How Can We Help?

SSH Security Hardening Notes

You are here:
< All Topics

SSH is a favorite attack vector among hackers.


To harden ssh and protect against ssh-hacker attempts, make following modifications to sshd_config:


root@gemini:/etc/ssh# cat sshd_config

PermitRootLogin no

#Port 22
#AddressFamily any

#we only allow access from our zonetier-one vpn  (IP commented out here for security reasons):

ListenAddress 10.******  

# Disable password authentication forcing use of keys only to login:
PasswordAuthentication no

Then restart sshd.


From then on ssh logins can only be made from inside the Zonetier VPN.  And they cannot in any case be done using root, nor with password-entry logins, only with ssh keys.


Users must first of all transfer their ssh keys from their client to the server either using ssh-copy-id if authorized, or alternatively copy-pasting their to the authorized_keys file located in their /home/<user>/.ssh directory.


This means non-users do not have any admittance to the server.


In addition to these measures, I also installed and activated fail2ban and reviewed all ports in the ufw /iptables firewalling.


Table of Contents