![]() In many cases, you will only be logging on to your server from a small number of known, trusted IP addresses. In this step, you will configure an IP allowlist for your OpenSSH server. You can use IP address allowlists to limit the users who are authorized to log in to your server on a per-IP address basis. Step 2 - Implementing an IP Address Allowlist Next, you’ll implement an IP address allowlist to further restrict who can log in to your server. In this step, you completed some general hardening of your OpenSSH server configuration file. Once you’re satisfied with your configuration file, you can reload sshd using systemd to apply the new settings: In the event of a syntax error, there will be an output describing the issue. If your configuration file has a valid syntax, there will be no output. Now validate the syntax of your new configuration by running sshd in test mode with the -t flag: If you are using nano press CTRL+O to save the file and press ENTER when prompted with the file name. Note that this option most likely won’t already be present in the configuration file, so you may need to add it manually. You can now open the configuration file using nano or your favorite text editor to begin implementing the initial hardening measures: This will run OpenSSH server in extended test mode, which will validate the full configuration file and print out the effective configuration values. Next, review the current default OpenSSH configuration options that correspond to the settings in /etc/ssh/sshd_config. ![]() ![]() This will save a backup copy of the file to /etc/ssh/sshd_config.bak. sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak.Before continuing it is a good idea create a backup of your existing configuration file so that you can restore it in the unlikely event that something goes wrong.Ĭreate a backup of the file using the following cp command: You will edit the main OpenSSH configuration file in /etc/ssh/sshd_config to set the majority of the hardening options in this tutorial. However, the configuration you’ll use in this step is a general secure configuration that will suit the majority of servers. ![]() The exact hardening configuration that is most suitable for your own server depends heavily on your own threat model and risk threshold. In this first step, you will implement some initial hardening configurations to improve the overall security of your SSH server. Once you have this ready, log in to your server as your non-root user to begin.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |