SSH Security Hardening Notes
SSH is a favorite attack vector among hackers.
To harden ssh and protect against ssh-hacker attempts, make following modifications to sshd_config:
root@gemini:/etc/ssh# cat sshd_config PermitRootLogin no #Port 22 #AddressFamily any #we only allow access from our zonetier-one vpn (IP commented out here for security reasons): ListenAddress 10.****** # Disable password authentication forcing use of keys only to login: PasswordAuthentication no
Then restart sshd.
From then on ssh logins can only be made from inside the Zonetier VPN. And they cannot in any case be done using root, nor with password-entry logins, only with ssh keys.
Users must first of all transfer their ssh keys from their client to the server either using ssh-copy-id if authorized, or alternatively copy-pasting their id_rsa.pub to the authorized_keys file located in their /home/<user>/.ssh directory.
This means non-users do not have any admittance to the server.
In addition to these measures, I also installed and activated fail2ban and reviewed all ports in the ufw /iptables firewalling.