Script to automatically configure SSH security

by Daniel Pham

For Linux server administrators, protecting SSH is important.

Many articles already discuss what to configure to protect SSH connections to your server.

In this article, I will give you a simple script to do that faster.

Script to automatically configure SSH security in CentOS

I wrote this script and used it on CentOS 6 and CentOS 7. I’m sure it works well.

There are 2 things you need to do before running this script.

Create a regular user

You have to create a regular user, that is, a non-root user without sudo rights. This user does not have any administrator role; it is simply the account you use to SSH into the server.

useradd youruser

And set a password for this user.

passwd youruser

Find your public IP

Second, you have to find your public IP. You can use this website to find your public IP.

You need a static public IP to do this. If your internet router uses a dynamic public IP, you can ignore this.

Copy script and execute it

Next, copy the script contents below to your server. Remember to edit the 2 places I marked as NOTE 1 and NOTE 2.

#!/bin/bash
#
# Script by: Daniel Pham
# Script date: 04-06-2019
# Script version: 1.0
# Script use: use to configure ssh security faster
# Remember to edit NOTE 1 & 2 in this script

# Function configure ssh
f_config_ssh () {
	# Disable X11 Forwarding in Linux server
	sed -i 's/X11Forwarding yes/X11Forwarding no/g' /etc/ssh/sshd_config

	# Set MaxAuthTries to 1
	sed -i 's/#MaxAuthTries 6/MaxAuthTries 1/g' /etc/ssh/sshd_config

	# Auto disconnect after 5 minutes of inactivity
	# (OpenSSH 8.2 and later treat ClientAliveCountMax 0 as "never disconnect")
	sed -i 's/#ClientAliveInterval 0/ClientAliveInterval 300/g' /etc/ssh/sshd_config
	sed -i 's/#ClientAliveCountMax 3/ClientAliveCountMax 0/g' /etc/ssh/sshd_config

	# Ignore rhosts files and keep host-based authentication disabled
	sed -i 's|#IgnoreRhosts yes|IgnoreRhosts yes|g' /etc/ssh/sshd_config
	sed -i 's/#HostbasedAuthentication no/HostbasedAuthentication no/g' /etc/ssh/sshd_config

	# Don't allow empty password
	sed -i 's/#PermitEmptyPasswords no/PermitEmptyPasswords no/g' /etc/ssh/sshd_config

	# Don't allow TCP forwarding -> prevents an attacker from using your server as a router or relay
	sed -i 's|#AllowTcpForwarding yes|AllowTcpForwarding no|g' /etc/ssh/sshd_config

	# Keep privilege separation and strict permission checks on user files enabled
	sed -i 's|#UsePrivilegeSeparation yes|UsePrivilegeSeparation yes|g' /etc/ssh/sshd_config
	sed -i 's|#StrictModes yes|StrictModes yes|g' /etc/ssh/sshd_config

	# Configure a login banner for ssh (optional)
	sed -i 's|#Banner none|Banner /etc/ssh/ssh_banner.txt|g' /etc/ssh/sshd_config

	###########################################################
	### NOTE 1: edit youruser and your ip to the line below ###
	###########################################################
	echo "AllowUsers youruser@192.168.10.10 youruser@192.168.10.11" >> /etc/ssh/sshd_config

	##############################################
	### NOTE 2: edit your ip to the line below ###
	##############################################	
	echo "sshd : 192.168.10.10 192.168.10.11" >> /etc/hosts.allow

	echo "sshd : ALL" >> /etc/hosts.deny

	# Change content of banner as you want
	cat > /etc/ssh/ssh_banner.txt <<"EOF"
*****************************************************************
	        PLEASE READ CAREFULLY BELOW !!
	        ------------------------------
    1. Do not stop IPtables service, just edit it if needed.
    2. Do not change SSH configuration if you don't know it.
    3. SSH just allow a few special user, do not change it.

*****************************************************************
EOF

	# Restart service ssh to apply new configuration
	service sshd restart
}

# Function main
f_main () {
	f_config_ssh
}
f_main

exit

You can download the full script from this link.

Next, type the following command to execute the script. For example, if you named the script secure_ssh.sh:

bash secure_ssh.sh
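
Each sed line in the script only matches the stock commented default (for example `#MaxAuthTries 6`), so on a server whose sshd_config was edited before, some substitutions silently do nothing. The check below is an added example, not part of the author's script; the function names `effective_value` and `audit_sshd_config` and the sample file are constructed for illustration.

```bash
#!/bin/bash
# Added example: check that the script's sed edits landed in sshd_config.

# Print the value sshd reads for a keyword: the first uncommented
# occurrence wins and keywords are case-insensitive.
# Simplification (assumption): Match blocks and "key=value" are ignored.
effective_value () {
	awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
		$1 ~ /^#/ { next }
		tolower($1) == key { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
	' "$2"
}

# Compare the file with the values the script tries to set.
# Prints one line per mismatch and returns the number of mismatches.
audit_sshd_config () {
	local file="$1" fails=0 key want got
	while read -r key want; do
		got="$(effective_value "$key" "$file")"
		if [ "$got" != "$want" ]; then
			echo "MISMATCH $key: want '$want', file has '${got:-<not set>}'"
			fails=$((fails + 1))
		fi
	done <<'EOF'
X11Forwarding no
MaxAuthTries 1
ClientAliveInterval 300
ClientAliveCountMax 0
AllowTcpForwarding no
Banner /etc/ssh/ssh_banner.txt
EOF
	return "$fails"
}

# Constructed sample: an admin had already set MaxAuthTries 3 and
# uncommented AllowTcpForwarding, so those two sed patterns never matched.
sample="$(mktemp)"
cat > "$sample" <<'EOF'
X11Forwarding no
MaxAuthTries 3
ClientAliveInterval 300
ClientAliveCountMax 0
AllowTcpForwarding yes
Banner /etc/ssh/ssh_banner.txt
EOF
audit_sshd_config "$sample" || true
```

On the server itself, `sshd -t` validates the file before a restart and `sshd -T` prints the daemon's effective settings, defaults included.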

Conclusion

And that’s it. I am not saying that this article is enough to protect your server.

Protecting a server involves a lot of techniques: ssh configuration, firewall configuration, fail2ban configuration, … But here, this script only helps you to make ssh configuration faster.

(This is an article from my old blog that has been inactive for a long time, I don’t want to throw it away so I will keep it and hope it helps someone).

DevOps Lite is a personal blog specializing in technology with main topics about DevOps, DevSecOps, SRE and System Administrator. Articles are shared for free and contributed to the community.

© 2021-2024 DevOpsLite.com – All rights reserved.

Please write sources “DevOpsLite.com” when using articles from this website.