Script to automatically configure SSH security
For Linux server administrators, protecting SSH is important.
Many articles already explain what to configure to protect SSH connections to your server.
In this article, I will give you a simple script to do that faster.
Script automatically configures ssh security in CentOS
I wrote this script and used it on CentOS 6 and CentOS 7. I’m sure it works well.
There are 2 things you need to do before running this script.
Create a regular user
You have to create a regular user: a non-root user without sudo rights. This user has no administrator role; it exists only for you to log in to the server over SSH.
useradd youruser
And set a password for this user.
passwd youruser
Find your public IP
Second, you have to find your public IP. You can use this website to find out your public IP.
You need a static public IP to do this. If your internet router uses a dynamic public IP, you can ignore this.
Copy script and execute it

Next, copy the script contents below to your server. Remember to edit the 2 places I wrote.
#!/bin/bash
#
# Script by: Daniel Pham
# Script date: 04-06-2019
# Script version: 1.0
# Script use: use to configure ssh security faster
# Remember to edit NOTE 1 & 2 in this script

# Function configure ssh
f_config_ssh () {
    # Disable X11 Forwarding in Linux server
    sed -i 's/X11Forwarding yes/X11Forwarding no/g' /etc/ssh/sshd_config
    # Set MaxAuthTries to 1
    sed -i 's/#MaxAuthTries 6/MaxAuthTries 1/g' /etc/ssh/sshd_config
    # Auto disconnect after 5 minutes
    sed -i 's/#ClientAliveInterval 0/ClientAliveInterval 300/g' /etc/ssh/sshd_config
    sed -i 's/#ClientAliveCountMax 3/ClientAliveCountMax 0/g' /etc/ssh/sshd_config
    # Configure host-based authentication
    sed -i 's|#IgnoreRhosts yes|IgnoreRhosts yes|g' /etc/ssh/sshd_config
    sed -i 's/#HostbasedAuthentication no/HostbasedAuthentication no/g' /etc/ssh/sshd_config
    # Don't allow empty passwords
    sed -i 's/#PermitEmptyPasswords no/PermitEmptyPasswords no/g' /etc/ssh/sshd_config
    # Don't allow TCP forwarding -> prevents an attacker from using your server as a router or relay
    sed -i 's|#AllowTcpForwarding yes|AllowTcpForwarding no|g' /etc/ssh/sshd_config
    sed -i 's|#UsePrivilegeSeparation yes|UsePrivilegeSeparation yes|g' /etc/ssh/sshd_config
    sed -i 's|#StrictModes yes|StrictModes yes|g' /etc/ssh/sshd_config
    # Configure a banner for ssh (optional)
    sed -i 's|#Banner none|Banner /etc/ssh/ssh_banner.txt|g' /etc/ssh/sshd_config
    ###########################################################
    ### NOTE 1: edit youruser and your ip to the line below ###
    ###########################################################
    echo "AllowUsers youruser@192.168.10.10 youruser@192.168.10.11" >> /etc/ssh/sshd_config
    ##############################################
    ### NOTE 2: edit your ip to the line below ###
    ##############################################
    echo "sshd : 192.168.10.10 192.168.10.11" >> /etc/hosts.allow
    echo "sshd : ALL" >> /etc/hosts.deny
    # Change content of banner as you want
    cat > /etc/ssh/ssh_banner.txt <<"EOF"
*****************************************************************
PLEASE READ CAREFULLY BELOW !!
------------------------------
1. Do not stop IPtables service, just edit it if needed.
2. Do not change SSH configuration if you don't know it.
3. SSH just allow a few special user, do not change it.
*****************************************************************
EOF
    # Restart service ssh to apply new configuration
    service sshd restart
}

# Function main
f_main () {
    f_config_ssh
}

f_main
exit
You can download the full script from this link.
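Each sed command in the script changes sshd_config only when the stock line matches its pattern exactly, so a file that was edited earlier can be left unchanged without any error. The following check is an added example, not part of the original script: it reads a config file and reports which of the script's directives are not in effect. The function names, the EXPECTED list and the sample file are assumptions made for this illustration, and it assumes whitespace-separated `Keyword value` lines.

```shell
#!/bin/sh
# Added example, not part of the original script: checks that the directives
# the sed commands target really are in effect in a given sshd_config.

# Directive/value pairs taken from the sed commands in the script above.
EXPECTED="X11Forwarding no
MaxAuthTries 1
ClientAliveInterval 300
ClientAliveCountMax 0
IgnoreRhosts yes
HostbasedAuthentication no
PermitEmptyPasswords no
AllowTcpForwarding no
StrictModes yes"

# effective_value FILE KEY: print the global value set for KEY in FILE.
# sshd keeps the first value it reads for a keyword, keywords are
# case-insensitive, and everything after a Match line is conditional.
effective_value () {
    awk -v key="$2" '
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# audit_sshd_config FILE: print one line per directive that is unset or
# differs from EXPECTED; return 0 when all match, 1 otherwise.
audit_sshd_config () {
    rc=0
    while read -r key want; do
        got=$(effective_value "$1" "$key")
        if [ "$got" != "$want" ]; then
            echo "NOT APPLIED: $key (want '$want', file has '${got:-nothing set}')"
            rc=1
        fi
    done <<EOF
$EXPECTED
EOF
    return "$rc"
}

# Constructed sample: a config whose MaxAuthTries comment was already edited,
# so the pattern '#MaxAuthTries 6' never matched and sed changed nothing.
sample=$(mktemp)
printf '%s\n' 'X11Forwarding no' '#MaxAuthTries 3' 'ClientAliveInterval 300' \
    'ClientAliveCountMax 0' 'IgnoreRhosts yes' 'HostbasedAuthentication no' \
    'PermitEmptyPasswords no' 'AllowTcpForwarding no' 'StrictModes yes' > "$sample"
audit_sshd_config "$sample" || echo "fix the lines above before restarting sshd"
rm -f "$sample"
```

On a real server, call `audit_sshd_config /etc/ssh/sshd_config` after the script has run, and keep your current SSH session open until a second login succeeds.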
Next, type the following command to execute the script. For example, if you named the script secure_ssh.sh:
bash secure_ssh.sh
Conclusion
And that’s it. I am not saying that this article is enough to protect your server.
Protecting a server takes many techniques: SSH configuration, firewall configuration, fail2ban configuration, … But this script only helps you do the SSH configuration faster.
(This is an article from my old blog that has been inactive for a long time, I don’t want to throw it away so I will keep it and hope it helps someone).