Sshd Configuration: Difference between revisions

From NovaOrdis Knowledge Base
Jump to navigation Jump to search
Line 55: Line 55:
<font color=red>TODO: research what the following means:
<font color=red>TODO: research what the following means:


  PermitRootLogin without-password
  <font color=red>PermitRootLogin without-password</font>


</font>
</font>

Revision as of 21:39, 2 July 2017

Internal

Overview

Change the Default Port

Uncomment and/or update the default "Port" value in /etc/ssh/sshd_config:

#Port 22
Port 12345

Change the Default Port on a SELinux System

If SELinux is enable, you have to tell SELinux about the port change:

semanage port -a -t ssh_port_t -p tcp 12345

Also see How to install SELinux semanage.

Update the Firewall Rules

If iptables is enabled, there's a firewall rule that allows ssh access, and it usually mentions the port. You may want to check and change that: Iptables_Command_Line_Tool_Examples#Allow_SSH_Only_From_the_Internal_Network_on_a_Non-Standard_Port

Change the Network Interface to Listen On

ListenAddress 192.168.1.10

Turn Off Client Name DNS Verification

sshd can be configured with a "UseDNS" option, which specifies whether sshd should look up the remote host name and check that the resolved host name for the remote IP address maps back to the same IP address. The default is “yes” but in some case this causes the initial connection setup to take a long time, so it is best to turn this verification off:

...
UseDNS no
...

The service needs to be restarted after reconfiguration.

Allow root To Connect with Password

In /etc/ssh/sshd_config:

PermitRootLogin yes

TODO: research what the following means:

PermitRootLogin without-password

Logging Verbosity

By default, sshd logs at INFO level:

LogLevel INFO

Options: DEBUG, DEBUG1, DEBUG2, DEBUG3

Increased log output will be available in /var/log/secure.