sshd
Login with your ssh key
Copy your public key to the server to allow login with the matching private key (the private key never leaves your machine).
$ ssh-copy-id <user>@<server>
/etc/ssh/sshd_config
Danger
Any time you modify sshd_config(5),
test the changes before you close the connection to your server.
Check the syntax with sshd -t, reload the config with systemctl reload sshd
(the unit is called ssh on Debian and Ubuntu),
and open a new SSH connection from a second terminal before doing anything else. Keep the existing session open until the new one works.
Disallow root login and force protocol version 2.
PermitRootLogin no
Protocol 2
OpenSSH 7.4 and later only speak version 2 and report Protocol as a deprecated option when you run sshd -t; the line does no harm, but you only need it on older servers.
If you have copied your public key to the server and verified that key login works, you can also disable password login:
PasswordAuthentication no
You may also choose to restrict SSH access to certain users. AllowUsers applies to every authentication method, so make sure the account you log in with is on the list.
AllowUsers aspyct
If your server is internet-facing, it can also be useful to move SSH to another port. It won't save you if your server is specifically targeted, but most bot scans only try port 22. Pick any free port between 1025 and 65535.
Danger
Don't forget to allow that port in the firewall, otherwise you'll be locked out of your server for good. On SELinux systems (RHEL, Fedora) you also have to label the new port with semanage port -a -t ssh_port_t -p tcp <port>, or sshd will not be allowed to bind it.
Port 12345
ssh-audit
Run ssh-audit against the server (ssh-audit <server>) to check for weak algorithms and other recommendations, and keep adjusting until it reports no failures. Its verdicts depend on the ssh-audit version and on your OpenSSH version, so re-run it after upgrades.
Adding the following to sshd_config
should be a good starting point:
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
HostKeyAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
ssh-rsa is deliberately left out of HostKeyAlgorithms: it is the SHA-1 based RSA signature scheme, ssh-audit flags it as a failure, and OpenSSH 8.8 disabled it by default. rsa-sha2-256 and rsa-sha2-512 use the same RSA host key with SHA-2, so RSA clients keep working. Current ssh-audit versions also warn about diffie-hellman-group14-sha256 because of its 2048-bit modulus; drop it if all your clients support the other groups, and on OpenSSH 9.0 or later you can put sntrup761x25519-sha512@openssh.com at the front of KexAlgorithms. sshd refuses to start if a line names an algorithm it does not know, which is one more reason to run sshd -t before reloading.
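The settings above are easy to get subtly wrong (a typo in a value, a stray ssh-rsa, a directive that only ends up inside a Match block). As an added example that is not part of this page and not part of ssh-audit or OpenSSH, here is a small POSIX shell linter that reads an sshd_config and reports the settings this page recommends changing. It assumes the usual "Keyword value" syntax, mimics sshd's rule that the first occurrence of a directive wins and that everything after the first Match line is conditional, and uses a deny list of algorithms chosen here (SHA-1, MD5, CBC, RC4, 3DES, DSA and plain ssh-rsa). The two sample configs at the bottom are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from this page, ssh-audit or OpenSSH): a small linter for
# sshd_config covering the settings discussed above. It only reads the file,
# so you can run it on a copy before `sshd -t` and the reload.
# Usage: sh sshd_lint.sh /etc/ssh/sshd_config   (exit status = number of findings)

# Print the effective global value of KEYWORD in FILE. sshd uses the FIRST
# occurrence of a directive, and everything after the first "Match" line is
# conditional, so parsing stops there. Prints nothing if the directive is
# absent (compiled-in default applies). Assumes "Keyword value", not "Keyword=value".
sshd_opt() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        tolower($1) == "match" { exit }
        /^[ \t]*#/ || NF < 2   { next }
        tolower($1) == key     { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; exit }
    ' "$1"
}

# Print every entry of a comma-separated algorithm list that is on the deny
# list assumed here: SHA-1 or MD5 based, CBC mode, RC4, 3DES, DSA, and plain
# ssh-rsa (the SHA-1 signature scheme; rsa-sha2-256/512 use the same keys and are fine).
weak_algos() {
    printf '%s\n' "$1" | tr ',' '\n' | while IFS= read -r a; do
        case "$a" in
            ssh-rsa|ssh-rsa-cert*|ssh-dss|ssh-dss-cert*|*sha1*|*md5*|*-cbc|arcfour*|3des*)
                printf '%s\n' "$a" ;;
        esac
    done
}

# check_sshd_config FILE: one line per finding on stdout; the return value is
# the number of findings (0 = every check passed).
check_sshd_config() {
    f=$1; n=0
    v=$(sshd_opt "$f" PermitRootLogin)
    [ "${v:-prohibit-password}" = no ] ||
        { echo "PermitRootLogin is '${v:-unset}', want no"; n=$((n+1)); }
    v=$(sshd_opt "$f" PasswordAuthentication)
    [ "${v:-yes}" = no ] ||
        { echo "PasswordAuthentication is '${v:-unset}', want no"; n=$((n+1)); }
    v=$(sshd_opt "$f" PubkeyAuthentication)
    [ "${v:-yes}" != no ] ||
        { echo "PubkeyAuthentication no: key login (which this setup relies on) is off"; n=$((n+1)); }
    v=$(sshd_opt "$f" Protocol)
    [ -z "$v" ] ||
        { echo "Protocol is set: OpenSSH 7.4+ only speaks v2 and reports the option as deprecated"; n=$((n+1)); }
    for d in KexAlgorithms HostKeyAlgorithms MACs Ciphers; do
        for a in $(weak_algos "$(sshd_opt "$f" $d)"); do
            echo "$d lists weak algorithm $a"; n=$((n+1))
        done
    done
    return $n
}

# Constructed sample configs for trying the linter (assumed content, not from a real host).
write_weak_config() {
    cat > "$1" <<'EOF'
# a default-ish config with the settings this page tells you to change
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
HostKeyAlgorithms rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-ed25519
KexAlgorithms curve25519-sha256,diffie-hellman-group14-sha1
Match User backup
    PermitRootLogin no
EOF
}

write_hardened_config() {
    cat > "$1" <<'EOF'
Port 12345
PermitRootLogin no
PasswordAuthentication no
AllowUsers aspyct
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
HostKeyAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
EOF
}

# Lint the file given on the command line, if any.
[ $# -eq 0 ] || check_sshd_config "$1"
```

On the constructed weak config the linter reports five findings (root login, password login, the deprecated Protocol line, ssh-rsa in HostKeyAlgorithms and the SHA-1 key exchange group) and ignores the PermitRootLogin inside the Match block, just as sshd would for the global setting; the hardened config produces none. It is a pre-check, not a replacement for sshd -t (which validates syntax and algorithm names against the installed OpenSSH) or for ssh-audit against the running server.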