Maker tech hub — AI · 3D print · Pi · ESP32 · plus the classic tech archive.

Free ESP32 kit · Books · Network Ninja · Archive

Classic tech archive. From the original averyjparker.com tech blog — historical context; pair with modern guides where noted. Full archive · Maker projects · Network Ninja

Classic tip · Classic

Securing SSH

I REALLY like secure shell (SSH) for remote access to linux machines. You can do more than just a "telnet" like remote shell with it. (Port forwarding.) However, the default configuraton for the open…

Written by

Avery J. Parker

IT veteran, maker educator, and author of Network Ninja, 3D Printing Mastery, and AI Workflow Mastery. Business IT: Diversified Tech Solutions.

I REALLY like secure shell (SSH) for remote access to linux machines. You can do more than just a "telnet" like remote shell with it. (Port forwarding.) However, the default configuraton for the openssh-server is sometimes a bit less tight than I would like. For that reason on a new install, I usually like to make a few changes. I don't know if I've mentioned this before, but I haven't devoted a post JUST to this, so... here we go.


Under mandriva, the config file for the openssh server is at /etc/ssh/sshd_config First off, I like to make sure that just version 2 of the SSH protocol is used. This may break compatiblity with older clients that don't support version 2. In a nutshell, v. 2 is a more secure implemenation
, and in my case, I don't use anything that doesn't support version 2... so... the following gets changed in the sshd_config - protocol 2,1 is commented out and protocol 2 added.

#Protocol 2,1
Protocol 2

Next, I like to make sure that root login is disabled...

PermitRootLogin no

After all, every system has a root user, why make it a bit easier for someone to brute force their way in?

I also like to setup a group called sshusers and limit access to just those that need to remotely get in.

AllowGroups sshusers

This way if I have a lame test account with an equally lame password, it can't be remotely exploited this way (unless I'm dumb enough to add them to sshusers...)

The AllowUsers directive is another way to do this...
AllowUsers user1, user2, user3

These are just a couple steps you can take to tighten up your ssh server setup. For more on SSH usage and configuration you might consult the manual (man) pages, or may I suggest SSH, The Secure Shell: The Definitive Guide