Da ich meinen vServer ja komplett neu aufsetzen muss , nutze ich die Gelegenheit, um hier meine Konfiguration der /etc/ssh/sshd_config zur Sicherung des SSH-Servers aufzuführen. Dazu poste ich hier einfach eine beispielhafte sshd_config mit (englischen) Kommentaren.
# sshd_config by m3adow, created 2013-09-06
# Tested for:
# OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
# Restrict to IPv4. Change to inet6 for IPv6 only. Comment it out or use "any" for no restriction.
AddressFamily inet
# Set AuthorizedKeysFile to standard for visibility.
#AuthorizedKeysFile .ssh/authorized_keys
# Disable ALL authentication methods
# We'll enable those for our loginuser.
ChallengeResponseAuthentication no
GSSAPIAuthentication no
HostbasedAuthentication no
KerberosAuthentication no
PasswordAuthentication no
PubKeyAuthentication no
RSAAuthentication no
UsePAM no
# Reduce LoginGraceTime to 60 seconds
LoginGraceTime 60
# Reduce MaxAuthTries to make manual bruteforcing more difficult
MaxSessions 4
# Enable random early drops for unauthenticated connections
MaxStartups 4:60:8
# Configure Logging
LogLevel INFO
SyslogFacility AUTH
# Empty Passwords are bad, mkay? Use Pubkeys for this.
PermitEmptyPasswords no
# Root Login via SSH is bad too.
# If you really want this, use "without-password" to enable root Login with Pubkey only.
PermitRootLogin no
# Change the SSH-Port to prevent a lot of automated Login Tries which clutter up your logfiles.
Port 4711
# Print the last Login.
PrintLastLog yes
# Only use the secure SSH-Protocol 2
Protocol 2
# Enable StrictMode
StrictModes yes
# Since I don't think X11 belongs to a server, there's no use for Forwarding.
X11Forwarding no
# Only use Ciphers and MACs which are declared safe by the German BSI
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256
MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160
# No we set up our loginuser "foo" which is the only user allowed to access the server.
Match User foo
# We only want Public Key Authentication since it's the most secure way.
PubKeyAuthentication yes
Die Datei kann natürlich gerne auf anderen Servern genutzt werden. :-)
Ich denke, dass diese config-Datei selbst erklärend ist. Falls ihr aber trotzdem noch Fragen habt, nur zu.