Reconfiguring SSH to make it stronger

SSH is a great and secure way to log into your Linux server, but a few changes make it stronger and safer. I am writing these tips on a CentOS/RHEL 5 or 6 system; other distributions differ mainly in file paths and service commands.
Start by disabling root logins, but first create another user for ordinary logins, or you will lock yourself out. We will call it newuser. Open a terminal on your server and type:
su -
to become root
useradd newuser
then give it a password
passwd newuser
You will be prompted for a new password. Choose a strong one: at least 8, better 12 or more, characters mixing upper and lower case letters, numbers and special characters such as !?/%. Before going on, check from a second terminal that you can actually log in as newuser over ssh and become root with su -.
Stay logged in as root and edit /etc/ssh/sshd_config with nano or vi:
nano /etc/ssh/sshd_config
locate the PermitRootLogin line and edit it to match the following:
# Prevent root logins:
PermitRootLogin no

Restart the sshd service (keep your current session open until a fresh login as newuser works; existing connections survive the restart):
service sshd restart
Root can no longer log in remotely over ssh.
This shrinks the remote attack surface: anyone trying to break in over ssh must first guess newuser's password and then root's as well to get past su -. Against strong passwords, online brute-force guessing is not practical, but the attempts still show up in /var/log/secure, so watch that file.

You may still want some machines to log in as root for scripts or other special services. You can allow that with RSA public keys only, while passwords for root stay blocked: in /etc/ssh/sshd_config set PermitRootLogin to without-password instead of no (recent OpenSSH releases also spell it prohibit-password; CentOS 5 and 6 use without-password) and restart sshd. With PermitRootLogin no, sshd rejects root even when the key is valid, so the final test below would fail. If the key will only ever run one fixed script, PermitRootLogin forced-commands-only goes a step further and accepts root keys only when their authorized_keys line carries a command= option.
You first need to create a key pair on the client that will log into your server. Move to the client terminal, log in as the user that runs the scripts, and type:
ssh-keygen -t rsa
You will be prompted for a file name and a passphrase. If you leave the passphrase blank, you will not be asked for anything when logging in to the server. That is fine for scripts, but remember that anyone who can read the private key file then has root on your server, so protect the client accordingly. Use a passphrase whenever the key sits on a laptop or mobile device and is used interactively. Keep the default file name: the private key is written to ~/.ssh/id_rsa and the public key to ~/.ssh/id_rsa.pub.
Now set permissions on your newly created keys (ssh-keygen already does this, but it does no harm to make sure):
chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_rsa

then move to the user ssh directory:
cd ~/.ssh
and copy your public key into /root/.ssh/authorized_keys on your remote server (called remoteserver here).
Since you cannot log in as root over ssh, first copy the public key to newuser's home directory on the remote server:
scp ~/.ssh/id_rsa.pub newuser@remoteserver:/home/newuser/
then log in to your remote server as newuser:
ssh newuser@remoteserver
become super user (root)
su -
move to newuser home where the public key file is:
cd /home/newuser/
and append the public key to root's authorized_keys file (create /root/.ssh first if it does not exist yet on this server):
cat id_rsa.pub >> /root/.ssh/authorized_keys
Now remove the copy of the public key from newuser's home:
rm -f /home/newuser/id_rsa.pub
And set permissions on your authorized keys file:
chmod 700 /root/.ssh
chmod 600 /root/.ssh/authorized_keys

And restore the SELinux labels, which otherwise can stop sshd from reading the file even though the permissions are right:
restorecon -Rv /root/.ssh

Now try to log in as root to your remote server from the client; you will not be prompted for a password anymore. If you still are, run the client with ssh -v, which shows whether the key was offered, and check /var/log/secure on the server, which says why it was refused (usually permissions, the SELinux label, or PermitRootLogin still set to no).
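The same key installation as a small script, added here as an example and not part of the original post. It does what the steps above do by hand, but checks that the file really is a single OpenSSH public key (pasting a private key by mistake is a classic accident), creates /root/.ssh when it is missing, does not append the same key twice, and sets the permissions sshd insists on: with StrictModes yes, the default, sshd silently ignores an authorized_keys file or .ssh directory that is writable by group or others. The paths, the user names and the key material shown in the comments are placeholders, and root's key login additionally requires PermitRootLogin set to without-password rather than no.

```shell
#!/bin/sh
# Added example (not from the original post): install one OpenSSH public key
# into an account's authorized_keys the way the article does by hand.
# Usage (on the server, as root):
#   install_authorized_key /root /home/newuser/id_rsa.pub
# Any home directory and key file work; these paths are just the article's.

install_authorized_key() {
    home_dir=$1
    pubkey_file=$2
    ssh_dir="$home_dir/.ssh"
    auth_file="$ssh_dir/authorized_keys"

    # Accept exactly one line that looks like "ssh-rsa AAAA... comment".
    # awk counts records even when the file lacks a trailing newline.
    if [ "$(awk 'END { print NR }' "$pubkey_file")" -ne 1 ] || \
       ! grep -Eq '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/=]+' "$pubkey_file"; then
        echo "not a single OpenSSH public key: $pubkey_file" >&2
        return 1
    fi

    # /root/.ssh usually does not exist yet on a freshly installed server
    mkdir -p "$ssh_dir"
    touch "$auth_file"

    # Append only if this key material (the base64 blob) is not already there;
    # awk '1' guarantees a terminating newline so keys never run together.
    key_blob=$(awk '{ print $2 }' "$pubkey_file")
    if ! grep -qF -- "$key_blob" "$auth_file"; then
        awk '1' "$pubkey_file" >> "$auth_file"
    fi

    # sshd (StrictModes yes) ignores the file if it or the directory is
    # group/world writable; these are the values the article uses.
    chmod 700 "$ssh_dir"
    chmod 600 "$auth_file"

    # On CentOS/RHEL restore the SELinux label; a no-op where the tool is absent
    if command -v restorecon >/dev/null 2>&1; then
        restorecon -R "$ssh_dir" 2>/dev/null || true
    fi
}

# Number of keys now authorised for the account living in $1
count_keys() {
    grep -Ec '^(ssh-|ecdsa-)' "$1/.ssh/authorized_keys"
}
```

Run it on the server as root, then test from the client with ssh -v root@remoteserver while your existing session stays open. For a key that only needs to run one script, prefix its line in authorized_keys with from="client-ip",command="/path/to/script" so that a stolen key cannot be used for anything else.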

You may wish to disable password logins entirely and accept only public key authentication. Edit /etc/ssh/sshd_config on the remote server as root, find the following line and set it like this (on CentOS/RHEL, where UsePAM is yes, also set ChallengeResponseAuthentication no, otherwise sshd still lets users type a password through keyboard-interactive authentication; then restart sshd):
# Disable password authentication forcing use of keys
PasswordAuthentication no

Be careful: if your only key stops working you have locked yourself out with no ssh login left. Always keep a second, independent way in (another user with its own key, or console/out-of-band access) and do not close your current session until a fresh login works. You can keep that account safe by changing its password and using fail2ban (read more later).
