CentOS 6 Setup Guide

SSH

Enabling key-based authentication

Password authentication on the remote server is risky and should be disabled. Make sure you have a local RSA key pair and register its public key on the server so the server accepts connections from it:

ssh-copy-id -i ~/.ssh/{{your_key_file}} root@{{hostname}}

Afterwards the root user's password should be deleted and locked so only key-based authentication is possible:

passwd -d root
passwd -l root

Securing sshd

sshd is the server daemon from the OpenSSH package that accepts incoming SSH connections. The default configuration can be tightened for further security:

nano /etc/ssh/sshd_config

PermitRootLogin without-password  # only allow key-based auth for root
MaxAuthTries 3
PasswordAuthentication no
GSSAPIAuthentication no
AllowUsers root                   # only the root user is allowed to log in via SSH

PrintMotd yes
PrintLastLog yes
Banner /etc/issue.net
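sshd honours only the first occurrence of a keyword, so a stray earlier line can silently override the settings above; the following audit script is an added example, not part of the original guide, and assumes the config path is passed as its first argument:

```shell
#!/bin/sh
# Audit an sshd_config against the hardened settings recommended above.
# Added example (not from the original guide); the config path is an
# assumption, defaulting to /etc/ssh/sshd_config when no argument is given.

# Directive=value pairs the guide asks for, one per line.
WANTED="PermitRootLogin=without-password
MaxAuthTries=3
PasswordAuthentication=no
GSSAPIAuthentication=no
AllowUsers=root
Banner=/etc/issue.net"

# Print the effective value of a directive: the first non-comment match
# wins, mirroring sshd's first-occurrence rule. Keywords are matched
# case-insensitively; only the first argument of a directive is returned.
sshd_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Return 0 when every wanted directive is present with the wanted value,
# 1 otherwise, printing each mismatch (or "unset" when the keyword is missing).
audit_sshd_config() {
    cfg="${1:-/etc/ssh/sshd_config}"
    rc=0
    for pair in $WANTED; do
        key="${pair%%=*}"
        want="${pair#*=}"
        got="$(sshd_value "$cfg" "$key")"
        if [ "$got" != "$want" ]; then
            echo "MISMATCH: $key is '${got:-unset}', expected '$want'"
            rc=1
        fi
    done
    return $rc
}
```

After editing, `sshd -t` checks the file for syntax errors before you restart the daemon with `service sshd restart`.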

For legal reasons we display a warning banner before login (the Banner directive above):

nano /etc/issue.net

###############################################################################
#                                !!! ALERT !!!                                #
#                    You are entering into a secured area!                    #
#                                                                             #
#             Your IP, login time and username have been noted and            #
#                  have been sent to the server administrator!                #
#                                                                             #
#            This service is restricted to authorized users only.             #
#                  All activities on this system are logged.                  #
#                                                                             #
#             Unauthorized access will be fully investigated and              #
#            reported to the appropriate law enforcement agencies.            #
###############################################################################

and the message shown after a successful login in nano /etc/motd:

###############################################################################
#                                   WELCOME                                   #
#                    You are logged into a server owned by                    #
#                         Rackster Internet Services.                         #
#                                                                             #
#                 All connections are monitored and recorded!                 #
#                                                                             #
#          Disconnect IMMEDIATELY if you are not an authorized user!          #
###############################################################################

Another best practice is to change the port sshd listens on. Personally, I prefer not to change it, for several reasons. First, the settings above should be secure enough. Second, if script kiddies or attackers try to break into our machine, they will most likely start at port 22. Why not use that fact to our advantage by strictly filtering incoming connections on that port with a tool such as OSSEC and blacklisting the offending IP completely? That way we get a kind of honeypot, rather than security through obscurity.