SSH Hardening

Here is some code that will add some security to your /etc/sshd_config file:

  • Enable X11Forwarding
  • Force Version 2 of the protocol
  • Disable all the usual RHosts garbage
  • Disable root logons
  • Disable the use of empty passwords

Copy the code below to a text file and make it executable then run it using the sudo command. Remember to restart your SSH service after the changes have been made.


#!/bin/sh
SSH_DIR=/etc/ssh
# unalias cp rm mv
cd $SSH_DIR
cp ssh_config ssh_config.tmp
cat $SSH_DIR/ssh_config.tmp | grep -v Protocol | sed ‘$a\\nProtocol 2’
> $SSH_DIR/ssh_config
rm ssh_config.tmp
cp sshd_config sshd_config.tmp
awk ‘/^#? *Protocol/ { print “Protocol 2”; next };
/^#? *X11Forwarding/ \
{ print “X11Forwarding yes”; next };
/^#? *IgnoreRhosts/ \
{ print “IgnoreRhosts yes”; next };
/^#? *RhostsAuthentication/ \
{ print ” RhostsAuthentication no”; next };
/^#? *RhostsRSAAuthentication/ \
{ print “RhostsRSAAuthentication no”; next };
/^#? *HostbasedAuthentication/ \
{ print “HostbasedAuthentication no”; next };
/^#? *PermitRootLogin/ \
{ print “PermitRootLogin no”; next };
/^#? *PermitEmptyPasswords/ \
{ print “PermitEmptyPasswords no”; next };
/^#? *Banner/ \
{ print “Banner /etc/issue.net”; next };
{print}’ sshd_config.tmp > sshd_config
rm sshd_config.tmp