[root@rhce-ryanrudolf]# rm -rf / 2> /dev/null

things I break/fix for fun and learning

Apr 10, 2018 - 2 minute read - Comments

Securing SSH Server

Now that I can reach my ESXi host remotely through an SSH tunnel, the next step is to harden the SSH server itself: we don’t want unauthorized users logging into it.

Several ways to secure / harden SSH that I will implement on my server -

  • change the default port (this mainly cuts down automated scanner noise in the logs; it is not a substitute for the next two items)

  • disable root logins

  • allow only whitelisted usernames (AllowUsers)

To start with, edit the SSH server configuration file -

vi /etc/ssh/sshd_config

Look for the Port 22 line, uncomment it, and change it to the desired port (one that nothing else on the host is listening on) -

Port xxxx

Look for PermitRootLogin, uncomment it, and change it to no. From then on you log in as a regular user and use su or sudo for root work -

PermitRootLogin no

Lastly, add an AllowUsers line, replacing username with the specific account that is allowed to log in over SSH. Note that once AllowUsers is present every account not listed is refused, so the user you connect as for the tunnel must be on the list -

AllowUsers username

Once all the changes are made, save the config file and restart the sshd service. Keep your current session open while you do this and test a fresh login from a second terminal, so that a typo cannot lock you out -

systemctl restart sshd

UPDATE1:

Because of SELinux, sshd won’t restart properly when it is configured to use a port other than 22. Upon checking the logs, it shows access denied. If we set SELinux to permissive and then restart sshd, it works OK. This means SELinux is interfering with our configuration. I will do another writeup on how to make it work with SELinux enforcing.

UPDATE2:

Even with SELinux set to permissive and no errors when restarting sshd, I still cannot log in to SSH using a different port. It looks like the firewall needs to be reconfigured to allow the custom port for SSH. I will do another writeup on how to make SSH work with a custom port.
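Pulling the three edits and the two follow-ups together, here is an added example script (mine, not the post’s own commands) that applies the same settings to an sshd_config file, validates the result with sshd -t before restarting, and then, on a RHEL-style host, deals with the two problems recorded in the updates: it labels the new port ssh_port_t so sshd may bind it with SELinux enforcing, and opens the port in firewalld. The file name harden-sshd.sh, the port 2222 and the user ryan are made-up illustrative values; the script assumes firewalld and the semanage tool (from policycoreutils-python or policycoreutils-python-utils) are present, as they normally are on RHEL/CentOS, and skips those steps if they are not.

```shell
#!/bin/sh
# harden-sshd.sh (hypothetical name): apply Port / PermitRootLogin / AllowUsers
# to an sshd_config, validate it, fix the SELinux port label and firewalld rule,
# then restart sshd. Added example, not the post's original commands.

# Set one "Key value" directive in an sshd_config. The first matching line,
# active or commented out (#Key ...), is replaced in place. If there is no
# such line the directive is inserted before the first Match block (anything
# appended after a Match block would only apply inside that block), or at
# the end of the file when there is no Match block.
# $1 = config file, $2 = directive name, $3 = value
set_directive() {
    file=$1 key=$2 value=$3
    awk -v key="$key" -v value="$value" '
        !done && $0 ~ ("^[ \t]*#?" key "([ \t]|$)") { print key " " value; done = 1; next }
        !done && $0 ~ "^[ \t]*Match([ \t]|$)"        { print key " " value; done = 1 }
        { print }
        END { if (!done) print key " " value }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# The three settings from the post. Works on any sshd_config path, so it can
# be exercised on a copy before touching /etc/ssh/sshd_config.
# $1 = config file, $2 = new port, $3 = AllowUsers list (space separated)
harden_sshd_config() {
    cfg=$1 port=$2 users=$3
    case $port in
        ''|*[!0-9]*) echo "port must be numeric: $port" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "port out of range: $port" >&2; return 1; }
    [ -n "$users" ] || { echo "AllowUsers list must not be empty (you would lock everyone out)" >&2; return 1; }
    cp -p "$cfg" "$cfg.bak.$(date +%Y%m%d%H%M%S)"   # rollback copy
    set_directive "$cfg" Port "$port"
    set_directive "$cfg" PermitRootLogin no
    set_directive "$cfg" AllowUsers "$users"
}

# Live steps: need root and a real host. Keep the current SSH session open
# until a second login on the new port has succeeded.
apply_live() {
    cfg=$1 port=$2
    # Refuse to restart on a bad config: sshd -t parses it and exits non-zero on errors.
    /usr/sbin/sshd -t -f "$cfg" || { echo "sshd_config failed validation, not restarting" >&2; return 1; }
    # UPDATE1: with SELinux enforcing, sshd may only bind ports labelled ssh_port_t
    # (22 by default). Label the new port instead of going permissive; -m is the
    # fallback when the port already carries another label.
    if command -v semanage >/dev/null 2>&1 && [ "$(getenforce 2>/dev/null)" != "Disabled" ]; then
        semanage port -a -t ssh_port_t -p tcp "$port" 2>/dev/null ||
            semanage port -m -t ssh_port_t -p tcp "$port"
    fi
    # UPDATE2: firewalld's default zone only allows the "ssh" service (22/tcp).
    if command -v firewall-cmd >/dev/null 2>&1; then
        firewall-cmd --permanent --add-port="${port}/tcp" && firewall-cmd --reload
    fi
    systemctl restart sshd
    # Confirm sshd is actually listening on the new port before closing the old session.
    ss -ltn "( sport = :$port )"
}

main() {
    [ $# -eq 3 ] || { echo "usage: $0 <sshd_config> <port> <AllowUsers list>" >&2; return 2; }
    harden_sshd_config "$1" "$2" "$3" && apply_live "$1" "$2"
}

# Runs only when given arguments, e.g.:
#   sudo sh harden-sshd.sh /etc/ssh/sshd_config 2222 ryan
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it against a copy of the config first (harden_sshd_config alone makes no live changes) and diff the result against the backup it leaves behind. Since the edit, the validation and the restart are separate functions, a failed sshd -t stops the script before the service is touched, which is the step that protects you from locking yourself out.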
