The secure shell (SSH) is the basic toolkit that provides remote access to your server to perform maintenance, upgrades, install packages, transfer files, or facilitate whatever action you need to carry out as the administrator in a secure environment.
With a few rudimentary configuration changes you can deny root access, add a welcome banner, and protect your server from unwanted guests. Here we use the OpenSSH version.
Once OpenSSH is installed, log in as root and back up the config file first:
# cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
Open up the sshd configuration file for editing:
# sudo vi /etc/ssh/sshd_config
First, adjust the time allowed to log in. Scroll down to the line
Change the line to
A few lines further down to the line that reads
Change it to
Next find the following two lines
And change them to
Uncomment the following lines
Now save and close the sshd_config file before opening the following to create the welcome banner.
# vi /etc/motd
Add the banner to the file. An example could be:
This computer system is for authorized users only. All activity
is logged and regularly checked. Individuals using this system
without authority or in excess of their authority are subject to
having all their services revoked...
Save and close the file and restart the sshd daemon:
# service sshd restart
You can open up a new SSH session to make sure everything is running fine before closing the first session with
You should now find that root access to the shell is denied and you must log in using a standard user account. The next session should open up with the new login banner.
Keep sessions alive
You can set the idle timeout on the server by making adjustments in the config file.
# vi /etc/ssh/sshd_config
Scroll down and find the lines
The first line instructs the server to wait 60 seconds after the last input before it sends a packet which requires a response.
The second line sets the number of missed (unanswered) intervals to 5 before the server assumes the connection has been dropped.
Set these to your preferred values.
Now find and uncomment the following line
This tells the SSH server to send TCP keepalive packets to discover whether the connection is still valid. Consequently, even if your session times out, this feature will terminate the current session and prevent it from hanging and becoming a zombie.
Finally, restart the SSH server for the settings to take effect:
$ sudo service sshd restart
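The script below audits a config file for the settings changed on this page; it is an added example, not part of the original post. The directive names `PermitRootLogin`, `ClientAliveInterval` and `ClientAliveCountMax` are standard OpenSSH keywords assumed to be the lines the page refers to, and the sample config is constructed.

```shell
#!/bin/sh
# Added example: audit an sshd_config-style file for the settings discussed above.
# Expected values follow the page's text (root denied, 60 s interval, 5 misses).

# Print the effective global value of a keyword. sshd keywords are
# case-insensitive and the FIRST occurrence wins; '#' lines are comments.
# Parsing stops at the first Match block, which only holds conditional overrides.
effective_value() {  # effective_value FILE KEYWORD
    awk -v want="$2" '
        NF == 0 || $1 ~ /^#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(want) { print $2; exit }
    ' "$1"
}

check() {  # check FILE KEYWORD EXPECTED
    got=$(effective_value "$1" "$2")
    if [ "$got" = "$3" ]; then
        echo "PASS $2 = $got"
    else
        echo "FAIL $2 = ${got:-<not set explicitly>} (want $3)"
        return 1
    fi
}

audit_sshd_config() {  # returns the number of failed checks
    fails=0
    check "$1" PermitRootLogin no      || fails=$((fails + 1))
    check "$1" ClientAliveInterval 60  || fails=$((fails + 1))
    check "$1" ClientAliveCountMax 5   || fails=$((fails + 1))
    check "$1" TCPKeepAlive yes        || fails=$((fails + 1))
    return "$fails"
}

# Constructed sample: TCPKeepAlive is still commented out, and the second
# PermitRootLogin line is ignored because the first occurrence wins.
sample=$(mktemp)
cat > "$sample" <<'EOF'
PermitRootLogin no
PermitRootLogin yes
clientaliveinterval 60
ClientAliveCountMax 5
#TCPKeepAlive yes
EOF
audit_sshd_config "$sample" || echo "$? check(s) failed"
rm -f "$sample"
```

On the live server, running `sshd -t` as root before the restart checks the configuration file for errors, which avoids locking yourself out with a typo.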
Labels: Centos 6, OpenSSH harden shell environment, RHEL