Linux Remote Networking over the Internet (part 3)

“Hardening the OpenSSH Server for Password Logins

“This is easy, just changing a few lines in
/etc/ssh/sshd_config:

Port 2022
PermitRootLogin no
AllowUsers [usernames or groups separated by spaces]
ListenAddress 192.168.1.1
ClientAliveInterval 3600

“Remember to restart sshd whenever you change the configuration
file. Specifying an alternate port reduces brute-force login
attempts by a lot. Yes, everyone knows that this option is
available, and no, it wouldn’t be very hard to script brute-force
attacks to scan for the open SSH port. But they don’t, and a side
benefit is it cuts down the clutter considerably in your logfiles.
You must select an unused port, which you can find in
/etc/services. Be sure to enter your alternate SSHD port in this
file so you don’t forget.

“Never ever permit a root login over the Internet. If you need
root privileges, log in as an ordinary user and then su or sudo
after logging in. (In the next installment in this series I’ll show
you how to restrict sudo to specific commands.)”
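The settings in the excerpt above can be checked mechanically. This is an added example, not code from the quoted article: it reads the global section of an sshd_config the way sshd does (keywords are case-insensitive and the first value wins) and checks the chosen port against /etc/services. The sample inputs, the user names and the `ssh-alt` services label are assumptions made for illustration.

```python
import re

# Constructed sample inputs (not from the article).
SAMPLE_CONFIG = """\
Port 2022
PermitRootLogin no
AllowUsers alice bob
ListenAddress 192.168.1.1
ClientAliveInterval 3600
# A later duplicate: sshd keeps the first value it reads for this keyword.
permitrootlogin yes
"""
SAMPLE_SERVICES = "ssh 22/tcp\nexample-svc 2022/tcp  # constructed entry\n"

MULTI = {"port", "listenaddress"}  # keywords that may appear more than once

def effective_settings(text):
    """Global settings as sshd reads them, keyed by lower-cased keyword."""
    settings = {}
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "match":
            break  # Match blocks are conditional; this example stops there
        if key in MULTI:
            settings.setdefault(key, []).extend(value.split())
        elif key not in settings:
            settings[key] = value.strip()
    return settings

def audit(config_text, services_text, own_label="ssh-alt"):
    """Return findings for the settings the article changes.
    own_label is the (hypothetical) name you gave your port in services."""
    s = effective_settings(config_text)
    named = {int(p): n for n, p in
             re.findall(r"^\s*([^\s#]+)\s+(\d+)/tcp\b", services_text, re.M)}
    findings = []
    for port in map(int, s.get("port", ["22"])):
        if port == 22:
            findings.append("Port: default port 22 in use")
        elif named.get(port, own_label) != own_label:
            findings.append(f"Port: {port} is listed in services as {named[port]}")
    if s.get("permitrootlogin", "").lower() != "no":
        findings.append("PermitRootLogin: not explicitly 'no'")
    if not s.get("allowusers"):
        findings.append("AllowUsers: not set")
    if not s.get("listenaddress"):
        findings.append("ListenAddress: not set, sshd binds every address")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, SAMPLE_SERVICES) or ["no findings"]:
        print(finding)
```

On a live host, `sshd -t` validates the file before the restart and `sshd -T` prints the effective configuration, including defaults this example does not model.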
