Protect SSH Access With hosts files and a proper sshd_config
To cover a few more loose ends on access to the SSH service running on your machine, I suggest editing your hosts files to properly reject connections. This tutorial covers locking down SSH without installing any extra applications.
hosts.allow
The hosts.allow file is checked before hosts.deny, so make sure the rules don’t conflict.
- su (type root password)
- cd /etc/
- vi hosts.allow (you can substitute vi with any text editor of your choice, e.g. kate, gedit, mousepad, nano). Use sudo for this command if you are using Debian or Ubuntu.
Allowing things should be in the allow-file, like:
sshd: xxx.xxx.xxx.xxx
So enter the above line into your hosts.allow file. The xxx IP address should be the IP(s) you are connecting from that should be allowed.
hosts.deny
- vi hosts.deny
- Place this line in your hosts.deny file: sshd: ALL EXCEPT xxx.xxx.xxx.xxx
Now on to /etc/ssh/sshd_config
- vi /etc/ssh/sshd_config
- Make sure the following lines are uncommented and have the appropriate values:
- RSAAuthentication yes
- Protocol 2 (make sure it does not specify a "1")
- PasswordAuthentication no (do this ONLY if you have set up keys as shown in "Linux to Linux Key Based SSH")
- AllowUsers user_name1 username2 (specify which user names are allowed to access the system, separated by spaces)
- PermitRootLogin no
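An added example, not part of the original post: a shell script that reads an sshd_config and reports whether the effective global values match the restrictive settings listed above. It relies on sshd using the first uncommented occurrence of a keyword; the sample config and the user names alice and bob are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config file
# against the restrictive settings this tutorial asks for.

# Print the effective global value of keyword $2 in file $1. sshd uses the
# first uncommented occurrence; keywords are case-insensitive; global
# settings end at the first Match block.
effective_value() {
    awk -v key="$2" '
        /^[ \t]*(#|$)/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# Succeed only if keyword $2 in file $1 has value $3.
check_equals() {
    actual=$(effective_value "$1" "$2" | tr 'A-Z' 'a-z')
    [ "$actual" = "$3" ] && { echo "OK    $2 $3"; return 0; }
    echo "FAIL  $2 is '${actual:-unset}', expected '$3'"
    return 1
}

# Return the number of failed checks (0 means every check passed).
audit_sshd_config() {
    failures=0
    for pair in Protocol=2 PasswordAuthentication=no PermitRootLogin=no; do
        check_equals "$1" "${pair%%=*}" "${pair#*=}" || failures=$((failures + 1))
    done
    users=$(effective_value "$1" AllowUsers)
    case $users in
        "")  echo "FAIL  AllowUsers is not set"; failures=$((failures + 1)) ;;
        *,*) echo "FAIL  AllowUsers takes spaces, not commas: $users"; failures=$((failures + 1)) ;;
        *)   echo "OK    AllowUsers $users" ;;
    esac
    return "$failures"
}

# Constructed sample: the "no" is commented out, so the later "yes" applies.
write_sample_config() {
    printf '%s\n' 'Protocol 2' '#PermitRootLogin no' 'PermitRootLogin yes' \
        'PasswordAuthentication no' 'AllowUsers alice, bob' > "$1"
}

if [ -n "${1:-}" ]; then audit_sshd_config "$1"; fi
```

Pass the path of the config as the first argument, for example /etc/ssh/sshd_config, before restarting; `sshd -t` additionally checks the file for syntax errors.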
Now restart sshd
/etc/init.d/sshd restart
In Ubuntu: sudo /etc/init.d/ssh restart
Tags: ssh, tcpwrappers