Hardening SSH Service
This quick guide should work with any standard OpenSSH installation on Linux or UNIX. The goal is twofold: the root user must not be able to log in remotely, and the service must accept public/private key pairs instead of passwords. Each regular user needs a key pair of their own, so let's create one first (create ~/.ssh with mode 700 if it does not exist yet):
cd ~/.ssh/
ssh-keygen -t rsa -b 2048 -f id_rsa
Running the above command you will be asked for a passphrase for your private key and to confirm it; do not leave it blank, the passphrase is what protects the key if the file is ever copied. 2048 bits is the minimum worth using today; -b 4096, or -t ed25519 on any OpenSSH recent enough to support it, is preferable.
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
When confirmation succeeds, you’ll get an output similar to the following:
Your identification has been saved in id_rsa.
Your public key has been saved in id_rsa.pub.
The key fingerprint is:
6f:98:44:21:3f:31:22:11:41:fc:6a:92:56:27:9e:71 user@server
You now have two new files in the ~/.ssh folder: id_rsa (the private key) and id_rsa.pub (the public key). Now append the contents of id_rsa.pub to the file authorized_keys:
cat id_rsa.pub >> ~/.ssh/authorized_keys
Never leave your private key on the server: move it to the client you will connect from and keep it somewhere safe. Also make sure the permissions are restrictive, 700 on ~/.ssh itself and 600 on the files inside; with StrictModes (the default) sshd silently ignores an authorized_keys file that is group- or world-writable:
-rw------- 1 user user 398 2006-11-10 08:20 authorized_keys
-rw------- 1 user user 1743 2006-11-10 08:22 id_rsa
Hardening SSH Service Configuration
We only have to edit one file: /etc/ssh/sshd_config
Make sure the following parameters are set as shown. If a line is missing, add it, but above any Match block: every directive that follows a Match line applies only inside that block, so a setting appended at the very end of a file that contains a Match block would not take effect globally.
# Use any port you like instead of the default 22. Keep comments on their own
# line: older OpenSSH versions reject a comment placed after a directive.
Port 4422
PermitRootLogin no
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys
ChallengeResponseAuthentication no
PasswordAuthentication no
Port
A non-standard port cuts the noise from automated scanners and brute-force bots, but it is obscurity, not authentication: the real protection is the key-only login configured below. Remember to open the new port in the firewall (and, on SELinux systems, register it with semanage port) before restarting the service.
PermitRootLogin
Prevents the root user from logging in through SSH; administrators log in as a regular user and escalate locally.
RSAAuthentication
Specifies whether pure RSA authentication is allowed. It applies to protocol version 1 only, which modern OpenSSH no longer supports; current versions ignore this keyword, so it can be left out.
PubkeyAuthentication
Allows users to authenticate with their key pairs.
AuthorizedKeysFile
Location of the file holding the public keys accepted for a user (%h expands to the user's home directory). Note the keyword is AuthorizedKeysFile, with an s.
ChallengeResponseAuthentication
Controls support for the "keyboard-interactive" authentication scheme defined in RFC 4256. That scheme can ask the user any number of multi-faceted questions, but in practice it usually asks only for the user's password, so it must be disabled as well or a PAM password prompt remains open after PasswordAuthentication is turned off.
PasswordAuthentication
Determines whether a password can be used to authenticate over SSH. With the keys in place, turn it off so that only key holders can log in.
Before restarting, check the syntax with sshd -t (it only parses the file and reports errors, it does not restart anything). Then restart the service with something like
service sshd restart
(or systemctl restart sshd on systemd distributions). Keep your current session open and verify from a second terminal that you can connect on the new port with your key before closing it, or you may lose access to your server!
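As an added example, not taken from the original post, the following POSIX shell script applies the directives above to an sshd_config file idempotently and handles the two cases that bite in practice: a commented-out default such as "#Port 22" that should be replaced rather than duplicated, and a Match block, before which a missing global directive must be inserted. It assumes awk and mktemp are available; the sshd -t check only runs when sshd is on PATH and the script runs as root, because the parser needs to read the host keys. RSAAuthentication is deliberately left out since it only concerned protocol 1.

```sh
#!/bin/sh
# Added example, not from the original post: idempotently apply the sshd_config
# directives from this guide and validate the file before sshd is restarted.
# Assumes a POSIX sh with awk and mktemp. Directive names and values are the
# OpenSSH ones; RSAAuthentication is omitted because it applied to protocol 1 only.

# set_directive FILE KEY VALUE
# Rewrites FILE so that exactly one global "KEY VALUE" line is in effect:
#  - the first existing KEY line (live, or a "#KEY ..." default) is replaced,
#  - further global KEY lines are dropped: sshd honours the first occurrence,
#    so a stray "PasswordAuthentication yes" higher up would silently win,
#  - a missing directive is inserted before the first Match block, not appended,
#    because anything after a Match line applies only inside that block,
#  - lines inside Match blocks are left untouched.
set_directive() {
    _file=$1; _key=$2; _value=$3
    _tmp=$(mktemp) || return 1
    awk -v key="$_key" -v value="$_value" '
        {
            iscomment = ($0 ~ /^[ \t]*#/)
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)     # drop indent and a leading "#"
            split(line, f, /[ \t=]+/)            # sshd also accepts "Key=Value"
            word = tolower(f[1])                 # keywords are case-insensitive
            if (!iscomment && word == "match") {
                if (!done) { print key " " value; done = 1 }
                inmatch = 1
            }
            if (!inmatch && word == tolower(key)) {
                if (!done) { print key " " value; done = 1 }
                next
            }
            print
        }
        END { if (!done) print key " " value }
    ' "$_file" > "$_tmp" && cat "$_tmp" > "$_file"   # cat keeps owner and mode
    _rc=$?
    rm -f "$_tmp"
    return $_rc
}

# get_directive FILE KEY: print the value of the effective global KEY line
# (first uncommented occurrence before any Match block), or nothing.
get_directive() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        {
            split($0, f, /[ \t=]+/)
            i = (f[1] == "") ? 2 : 1            # leading whitespace gives an empty f[1]
            if (tolower(f[i]) == "match") exit
            if (tolower(f[i]) == tolower(key)) { print f[i + 1]; exit }
        }
    ' "$1"
}

# harden_sshd_config FILE: apply the guide's settings, then syntax-check FILE.
harden_sshd_config() {
    _cfg=$1
    [ -n "$_cfg" ] || { echo "usage: harden_sshd_config /etc/ssh/sshd_config" >&2; return 2; }
    set_directive "$_cfg" Port 4422 &&
    set_directive "$_cfg" PermitRootLogin no &&
    set_directive "$_cfg" PubkeyAuthentication yes &&
    set_directive "$_cfg" AuthorizedKeysFile '%h/.ssh/authorized_keys' &&
    set_directive "$_cfg" ChallengeResponseAuthentication no &&
    set_directive "$_cfg" PasswordAuthentication no || return 1
    # sshd -t only parses the file; it needs root to read the host keys, so the
    # check is skipped when not root (or when sshd is not installed here).
    if command -v sshd >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        sshd -t -f "$_cfg" || return 1
    fi
}

# Typical use, as root, with the current session kept open in another terminal:
#   harden_sshd_config /etc/ssh/sshd_config && service sshd restart
#   sshd -T | grep -Ei '^(port|permitrootlogin|passwordauthentication) '
```

The final sshd -T line is the check worth keeping: it prints the configuration as the running daemon actually resolves it, so a duplicate or misplaced directive shows up there even when sshd -t reports no syntax error.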
Client connection
With your private key now on your local machine, first make sure the permissions of the file are correct with chmod 600 ~/.ssh/id_rsa (ssh refuses to use a private key that other users can read), then connect with the new port and key:
ssh -p 4422 -i ~/.ssh/id_rsa user@server_ip
Thanks for reading!