Lead Image © Fotoflash,Fotolia.com

The top three SSH tricks

Security Skills

Article from ADMIN 40/2017

By Ken Hess

Add extra security to your SSH service, securely copy files to and from remote computers, and configure passwordless SSH for automation scripting.

Secure Shell (SSH) is more than a simple remote connectivity protocol. The SSH utility is one of the most versatile tools in your administrative toolbox. You can use SSH to copy files securely, and you can even build it into automation scripts.

Trick 1: Configuring a More Secure SSH

Although SSH is secure in a default installation, you can make some tweaks to provide an even more secure environment. The parameters to change are located in /etc/ssh/sshd_config. The first security change is to deny root user logins by finding the line

PermitRootLogin Yes

and changing the Yes to No.

If you have a limited number of users (fewer than 10), you can use the AllowUsers entry to limit which users can use SSH to connect to the server. Remember to include yourself on the user list, which is space delimited:

AllowUsers bob admin fred joe

If you have more than 10 users or if you choose to manage by groups, create an sshusers or similar group and add users as needed:

$ sudo groupadd --r sshusers
$ sudo usermod --a --G sshusers bob

In sshd_config, use the AllowGroups directive with your group name,

AllowGroups sshusers

and restart the SSH daemon:

$ sudo service ssh restart

For systemd servers, use either of the following commands:

$ sudo systemctl restart sshd
$ sudo systemctl restart ssh

A final change to enhance SSH security on your network is to allow SSH sessions to originate only from a single server, often known as a "jump" server. This change is outside of the SSHD configuration and only involves limiting the allowed IP address through iptables by entering the command