Configuring and securing sshd

From Linuxintro
Revision as of 19:38, 17 October 2008 by imported>ChrisM

All of the following configuration takes place in /etc/ssh/sshd_config. Be sure to look for existing statements first, since in most cases the configuration option already exists in your default sshd_config.

Disable X11Forwarding

If you do not want to use X11 forwarding, you should disable it altogether by setting:

X11Forwarding no

While X11 forwarding is not a real danger for your server, it may cause users to unwittingly reveal private data, because a remote client can snoop on the local X server, e.g. capturing passwords as they are typed.

Putting sshd on a non-standard port

This is security by obscurity only and is of little value if someone uses a port scanner to check whether an ssh daemon is running on a non-standard port. Still, it can be useful if you need to access your server from somewhere where outgoing TCP port 22 is blocked. Just extend your sshd_config:

Port port
ListenAddress 0.0.0.0:port

Note: If you still want sshd to listen on the default port 22, you must now specify it explicitly, since a different port is already configured.
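
As an added example (not part of the original page), the following shell function reports which X11Forwarding and Port values in the global section of an sshd_config take effect, which is why existing statements and the note about port 22 matter. It assumes that sshd uses the first value it reads for a keyword and opens a port for every Port line; the function names and the sample file are constructed for illustration, and Include files and Match blocks are not evaluated.

```shell
#!/bin/sh
# Added example: show the effective X11Forwarding and Port settings of the
# global section of an sshd_config file (Include/Match are not evaluated).

# audit_sshd_config FILE -> prints "x11forwarding=<value>" and "ports=<list>"
audit_sshd_config() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)             # drop leading indentation
            sub(/[ \t]*[= \t][ \t]*/, " ", line) # accept "Key value" and "Key=value"
            split(line, f, " ")
            key = tolower(f[1])                  # keywords are case-insensitive
            if (key == "match") exit             # global section ends here
            # sshd uses the first value it reads for a keyword
            if (key == "x11forwarding" && x11 == "") x11 = tolower(f[2])
            # every Port line adds a listening port
            if (key == "port") ports = ports (ports == "" ? "" : ",") f[2]
        }
        END {
            # OpenSSH built-in defaults apply when a keyword is absent
            print "x11forwarding=" (x11 == "" ? "no" : x11)
            print "ports=" (ports == "" ? "22" : ports)
        }
    ' "$1"
}

# Constructed sample: a shipped default left in place above a later edit.
sample_config() {
    cat <<'EOF'
# constructed sshd_config fragment
Port 2222
X11Forwarding yes
#X11Forwarding no
PasswordAuthentication yes
x11forwarding no
EOF
}

tmp=$(mktemp)
sample_config > "$tmp"
audit_sshd_config "$tmp"
rm -f "$tmp"
```

For the sample, the appended "x11forwarding no" has no effect because the earlier "X11Forwarding yes" is read first, and port 22 is no longer listed once "Port 2222" is configured.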