04/25/2014 by h
Configuring SSH on Debian 7
This is a mini guide to configuring SSH on a Debian 7 server. I'm currently using Debian 7 x86 on a VPS, so this guide can help you set up SSH on your VPS; just adapt it to your distro of choice.
If you don't have OpenSSH installed, you can install it with apt-get install openssh-server. After you're done, you can check the configuration files located under /etc/ssh/.
There are two important files there, one for the ssh server and another one for the client:
/etc/ssh/ssh_config -> This one is for the client
/etc/ssh/sshd_config -> This is the one we care about; all the settings here apply to our SSH server
This is an example of an sshd_config file
# Package generated configuration file
# See the sshd_config(5) manpage for details
# What ports, IPs and protocols we listen for
# Use these options to restrict which interfaces/protocols sshd will bind to
# HostKeys for protocol version 2
#Privilege Separation is turned on for security
# Lifetime and size of ephemeral version 1 server key
# Don't read the user's ~/.rhosts and ~/.shosts files
# For this to work you will also need host keys in /etc/ssh_known_hosts
# similar for protocol version 2
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
# To enable empty passwords, change to yes (NOT RECOMMENDED)
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
# Change to no to disable tunnelled clear text passwords
# Kerberos options
# GSSAPI options
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
The following lines are the ones I’ve changed to add some extra security.
# Root login is not allowed on this server
# We use key files to sign in instead of passwords so we need this line
# Because I use certificates I don't allow Password authentication
# Do not allow X11Forwarding, just in case you use X11 on your system
Be aware that changing your configuration file with the lines above requires you to have SSH keys for authentication. If you don't have one, you won't be able to sign back in to your server after restarting the service.
Once you have saved your configuration file, you can restart the SSH service:
service ssh restart
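A check to run on the edited file before the restart, added here as an example and not part of the original post: it reads an sshd_config and reports whether the four settings described in the comments above are actually in effect. The directive names (PermitRootLogin, PubkeyAuthentication, PasswordAuthentication, X11Forwarding), the function names and the sample file are assumptions, since the post's own directive lines are not shown.

```shell
#!/bin/sh
# Added example, not from the original post. Directive names are assumed
# from the post's comments; the sample config below is constructed.

# Print the effective global value of keyword $1 in file $2. sshd keeps the
# first value it obtains for a keyword, and keywords are case-insensitive.
# Parsing stops at the first Match block: later lines apply conditionally.
sshd_value() {
    awk -v key="$1" '
        /^[ \t]*(#|$)/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$2"
}

# Return 0 only if every setting is explicitly present with the wanted value.
audit_sshd_config() {
    rc=0
    for want in PermitRootLogin=no PubkeyAuthentication=yes \
                PasswordAuthentication=no X11Forwarding=no; do
        key=${want%%=*}
        got=$(sshd_value "$key" "$1")
        if [ "$got" != "${want#*=}" ]; then
            echo "FAIL $key: want ${want#*=}, got ${got:-unset}"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: the last line looks like a fix, but the earlier
# "PasswordAuthentication yes" wins, so password logins stay enabled.
write_sample() {
    cat > "$1" <<'EOF'
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication yes
X11Forwarding no
PasswordAuthentication no
EOF
}

tmp=$(mktemp)
write_sample "$tmp"
audit_sshd_config "$tmp" || echo "fix the config before restarting ssh"
rm -f "$tmp"
```

On the server, call audit_sshd_config /etc/ssh/sshd_config and follow it with sshd -t, which checks the file for errors without starting the daemon. Keep your current session open until a key-based login from a second session succeeds.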
When I have more time I will be posting about setting up fail2ban to protect your ssh server from brute force attacks, but for now you should have a functioning SSH server.
Got any comments? contactme (a t_) dr0u. c o m