Serverwide Configuration
Chapter 5 provided a detailed discussion of sshd and how to configure its runtime behavior. Now let’s determine which configuration options are most important for security.
10.3.1 Disable Other Means of Access
SSH can provide a secure front door into your system, but don’t forget to close the back doors. If your system allows access via the infamous r-commands, disable them. This means:
Remove the file /etc/hosts.equiv, or make it a read-only empty file.
Disable rshd, rlogind, and rexecd by removing or commenting out their lines in the inetd or xinetd configuration file. For example, in /etc/inetd.conf you might do:
# turned off -- don't use!
#shell stream tcp nowait root /usr/sbin/in.rshd in.rshd
Make sure you restart inetd or xinetd after doing this so that the change takes effect.
Educate users not to create .rhosts files.
You might also consider disabling telnetd and other insecure avenues for logging in, permitting logins only via SSH.
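The steps above, as an added shell example that is not from the book: it audits a host for the r-command back doors just listed and comments the shell, login and exec entries out of inetd.conf the way the text suggests. The ROOT prefix argument, the function names and the directory layout they inspect are assumptions of this example; with no argument the checks look at the live system under "/".

```shell
#!/bin/sh
# Added example (not from the book): audit a host for the r-command back
# doors listed above, and comment the rsh/rlogin/rexec lines out of
# inetd.conf.  Every function takes an optional ROOT prefix so the checks
# can be run against a constructed directory tree; with no argument they
# inspect the live system under "/".

# /etc/hosts.equiv should be absent or an empty file.
check_hosts_equiv() {
    f="${1:-}/etc/hosts.equiv"
    if [ -s "$f" ]; then
        echo "FAIL: $f exists and is non-empty"
        return 1
    fi
    return 0
}

# No user (root included) should have a .rhosts file.
check_rhosts() {
    root="${1:-}"
    found=$(find "$root/home" "$root/root" -maxdepth 2 -type f -name .rhosts 2>/dev/null)
    if [ -n "$found" ]; then
        echo "FAIL: .rhosts files present:"
        echo "$found"
        return 1
    fi
    return 0
}

# In inetd.conf the service name is the first field; an uncommented
# shell, login or exec entry means rshd, rlogind or rexecd is reachable.
check_inetd() {
    f="${1:-}/etc/inetd.conf"
    [ -f "$f" ] || return 0
    enabled=$(grep -E '^[[:space:]]*(shell|login|exec)[[:space:]]' "$f")
    if [ -n "$enabled" ]; then
        echo "FAIL: r-services still enabled in $f:"
        echo "$enabled"
        return 1
    fi
    return 0
}

# xinetd keeps one file per service; it is off only if it says "disable = yes".
check_xinetd() {
    d="${1:-}/etc/xinetd.d"
    [ -d "$d" ] || return 0
    bad=0
    for svc in rsh rlogin rexec shell login exec; do
        [ -f "$d/$svc" ] || continue
        if ! grep -qiE '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes' "$d/$svc"; then
            echo "FAIL: $d/$svc is not disabled"
            bad=1
        fi
    done
    return $bad
}

# Comment out the r-service lines in inetd.conf, leaving other services
# untouched.  Remember to HUP inetd afterwards (kill -HUP <pid>) or the
# running daemon keeps serving the old configuration.
disable_inetd_rservices() {
    f="${1:-}/etc/inetd.conf"
    [ -f "$f" ] || return 0
    awk '/^[ \t]*(shell|login|exec)[ \t]/ {
             print "# turned off -- do not use!"
             print "#" $0
             next
         }
         { print }' "$f" > "$f.new" && mv "$f.new" "$f"
}

# Run every check; the exit status is non-zero if any back door remains.
audit_rcommands() {
    root="${1:-}"
    status=0
    check_hosts_equiv "$root" || status=1
    check_rhosts "$root"      || status=1
    check_inetd "$root"       || status=1
    check_xinetd "$root"      || status=1
    [ "$status" -eq 0 ] && echo "OK: no r-command back doors found"
    return $status
}
```

Run audit_rcommands as root; a non-zero exit status means at least one of the back doors is still open. disable_inetd_rservices only edits the file: you still have to signal inetd (or restart xinetd) for the change to take effect, exactly as the text says, and it does nothing about .rhosts files, which belong to users and should be removed by hand.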
10.3.2 sshd_config for OpenSSH
We’ll now discuss our recommended sshd_config settings for OpenSSH. We have omitted some keywords that aren’t particularly security-related, such as PrintMotd, which simply prints a message after login. For any remaining keywords, use your judgment based on your system and needs.
10.3.2.1 Choice of protocol
We recommend disabling the SSH-1 protocol altogether, so that sshd speaks only SSH-2:
# OpenSSH
Protocol 2
Note that OpenSSH 7.0 and later ship with SSH-1 disabled by default, and OpenSSH 7.4 removed server-side SSH-1 support entirely; on those releases the Protocol keyword is deprecated and ignored, so the setting matters only on older servers.
10.3.2.2 Important files
Important files containing your host key, PID, and so on, may be located anywhere on the machine’s ...