Part 6: Harden sshd
If you must expose SSH to the internet, these are some of the precautions you can take to secure sshd against attacks.
1) Configure sshd
vim /etc/ssh/sshd_config

# change the port to some obscure port
Port 62053
# only allow SSH2 (SSHv1-era option: current OpenSSH has dropped SSHv1 entirely and accepts this keyword only as a deprecated no-op)
Protocol 2
# do not allow direct root logon
PermitRootLogin no
# only allow one unauthenticated session at a time
MaxStartups 2
# allow unauthenticated users to stay attached for 1000 seconds (for tarpitting; use in conjunction with pam_faildelay.so in /etc/pam.d/sshd)
LoginGraceTime 1000
# disallow logons with passwords, relying only on ~/.ssh/authorized_keys
PasswordAuthentication no
# increase key strength (SSHv1 server key size: also deprecated and ignored by current OpenSSH, where host key strength comes from the keys generated with ssh-keygen)
ServerKeyBits 4096
# restrict user and group access
AllowGroups group1
AllowUsers user1
# configure idle session timeouts (note: ClientAlive probes detect unresponsive clients, not idle users, since a live client answers them; and on OpenSSH 8.2 and later a ClientAliveCountMax of 0 disables connection termination entirely)
ClientAliveInterval 120
ClientAliveCountMax 0
# ignore rhosts and shosts
IgnoreRhosts yes
# disallow forwarding
AllowTcpForwarding no
X11Forwarding no
# enable strict mode so that sshd refuses to start if file permissions are incorrect
StrictModes yes
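As an added example (not part of the original guide), a POSIX shell audit that reads an sshd_config, resolves each keyword the way sshd does (first occurrence wins, keywords are case-insensitive) and reports where the file deviates from the settings above; the config it checks is constructed inline, and the output of `sshd -T` can be audited the same way.

```shell
# Added example (not from the original guide): audit an sshd_config against the
# settings above. Like sshd it honours the FIRST occurrence of a keyword, compares
# keywords case-insensitively, accepts "Key value" or "Key=value", and stops at the
# first Match block (assumption: only the global section is audited).
effective_value() {   # effective_value FILE KEYWORD -> first value set, empty if unset
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/ { next }                                # comments, blanks
        { sub(/^[[:space:]]*/, ""); sub(/[[:space:]]*=[[:space:]]*/, " ") }  # Key=value
        tolower($1) == "match" { exit }                              # global section ends
        tolower($1) == key { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }' "$1"
}
check_sshd_config() { # check_sshd_config FILE -> one MISSING/MISMATCH/WARNING line each
    for pair in PermitRootLogin=no PasswordAuthentication=no Port=62053 MaxStartups=2 \
                LoginGraceTime=1000 AllowTcpForwarding=no X11Forwarding=no \
                IgnoreRhosts=yes StrictModes=yes ClientAliveInterval=120; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(effective_value "$1" "$key" | tr 'A-Z' 'a-z')
        if [ -z "$got" ]; then
            echo "MISSING  $key (compiled-in sshd default applies)"
        elif [ "$got" != "$want" ]; then
            echo "MISMATCH $key: got '$got', want '$want'"
        fi
    done
    # The guide sets ClientAliveCountMax 0, but on OpenSSH 8.2+ a value of 0 DISABLES
    # connection termination, so flag it rather than treating it as correct.
    if [ "$(effective_value "$1" ClientAliveCountMax)" = "0" ]; then
        echo "WARNING  ClientAliveCountMax 0 disables idle disconnect on OpenSSH 8.2+"
    fi
}
# Constructed sample (not a real host's file): wrong port, a duplicate PermitRootLogin
# whose second value sshd ignores, Key=value syntax, and a Match block to skip.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
Port 22
PermitRootLogin no
PermitRootLogin yes
passwordauthentication=no
MaxStartups 2
LoginGraceTime 1000
AllowTcpForwarding no
X11Forwarding no
IgnoreRhosts yes
StrictModes yes
ClientAliveInterval 120
ClientAliveCountMax 0
Match User backup
    PasswordAuthentication yes
EOF
check_sshd_config "$SAMPLE_CONF"   # run on /etc/ssh/sshd_config the same way
```

Against the sample it reports only the port mismatch and the ClientAliveCountMax warning; the duplicated PermitRootLogin yes and the Match-scoped PasswordAuthentication yes are correctly ignored, as sshd would ignore them.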
2) Configure PAM to increase the failure delay, so that after an incorrect password the wait before the next password prompt is longer than the default of about 2 seconds:
# in /etc/pam.d/sshd add the following in the auth section (below the first line):
auth optional pam_faildelay.so

# in /etc/login.defs, for a 20 second delay:
FAIL_DELAY 20
3) Although this page will grow with time, by no means is this a definitive list. Please perform further research.