, you can forbid password authentication.
Forbid password authentication
Before you disable password authentication you must have a working key login, and you should keep that session open while you test: if the new config is broken you can still fix it from there. Validate the file with sshd -t before restarting.
```
vi /etc/ssh/sshd_config
PasswordAuthentication no
service sshd restart
```
- Now nobody can log in to the server with a password. Two things to check. First, on many distributions PAM's keyboard-interactive method still prompts for a password unless KbdInteractiveAuthentication no (ChallengeResponseAuthentication no on older OpenSSH) is set as well. Second, a recent sshd_config may begin with Include /etc/ssh/sshd_config.d/*.conf, and sshd keeps the first value it sees for an option, so a drop-in file there that sets PasswordAuthentication yes wins over your edit further down. Confirm what sshd actually resolved with sshd -T | grep -i passwordauth.
One more thing: to deny particular users ssh login, list them in DenyUsers (space-separated; user@host patterns are allowed too):
```
vi /etc/ssh/sshd_config
DenyUsers $username
service sshd restart
```
If you prefer an allow-list, AllowUsers does the opposite; sshd evaluates DenyUsers, AllowUsers, DenyGroups and AllowGroups in that order.
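The steps above all edit sshd_config by hand, which is easy to get wrong twice: a re-run can leave duplicate lines, and a line appended at the end may land inside a Match block, where it only applies conditionally. The script below is an added example, not code from the original post: it applies the post's settings (plus the keyboard-interactive caveat) idempotently, inserts missing options before the first Match block, leaves Match-scoped lines alone, and runs sshd -t on the result before anything touches the live file. The port 2222, the user deploy, the temporary-file demo and the constructed config content are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example, not code from the original post: apply the hardening settings
# idempotently (re-running never duplicates a line), keep Match blocks intact,
# and validate with sshd -t before going live. Port 2222, user "deploy" and the
# demo config below are placeholders.

# set_sshd_option FILE KEY VALUE
# Replaces the first global "KEY ..." line (active or commented out) with
# "KEY VALUE", drops later global duplicates, and if the key is absent inserts it
# before the first "Match" block (or appends it). Lines inside a Match block are
# left alone: they are conditional, and sshd takes the first global value it sees.
set_sshd_option() {
    awk -v key="$2" -v value="$3" '
        BEGIN { lk = tolower(key) }
        {
            line = $0
            commented = (line ~ /^[ \t]*#/)
            sub(/^[ \t]*#?[ \t]*/, "", line)     # strip indent and a leading "#"
            split(line, f, /[ \t=]+/)            # f[1] is the keyword, "Key=value" included
            k = tolower(f[1])
            if (!commented && k == "match") {
                if (!done) { print key " " value; done = 1 }
                in_match = 1
            }
            if (!in_match && k == lk) {
                if (!done) { print key " " value; done = 1 }
                next                             # drop duplicates of the key
            }
            print
        }
        END { if (!done) print key " " value }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# get_sshd_option FILE KEY: print the first global value of KEY, if any.
get_sshd_option() {
    awk -v lk="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        /^[ \t]*(#|$)/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == lk { v = $0; sub(/^[ \t]*[^ \t]+[ \t]+/, "", v); print v; exit }
    ' "$1"
}

# harden_sshd FILE: the settings from this post plus the PAM caveat.
harden_sshd() {
    set_sshd_option "$1" Port 2222                        # placeholder non-default port
    set_sshd_option "$1" PermitRootLogin no
    set_sshd_option "$1" PubkeyAuthentication yes
    set_sshd_option "$1" PasswordAuthentication no
    set_sshd_option "$1" KbdInteractiveAuthentication no  # else PAM may still prompt for a password
    set_sshd_option "$1" DenyUsers deploy                 # placeholder user
}

# Demo on a constructed copy of a stock config; never edit the live file in place.
demo=$(mktemp)
cat > "$demo" <<'EOF'
#Port 22
#PermitRootLogin prohibit-password
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
EOF
harden_sshd "$demo"
harden_sshd "$demo"     # second run changes nothing
cat "$demo"
# Only a real host can validate: sshd -t parses the file (and host keys) and
# prints nothing on success. Run it before copying over /etc/ssh/sshd_config,
# and keep your current session open until a fresh login succeeds.
if command -v sshd >/dev/null 2>&1; then
    sshd -t -f "$demo" && echo "sshd -t: ok" || echo "sshd -t: rejected the file"
fi
rm -f "$demo"
```

On a host with an Include line at the top of sshd_config, run harden_sshd against the drop-in file that currently sets PasswordAuthentication (or against a new, lower-numbered drop-in) rather than the main file, since sshd keeps the first value it reads.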
Author Linfeng
LastMod 2023-08-31