SECURE SSH CONFIGURATION We want to configure our SSH server in a more secure manner. We want to implement a few minor changes to substantially increase the security of our SSH server. NOTE: The following will be conducted on your DNS machine: 1. Connect to your DNS machine (10.X.2.2) 2. Edit your /etc/ssh/sshd_config file (SSH Server Configuration File) NS1-TLDX> sudo nano /etc/ssh/sshd_config Uncomment the "AllowUsers" entry Change the "AllowUsers" entry to include all authorized users AllowUsers root trtiadmin tldadmin Change "PasswordAuthentication yes" to "PasswordAuthentication no" Change "PubkeyAuthentication no" to "PubkeyAuthentication yes" Make sure "PermitEmptyPasswords" is set to "no" 3. Restart your SSH server NS1-TLDX> sudo /etc/init.d/ssh restart 4. Try logging into your NameServer's SSH server with just a password NS1-TLDX> ssh tldadmin@127.0.0.1 ** You should get an error message (Permission denied (publickey).) 5. Try logging into your SSH server with your tldadmin key NS1-TLDX> ssh -i /home/tldadmin/.ssh/tldadmin tldadmin@127.0.0.1 ** This should work ** Note: the password you are prompted for is the IDENTITY KEY password and NOT the account password - but the two passwords are the same... Note: * Do not change the "PermitRootLogin" entry Doing so will make your configuration more secure - but will break our ability to remotely assist you! Other Interesting Settings * "PermitEmptyPasswords" should be set to "no" * "Port" can be any port - you should change this to something other than port 22 to avoid automated SSH attacks * "LoginGraceTime" - you should set this to a short time to close the connection after a short period of time (say 30 seconds) to avoid keeping unproductive connections open. * Restrict "Banner" such that it doesn't provide any identifying information * Set "MaxAuthTries" to a low number (say 3) such that a user gets only three attempts to enter a password before the connection is closed