Hardening SSH:

SSH by default is secure. Even so, there are a few configuration changes we can make to make it even more secure. Open the /etc/ssh/sshd_config file with your favorite editor, and read on...

First, we don't want to allow root logins. We want to force the user (or ourselves) to login, and then "su" to root if needed.

  Make a copy of the following line (uncomment it) and change the yes to a no.

#PermitRootLogin yes
PermitRootLogin no

SSH2 is more secure than SSH1. By default SSH2 will allow SSH1 logins. If all of your hosts support SSH2 there is no need to allow SSH1 communications.

  Make a copy of the following line (uncomment it) and remove the 1.

#Protocol 2,1
Protocol 2

If you are really paranoid, you can change the port number that SSH communications occur on. Change it to anything other than 22 (that's the port it runs on by default). Before you make any changes here, you'll need to look at the /etc/services file and see which services are defined to run on which port. Find an open port, and then also check on dshield.org to make sure that you are not changing SSH to run on a port that some other well known service or trojan runs on.

Here's an example of a port that a service and some trojans run on: dshield.org - check port 31<
Here's an example of a port that is open: dshield.org - check port 32

Change the port that SSH listens for connections on:

#Port 22
Port XX    (where XX = your new portnumber)

  You are now done editing the /etc/ssh/sshd_config file (save your changes, and quit your editor).

  Note: Do not make any changes to the /etc/services file. This way incoming connections still get directed to port 22 (which will fail - see below).

To initialize the changes, restart sshd:

# /etc/init.d/sshd restart

To log in via SSH on a different port than the default, use the -p option:

$ ssh -p XX hostname

To test your new settings, try:

$ ssh localhost
ssh: connect to host localhost port 22: Connection refused

$ ssh -p XX localhost
username@localhost's password:

Example syntax' for logging into another machine as a different user: (First line is what you type, second line is the server's response; to which you enter the user's password to gain access)

$ ssh -p XX username@servername      (substitute your portnum, username and servername as neccessary)username@servername's password:

$ ssh -p 32 joeuser@my-example-domain.com     (substitute your portnum, username and domainname as neccessary)
joeuser@my-example-domain.com's password:

---
Other: These are the basic steps to make SSH more secure. They should suffice for the average home user. Although, to really make your machine(s) more secure, generating an RSA public/private key pair is really the way to go. The private key stays on the Server (the machine you are connecting to). And, the public key goes on the Client (the machine you are connecting from). Only a Client machine that contains a public key in the $HOME/.ssh/authorized_keys file is allowed to connect to the Server. Use the "ssh-keygen" command to create the RSA key pair. Read the SSH man pages if you are not sure how to do this.