UnderHost Networks Ltd
Posted by UnderHost (UnderHost Management), 02-10-2010, 09:13 PM
Secure Centos - Hardening SSHD

Step 1: First create a regular user, since direct root login is about to be disabled. This is the account you will log in with before using "su -" to become root:
Code:
adduser admin && passwd admin

Step 2: Back up your current sshd_config (if anything goes wrong, move the .bak file back into place to restore the old settings)
Code:
mv /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

Step 3: Create a new sshd_config file
Code:
nano -w /etc/ssh/sshd_config

Step 3.1: Paste this into the new file
Code:
## Changing to a non-default port (e.g. 2488) is recommended. Allow the new port
## in iptables (and, if SELinux is enforcing, in the ssh_port_t type) before restarting.
Port 22

## Listening address on the server (default 0.0.0.0 = all interfaces)
#ListenAddress 192.168.0.1

## Enforce SSH protocol 2 only
Protocol 2

## Disable direct root login: log in as the admin user, then "su -" to become root
PermitRootLogin no

## Run the pre-authentication part of sshd as an unprivileged process
UsePrivilegeSeparation yes

## Disable TCP port forwarding through the SSH connection
AllowTcpForwarding no

## Disable X11 forwarding
X11Forwarding no

## Check that users' home directories and rhosts files are not world-writable before accepting a login
StrictModes yes

## Ignore .rhosts and .shosts files during authentication
IgnoreRhosts yes

## Disable host-based authentication
HostbasedAuthentication no

## Disable rhosts authentication combined with RSA host authentication (a protocol 1 option)
RhostsRSAAuthentication no

## Banner shown to the client before authentication
Banner /etc/motd

## SFTP subsystem: commented out means SFTP is disabled; uncomment to enable it
#Subsystem      sftp    /usr/libexec/openssh/sftp-server

## Only these users may log in (space-separated list)
AllowUsers admin
Then press Ctrl+X, answer Y, and confirm the filename to save and leave nano.


Step 4: Re-open the sshd_config you created and verify the settings
Code:
nano -w /etc/ssh/sshd_config
Remember to change the port to something other than 22 (for example, Port 2488). sshd uses the first occurrence of a directive and ignores any later duplicate, so do not leave two Port or PermitRootLogin lines in the file.

Step 5.1: Add text to MOTD Banner file (/etc/motd)
Code:
nano -w /etc/motd

Step 5.2: Add this text, or wording of your choice (on CentOS, /etc/motd is also printed after a successful login, so the same text is shown twice)
Code:
Private system, please log off.

Step 6: Check the configuration, then restart the SSHD daemon
Code:
sshd -t && service sshd restart
If sshd -t reports an error, fix it before restarting: a restart with a broken config stops the daemon and leaves it down.

Step 7: Open a NEW client and test that you can connect on the new port as the admin user and that "su -" works. Do not close the current SSH session until that succeeds, in case of problems.
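The seven steps above as a script, added here as an example and not code from the original post. It performs steps 2 to 6 with the checks a practitioner would add: the old file is copied rather than moved (sshd will not start with no config file at all), the candidate is validated with "sshd -t" before it replaces the live file, and the restart is left to the operator so the current session stays open until step 7 has been done from a second client. It also includes a small reader for sshd_config that returns the value sshd will actually use, since sshd takes the first occurrence of a directive and ignores later ones. The port 2488, the user names, the backup naming and the script filename are assumptions.

```shell
#!/bin/bash
# Added example (not code from the original post): the seven steps above as
# shell functions, plus the checks to run before restarting sshd. The port
# (2488), the user names and the backup file naming are assumptions.
set -eu

# sshd_effective_value <config> <keyword>
# Prints the value sshd will actually use for <keyword>. sshd_config honours
# the FIRST occurrence of a keyword and ignores later ones (so appending
# "PermitRootLogin no" below an existing "PermitRootLogin yes" changes
# nothing), keywords are case-insensitive, and everything from the first
# "Match" line onward is conditional and is skipped. The "Keyword=value"
# spelling is not handled.
sshd_effective_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/            { next }   # comment
        NF == 0                     { next }   # blank line
        tolower($1) == "match"      { exit }   # end of the global section
        tolower($1) == tolower(key) { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$1"
}

# write_hardened_sshd_config <dest> <port> <user>...
# Writes the post's configuration to <dest> with mode 0600. Writing to a
# separate file first lets the result be checked before it goes live.
write_hardened_sshd_config() {
    local dest="$1" port="$2"
    shift 2
    printf '%s\n' \
        "Port $port" \
        'Protocol 2' \
        'PermitRootLogin no' \
        'UsePrivilegeSeparation yes' \
        'AllowTcpForwarding no' \
        'X11Forwarding no' \
        'StrictModes yes' \
        'IgnoreRhosts yes' \
        'HostbasedAuthentication no' \
        'RhostsRSAAuthentication no' \
        'Banner /etc/motd' \
        '#Subsystem sftp /usr/libexec/openssh/sftp-server' \
        "AllowUsers $*" > "$dest"
    chmod 600 "$dest"
}

# audit_sshd_config <config> <port> <user>...
# Prints one FAIL line per directive whose effective value differs from the
# hardened one and returns the number of failures (0 = the file passes).
audit_sshd_config() {
    local cfg="$1" port="$2"
    shift 2
    local users="$*" failures=0 key expect got
    while read -r key expect; do
        [ -n "$key" ] || continue
        got=$(sshd_effective_value "$cfg" "$key")
        if [ "$got" != "$expect" ]; then
            printf 'FAIL %s: want "%s", got "%s"\n' "$key" "$expect" "$got"
            failures=$((failures + 1))
        fi
    done <<EOF
Port $port
Protocol 2
PermitRootLogin no
UsePrivilegeSeparation yes
AllowTcpForwarding no
X11Forwarding no
StrictModes yes
IgnoreRhosts yes
HostbasedAuthentication no
RhostsRSAAuthentication no
Banner /etc/motd
AllowUsers $users
EOF
    return "$failures"
}

# install_hardened_sshd_config <port> <user>...
# Steps 2-6 of the post. Must run as root; touches /etc/ssh only.
install_hardened_sshd_config() {
    local port="$1"
    shift
    local live=/etc/ssh/sshd_config candidate
    candidate=$(mktemp /etc/ssh/sshd_config.new.XXXXXX)
    cp -p "$live" "$live.bak.$(date +%Y%m%d%H%M%S)"   # copy, not mv: sshd needs a file
    write_hardened_sshd_config "$candidate" "$port" "$@"
    audit_sshd_config "$candidate" "$port" "$@"
    sshd -t -f "$candidate"            # parse check; a failure aborts the install here
    mv "$candidate" "$live"
    echo "Installed. Before 'service sshd restart', open the new port:"
    echo "  iptables -I INPUT -p tcp --dport $port -j ACCEPT && service iptables save"
    echo "  semanage port -a -t ssh_port_t -p tcp $port   # only if SELinux is enforcing"
}

# Run as root, e.g.:  ./harden_sshd.sh --install 2488 admin
if [ "${1:-}" = "--install" ]; then
    shift
    install_hardened_sshd_config "$@"
fi
```

The audit function is the useful part for an existing host: run audit_sshd_config against the live file and it reports which of the post's settings are not actually in effect, including the case where a "PermitRootLogin no" was appended below an earlier "PermitRootLogin yes" and is silently ignored.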
Copyright © 2009 UnderHost Networks Ltd