Once installed, SSH is among the first services an attacker probes, so the server must be hardened against unwanted access. This section guides you through hardening the SSH server (OpenSSH's sshd, configured in /etc/ssh/sshd_config).

Since sshd is a critical network service, it should listen only on the interface it actually needs and accept only the clients it needs. There are several ways to achieve this.
One option is TCP wrappers: /etc/hosts.allow and /etc/hosts.deny control which clients may reach sshd. Be aware that upstream OpenSSH dropped TCP-wrapper (libwrap) support in version 6.7, so this only works if your distribution's sshd build still links libwrap; if it does not, these files are silently ignored and the same filtering belongs in the host firewall.

In /etc/hosts.deny, blacklist all connections:

    sshd : ALL

Then, in /etc/hosts.allow, list the permitted clients, as exact addresses or wildcard patterns:

    sshd : IP-Address1, IP-Address2, IP-Address3
    sshd : 33.*.*.*
    sshd : 66.66.*.*

Inside /etc/ssh/sshd_config, ListenAddress specifies the local addresses sshd binds to. This restricts which of the server's own interfaces accept SSH connections (for example a management interface but not the public one); it does not filter client addresses, so combine it with the firewall or TCP-wrapper rules above for that.

    ListenAddress 192.168.0.1
    ListenAddress 192.168.0.2
    ListenAddress 192.168.0.X

Another common step (security by obscurity) is to move sshd off the standard port 22. This does not stop a targeted attacker, who will simply port-scan the host, but it removes most of the automated brute-force noise from the logs. To change the port, edit /etc/ssh/sshd_config, locate the Port keyword and set it to another number. Remember to open the new port in the firewall and, on SELinux systems, to label it for sshd (semanage port -a -t ssh_port_t -p tcp <port>), or sshd will fail to bind. Example:

    Port 43594

The following settings exist largely for historical reasons, but they should be set explicitly in every deployment.
It should be obvious that the root account must not log in directly over SSH. To disable this, edit /etc/ssh/sshd_config, locate the PermitRootLogin keyword and set it to no explicitly (the current upstream default, prohibit-password, still lets root in with a key):

    PermitRootLogin no

Equally obvious: empty passwords must never be accepted. Edit /etc/ssh/sshd_config, locate the PermitEmptyPasswords keyword and set it to no explicitly:

    PermitEmptyPasswords no

Likewise, sshd must speak protocol 2 only, since protocol 1 has known cryptographic weaknesses. Add the following to /etc/ssh/sshd_config (OpenSSH 7.4 and later have removed protocol 1 entirely, so this line only matters on older servers):

    Protocol 2

sshd also supports authentication methods that rely on other services. If you do not use them, disable them explicitly in /etc/ssh/sshd_config:

    KerberosAuthentication no
    GSSAPIAuthentication no
    HostbasedAuthentication no
    RhostsRSAAuthentication no
    RhostsAuthentication no

The last two are protocol-1-era options that current OpenSSH no longer implements; if sshd -t complains about them, drop them. Run sshd -t after every edit to make sure the file still parses before you restart the service, because a syntax error leaves you without a working sshd.

The next thing to configure is user management.
To permit only specific users, use the AllowUsers keyword in /etc/ssh/sshd_config followed by the users to allow. A pattern of the form user@host restricts that user to connections from the given client hostname or address. Example, for local users alex and ref, and a user me connecting only from somewhere:

    AllowUsers alex ref me@somewhere ...

To block specific users, use the DenyUsers keyword in the same way. Example, to deny alex, ref and me when connecting from somewhere:

    DenyUsers alex ref me@somewhere ...

To permit only members of specific groups, use the AllowGroups keyword followed by the group names. Example, for local groups wheel and admin:

    AllowGroups wheel admin ...

To block members of specific groups, use the DenyGroups keyword. Example, to deny the groups users and visitors:

    DenyGroups users visitors ...

sshd evaluates these in a fixed order: DenyUsers, then AllowUsers, then DenyGroups, then AllowGroups, and the first directive that rejects the login wins. Once an Allow* list is present, everyone who does not match it is rejected, so a typo in AllowUsers can lock you out; keep an existing session open while testing.

Once done, move on to the authentication mechanism.
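The evaluation order above is easy to get wrong when several lists are in play, so here is an added example (not code from the page or from OpenSSH) that models sshd's decision for one candidate login. It is a simplified model: patterns are shell globs, a user@host pattern matches its host part against either the client hostname or its address, and the '!' negation and CIDR host forms that real sshd accepts are not modelled. The policy lists, user names, groups and hosts are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: a model of how sshd decides an AllowUsers/DenyUsers/
# AllowGroups/DenyGroups outcome, in the order sshd applies them:
#     DenyUsers -> AllowUsers -> DenyGroups -> AllowGroups
# Simplifications (this is not sshd's code): patterns are shell globs matched
# with case(1); a "user@host" pattern matches its host part against the client
# hostname or its address; '!' negation and CIDR host patterns are not modelled.
set -f   # never let the pattern lists expand against file names in $PWD

# glob_match PATTERN VALUE -> 0 if PATTERN (left unquoted so it acts as a glob) matches VALUE
glob_match() {
    case "$2" in
        $1) return 0 ;;
    esac
    return 1
}

# user_pattern_match PATTERN USER HOST ADDR -> 0 if PATTERN matches this login
user_pattern_match() {
    case "$1" in
        *@*)
            glob_match "${1%%@*}" "$2" || return 1
            glob_match "${1#*@}" "$3" || glob_match "${1#*@}" "$4"
            ;;
        *)
            glob_match "$1" "$2"
            ;;
    esac
}

# user_list_match "PATTERNS" USER HOST ADDR -> 0 if any pattern in the list matches
user_list_match() {
    for pat in $1; do
        user_pattern_match "$pat" "$2" "$3" "$4" && return 0
    done
    return 1
}

# group_list_match "PATTERNS" "GROUPS" -> 0 if any of the user's groups matches any pattern
group_list_match() {
    for pat in $1; do
        for grp in $2; do
            glob_match "$pat" "$grp" && return 0
        done
    done
    return 1
}

# ssh_allowed USER "GROUPS" HOST ADDR "DENYUSERS" "ALLOWUSERS" "DENYGROUPS" "ALLOWGROUPS"
# Prints the deciding directive; returns 0 if the login is allowed, 1 if refused.
ssh_allowed() {
    if [ -n "$5" ] && user_list_match "$5" "$1" "$3" "$4"; then
        echo "refused: $1 matches DenyUsers"; return 1
    fi
    if [ -n "$6" ] && ! user_list_match "$6" "$1" "$3" "$4"; then
        echo "refused: $1 from $3 ($4) is not in AllowUsers"; return 1
    fi
    if [ -n "$7" ] && group_list_match "$7" "$2"; then
        echo "refused: a group of $1 matches DenyGroups"; return 1
    fi
    if [ -n "$8" ] && ! group_list_match "$8" "$2"; then
        echo "refused: no group of $1 is in AllowGroups"; return 1
    fi
    echo "allowed: $1"; return 0
}

# Constructed sample policy (not from the page): one deny-by-source rule,
# an allow list with a host-bound entry, and group lists.
DENY_USERS="guest *@10.0.99.*"
ALLOW_USERS="alex ref me@somewhere.example.net"
DENY_GROUPS="visitors"
ALLOW_GROUPS="wheel admin users"

demo() {
    printf '%-42s -> ' "$1 ($2) from $3"
    ssh_allowed "$@" "$DENY_USERS" "$ALLOW_USERS" "$DENY_GROUPS" "$ALLOW_GROUPS" || :
}
demo alex "users dev" build.example.net   10.0.0.5    # allowed
demo alex "users dev" scanner.example.net 10.0.99.7   # DenyUsers host wildcard wins first
demo ref  "visitors"  build.example.net   10.0.0.5    # passes AllowUsers, fails DenyGroups
demo me   "users"     somewhere.example.net 10.0.1.9  # host-bound AllowUsers entry matches
demo me   "users"     elsewhere.example.net 10.0.1.9  # wrong source host for me@...
demo bob  "wheel"     build.example.net   10.0.0.5    # wheel is allowed, but bob is not in AllowUsers
```

The last case is the one that surprises people: AllowGroups never adds anyone back once AllowUsers has rejected them, because AllowUsers is checked first and any rejection is final.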
Whether password authentication (authorizing a user by their password) is acceptable depends on the deployed network. Inside a trusted local area network where every permitted user follows safe password practices, it is reasonable to leave it enabled.

If the server is exposed to the public Internet, it is always best to disable password authentication and rely on public keys, so that accounts cannot be brute-forced.

To enable or disable password authentication, add the following line to /etc/ssh/sshd_config, with yes meaning enabled and no meaning disabled. Disabling it is not sufficient on its own: with UsePAM yes, the keyboard-interactive method still presents a password prompt through PAM, so set KbdInteractiveAuthentication no (named ChallengeResponseAuthentication before OpenSSH 8.7) next to it, and leave PubkeyAuthentication at its default of yes so that you keep a way in:

    PasswordAuthentication no

SSH authentication can also be delegated to PAM, so that user authentication is managed in a single place. To use PAM, make sure the following is inside /etc/ssh/sshd_config:
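The settings discussed so far (Port, Protocol, PermitRootLogin, PermitEmptyPasswords, the extra authentication methods, PasswordAuthentication and its keyboard-interactive companion) are easy to get wrong because of how sshd reads its file: keywords are case-insensitive, "key value" and "key=value" are both accepted, and when a keyword appears twice the first occurrence wins, with everything after the first Match line being conditional. The following audit script is an added example written for this page, not part of the original or of OpenSSH; the two sample configurations it checks are constructed here, and the defaults it assumes are upstream OpenSSH defaults (distribution packages may differ, so compare against sshd -T on a real host).

```shell
#!/bin/sh
# Added example: audit an sshd_config for the hardening settings discussed on
# this page. Models two sshd parsing rules: keywords are case-insensitive
# ("key value" and "key=value" both work) and the FIRST occurrence of a keyword
# wins. Everything from the first "Match" line onward is conditional and is
# skipped, so only the global section is audited. Defaults are upstream OpenSSH.

# sshd_get FILE KEYWORD -> prints the effective global value, nothing if unset
sshd_get() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        tolower($0) ~ /^[ \t]*match[ \t]/ || tolower($0) ~ /^[ \t]*match$/ { exit }
        /^[ \t]*#/ || /^[ \t]*$/ { next }                 # comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (!match(line, /[ \t=]+/)) next             # keyword without a value
            k = tolower(substr(line, 1, RSTART - 1))
            v = substr(line, RSTART + RLENGTH)
            sub(/[ \t]+$/, "", v)
            if (k == key) { print v; exit }               # first occurrence wins
        }' "$1"
}

# sshd_expect FILE KEYWORD WANT DEFAULT -> prints ok/FAIL; returns 0 when the
# effective value (DEFAULT if the keyword is absent) equals WANT, case-insensitively
sshd_expect() {
    val=$(sshd_get "$1" "$2"); origin=set
    [ -n "$val" ] || { val=$4; origin=default; }
    if [ "$(printf '%s' "$val" | tr 'A-Z' 'a-z')" = "$3" ]; then
        printf 'ok    %-28s %s (%s)\n' "$2" "$val" "$origin"; return 0
    fi
    printf 'FAIL  %-28s %s (%s), want %s\n' "$2" "$val" "$origin" "$3"; return 1
}

# audit_sshd_config FILE -> one verdict line per check
audit_sshd_config() {
    f=$1
    port=$(sshd_get "$f" Port); [ -n "$port" ] || port=22
    if [ "$port" = 22 ]; then
        echo "note  Port is 22; moving it needs a firewall rule and, under SELinux, an ssh_port_t label"
    else
        echo "ok    Port = $port"
    fi
    proto=$(sshd_get "$f" Protocol)
    if [ -n "$proto" ] && [ "$proto" != 2 ]; then
        echo "FAIL  Protocol = $proto, want 2"
    else
        echo "ok    Protocol = ${proto:-unset} (protocol 1 was removed in OpenSSH 7.4)"
    fi
    # KEYWORD WANT DEFAULT
    for spec in "PermitRootLogin no prohibit-password" "PermitEmptyPasswords no no" \
                "PasswordAuthentication no yes" "PubkeyAuthentication yes yes" \
                "HostbasedAuthentication no no" "GSSAPIAuthentication no no" \
                "KerberosAuthentication no no"; do
        set -- $spec
        sshd_expect "$f" "$1" "$2" "$3" || :
    done
    # With UsePAM yes, keyboard-interactive still offers a password prompt even when
    # PasswordAuthentication is off. The keyword was ChallengeResponseAuthentication
    # before OpenSSH 8.7; simplification: the newer name is consulted first.
    kbd=$(sshd_get "$f" KbdInteractiveAuthentication)
    [ -n "$kbd" ] || kbd=$(sshd_get "$f" ChallengeResponseAuthentication)
    if [ "$(printf '%s' "$kbd" | tr 'A-Z' 'a-z')" = no ]; then
        echo "ok    KbdInteractiveAuthentication = $kbd"
    else
        echo "FAIL  KbdInteractiveAuthentication = ${kbd:-yes (default)}, want no"
    fi
}

# sshd_fail_count FILE -> prints the number of FAIL lines (0 for a hardened file)
sshd_fail_count() {
    audit_sshd_config "$1" | grep -c '^FAIL' || :
}

tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
WEAK_CONF=$tmp/weak_sshd_config
HARD_CONF=$tmp/hardened_sshd_config

# Constructed weak sample: the second PermitRootLogin line is ignored by sshd,
# and the PasswordAuthentication inside the Match block applies to that user only.
cat > "$WEAK_CONF" <<'EOF'
Port 22
PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication yes
Protocol 2,1
gssapiauthentication=yes
Match User backup
    PasswordAuthentication no
EOF

# Constructed hardened sample with the settings from this page set explicitly.
cat > "$HARD_CONF" <<'EOF'
Port 43594
Protocol 2
PermitRootLogin no
PermitEmptyPasswords no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
KerberosAuthentication no
GSSAPIAuthentication no
HostbasedAuthentication no
UsePAM yes
AllowGroups wheel admin
EOF

echo "== weak ==";     audit_sshd_config "$WEAK_CONF"
echo "== hardened =="; audit_sshd_config "$HARD_CONF"
```

Point the audit at /etc/ssh/sshd_config on a real host to see which of the page's settings are still at their defaults; the weak sample reports five failures and the hardened one none.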
    UsePAM yes

In that case you configure the authentication mechanism in the sshd PAM stack (/etc/pam.d/sshd on most distributions). For example, to admit only the users listed in a file (e.g. /etc/loginusers) you can use pam_listfile, or pam_wheel to restrict logins to members of a single group:

    auth required pam_listfile.so sense=allow onerr=fail item=user file=/etc/loginusers

Note that sshd only runs PAM's auth stack for password and keyboard-interactive logins; a public-key login skips it and passes only through the account and session stacks. If the list must also bind key-based users, add the same pam_listfile line to the account stack (the module supports all four module types), or enforce the list with AllowUsers in sshd_config instead. Keep /etc/loginusers writable by root only, since whoever can edit it decides who may log in.

If the SSH server is open to the Internet, all permitted users (except administrators with good SSH practices) should be jailed so that no user can tamper with the root filesystem. In OpenSSH this is done with the ChrootDirectory keyword, normally inside a Match block for the users or groups concerned, and sshd insists that the jail directory and all of its parents are owned by root and not writable by anyone else.
That is all for hardening the SSH server. After restarting sshd, confirm from a second session that you can still log in before closing the one you edited from.