1. Use the SSH-2 protocol and disable SSH-1 altogether. SSH-1 relies on a CRC-32 integrity check and has known insertion attacks, so it should not be offered at all. Modern OpenSSH no longer ships SSH-1, but setting this explicitly costs nothing on older builds:
Protocol 2
2. Ensure that the HostKey and PidFile live on the machine's local disk and not on an NFS mount; a host key readable through a shared filesystem can be copied by anyone who can reach the export, and a PidFile on a network mount breaks restarts when the mount is unavailable. The defaults already point at local paths, like those below:
HostKey /etc/ssh/ssh_host_key
PidFile /var/run/sshd.pid
Note that /etc/ssh/ssh_host_key is the SSH-1 host key. With Protocol 2 the keys that actually matter are the protocol-2 ones (ssh_host_rsa_key, ssh_host_ecdsa_key, ssh_host_ed25519_key), and the same local-disk rule applies to each HostKey line you keep.
3. File and directory permissions
With StrictModes on, sshd checks the ownership and mode of a user's home directory, ~/.ssh and the files in it before accepting a key or rhosts-style login; if the directory or authorized_keys is group- or world-writable, the user will not authenticate. The default is yes:
StrictModes yes
4. Enable keepalive messages
With keepalives enabled, connections to clients that have crashed or become unreachable are torn down rather than lingering as orphaned sshd processes that a sysadmin has to kill by hand. Bear in mind that TCP keepalives travel outside the encrypted channel and can be spoofed; the protocol-level equivalent is ClientAliveInterval together with ClientAliveCountMax, which sshd sends inside the encrypted session. Port and ListenAddress are shown here because they usually sit in the same block:
Port 22
ListenAddress 0.0.0.0
TCPKeepAlive yes
5. Disable reverse DNS lookup
Skipping the reverse lookup of the client address avoids login delays when DNS is slow and keeps authentication from depending on DNS answers. The only thing you lose is the ability to use host names (rather than addresses) in from= patterns in authorized_keys and in Match Host blocks:
UseDNS no
6. Select a shorter login grace time
LoginGraceTime is how long sshd waits for a connection to authenticate before dropping it. The default is 120 seconds (2 minutes), which you will probably want to shorten; a smaller value limits how long an attacker can hold unauthenticated connections open against the MaxStartups limit. The value here is 30 seconds:
LoginGraceTime 30
7. Authentication
The defaults are fine unless you want public-key-only authentication and wish to disable Kerberos, keyboard-interactive and GSSAPI authentication, in which case use the following:
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
RSAAuthentication yes
RhostsRSAAuthentication no
HostbasedAuthentication no
KerberosAuthentication no
ChallengeResponseAuthentication no
GSSAPIAuthentication no
IgnoreRhosts yes
ChallengeResponseAuthentication (KbdInteractiveAuthentication in newer releases) has to be no as well: with PasswordAuthentication no but challenge-response left on, PAM's keyboard-interactive method still prompts for a password on most distributions, so the password path is not actually closed. RSAAuthentication and RhostsRSAAuthentication apply only to SSH-1 and have no effect once Protocol 2 is enforced.
8. Access control
To allow only selected users or groups to log in over ssh, use the Allow/Deny directives. sshd processes them in the order DenyUsers, AllowUsers, DenyGroups, AllowGroups, and once an Allow* directive exists every account it does not list is refused:
AllowGroups users
AllowUsers me_only
DenyGroups black_list
DenyUsers hacker_id
For more information, see How do I permit specific users SSH access?
9. Securing TCP port forwarding and X forwarding
The lines below are the permissive settings (AllowTcpForwarding yes is sshd's default). Where users do not need them, set both to no: a forwarded port lets an authenticated user reach hosts behind the server, and X11 forwarding exposes the client's X display to programs on the server. Disabling TCP forwarding only stops sshd's own forwarding, though; a user with a shell can still run their own relay, so on its own it is not a security boundary.
AllowTcpForwarding yes
X11Forwarding yes
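The nine items above are easier to keep honest with a script than by eyeballing the file. The audit below is an added example, not part of the original post or of OpenSSH; it parses an sshd_config the way sshd does (keywords case-insensitive, the first occurrence of a keyword wins and later duplicates are ignored, parsing stops at the first Match block) and reports every item that deviates from the settings recommended here. It is stricter than the post on two points, which it states in its own messages: forwarding is expected to be off, and an AllowUsers or AllowGroups line is expected to exist. The two configs embedded at the bottom are constructed for the demonstration, not taken from any real host.

```python
"""Audit an sshd_config against the hardening items in this post (added example, not OpenSSH code)."""
import re

EXPECTED = {                      # lowercased keyword -> required value
    "protocol": "2", "strictmodes": "yes", "tcpkeepalive": "yes", "usedns": "no",
    "pubkeyauthentication": "yes", "passwordauthentication": "no",
    "permitemptypasswords": "no", "hostbasedauthentication": "no", "ignorerhosts": "yes",
    "kerberosauthentication": "no", "gssapiauthentication": "no",
    "challengeresponseauthentication": "no",   # "yes" still lets PAM prompt for a password
}
MAX_LOGIN_GRACE = 30                                        # seconds
FORWARDING_DEFAULTS = {"allowtcpforwarding": "yes", "x11forwarding": "no"}  # sshd defaults
_TIME_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_time(value):
    """Convert sshd's time format ("30", "30s", "2m", "1h30m") to seconds."""
    value = value.lower()
    if not re.fullmatch(r"(?:\d+[smhdw]?)+", value):
        raise ValueError(f"bad time value: {value!r}")
    return sum(int(n) * _TIME_UNITS[u] for n, u in re.findall(r"(\d+)([smhdw]?)", value))


def parse_sshd_config(text):
    """Return the effective global settings as {lowercased keyword: value}.
    sshd keeps the FIRST occurrence of a keyword, so a permissive line near the top
    silently wins over a hardened one below it. Parsing stops at the first Match block,
    whose settings are conditional. HostKey is collected as a list: every line applies."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()                 # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        if key == "hostkey":
            settings.setdefault(key, []).append(value)
        else:
            settings.setdefault(key, value)                 # first occurrence wins
    return settings


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    cfg = parse_sshd_config(text)
    findings = []
    for key, want in EXPECTED.items():
        got = cfg.get(key)
        if got is None:
            findings.append(f"{key}: not set, sshd default applies")
        elif got.lower() != want:
            findings.append(f"{key}: is {got!r}, expected {want!r}")
    grace = cfg.get("logingracetime")
    if grace is None:
        findings.append("logingracetime: not set (sshd default is 120s)")
    elif parse_time(grace) > MAX_LOGIN_GRACE:
        findings.append(f"logingracetime: {grace} exceeds {MAX_LOGIN_GRACE}s")
    for path in cfg.get("hostkey", []):
        if path.endswith("/ssh_host_key"):                  # the protocol-1 key file
            findings.append(f"hostkey: {path} is the SSH-1 host key path")
    for key in ("hostkey", "pidfile"):
        if key not in cfg:
            findings.append(f"{key}: not set; confirm the default path is on local disk")
    for key, default in FORWARDING_DEFAULTS.items():
        if cfg.get(key, default).lower() != "no":
            findings.append(f"{key}: enabled; set to no unless forwarding is required")
    if "allowusers" not in cfg and "allowgroups" not in cfg:
        findings.append("allowusers/allowgroups: not set; any valid account may log in")
    return findings


# Constructed sample of a loose config (not a real host's file).
WEAK_CONFIG = """\
PasswordAuthentication yes      # this first occurrence is what sshd uses ...
HostKey /etc/ssh/ssh_host_key
LoginGraceTime 2m
Protocol 2,1
ChallengeResponseAuthentication yes
PasswordAuthentication no       # ... so this later line is silently ignored
X11Forwarding yes
Match User backup
    ForceCommand internal-sftp
"""

# Constructed sample that applies every item in this post (keywords are case-insensitive).
HARDENED_CONFIG = "\n".join(f"{k} {v}" for k, v in EXPECTED.items()) + """
HostKey /etc/ssh/ssh_host_ed25519_key
PidFile /var/run/sshd.pid
LoginGraceTime 30
AllowUsers me_only
AllowTcpForwarding no
X11Forwarding no
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_CONFIG
    print("\n".join(audit(text)) or "no findings")
```

Run it as python3 audit_sshd.py /etc/ssh/sshd_config (the file name is my own choice); with no argument it audits the embedded weak sample and, among other things, reports that PasswordAuthentication is still yes because the first line wins. For the effective configuration after Include and Match processing on a live host, feed it the output of sshd -T instead, which prints lowercased keywords the parser accepts unchanged.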