$ sudo yum install openssh*
$ sudo apt-get install openssh*
/etc/ssh/sshd_config. Remember that in /etc/ssh[d]_config the FIRST instance of a setting is the effective one: a duplicate keyword further down the file is silently ignored. For example, the configuration below accepts only SSH key authentication:
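As an added example (not a configuration from the original page), the script below embeds a constructed sshd_config that permits only public-key logins, and shows why the first occurrence of a keyword wins: the function effective_setting returns the value sshd will actually use, so the accidental second PasswordAuthentication line at the end of the sample has no effect. The sample config and the function names are assumptions made for this demonstration.

```shell
#!/bin/sh
# Added example: demonstrate that the FIRST occurrence of a keyword in
# sshd_config is the effective one. The config below is constructed for this
# demonstration and is not taken from any real host.
SAMPLE_SSHD_CONFIG=$(cat <<'EOF'
# constructed sample sshd_config: key-only authentication
Port 222
PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication no
PermitRootLogin no
# a later duplicate added by mistake: sshd ignores it, the line above wins
PasswordAuthentication yes
EOF
)

# effective_setting KEYWORD : print the value on the first non-comment line whose
# keyword matches (keywords are case-insensitive in sshd_config), which is how
# sshd resolves duplicates. Reads the config text from stdin.
effective_setting() {
    awk -v key="$1" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }    # skip comments and blank lines
        tolower($1) == tolower(key) { print $2; exit }  # first match wins
    '
}

# key_only_auth : succeed (exit 0) when the sample config, read the way sshd
# reads it, refuses passwords and accepts public keys.
key_only_auth() {
    pw=$(printf '%s\n' "$SAMPLE_SSHD_CONFIG" | effective_setting PasswordAuthentication)
    pk=$(printf '%s\n' "$SAMPLE_SSHD_CONFIG" | effective_setting PubkeyAuthentication)
    [ "$pw" = "no" ] && [ "$pk" = "yes" ]
}

printf 'effective PasswordAuthentication: %s\n' \
    "$(printf '%s\n' "$SAMPLE_SSHD_CONFIG" | effective_setting PasswordAuthentication)"
if key_only_auth; then echo "key-only authentication: yes"; else echo "key-only authentication: NO"; fi
```

On a real host the authoritative check is `sudo sshd -T`, which prints the configuration sshd has actually resolved (duplicates already collapsed), so `sudo sshd -T | grep -i passwordauthentication` is the one-liner to confirm the setting before restarting the daemon.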
In the same file you can also enable a welcome banner (the Banner setting), whose text file can be edited at
Start the server:
$ sudo /etc/init.d/sshd restart
$ service sshd restart
It might be useful to see if the ports are open:
$ nmap localhost -p 22,222
$ sudo ss -tlpn4 | grep sshd
Also, verify whether your SSH daemon is running:
$ ps -A | grep sshd
The command should produce a line like this:
<some number> ? 00:00:00 sshd
If there is no line, your SSH daemon is not running. If it is, you should next check that it's listening for incoming connections:
$ sudo ss -lnp | grep sshd
The above command should produce a line that looks like one of these:
0 128 :::22 :::* users:(("sshd",16893,4))
0 128 *:22 *:* users:(("sshd",16893,3))
Create the keys and then connect:
$ ssh-keygen -t rsa
$ ssh-copy-id -i ~/.ssh/thekeyyouset.pub user@host
$ ssh user@ip -p 222
Add the public key to the server's ~/.ssh/authorized_keys (ssh-copy-id above does this for you). Set up the configuration on the client at
You can mitigate brute force attacks with the following tools:
DenyHosts is a Python-based security tool for SSH servers.
Fail2ban is a similar program that prevents brute force attacks against SSH.
security/sshguard-pf protects hosts from brute force attacks against ssh and other services using pf.
security/sshguard-ipfw protects hosts from brute force attacks against ssh and other services using ipfw.
security/sshguard-ipfilter protects hosts from brute force attacks against ssh and other services using ipfilter.
security/sshblock blocks abusive SSH login attempts.
security/sshit checks for SSH/FTP brute force attempts and blocks the offending IPs.
BlockHosts automatically blocks abusive IP hosts.
Blacklist gets rid of those brute force attempts.
Brute Force Detection is a modular shell script for parsing application logs and checking for authentication failures.
IPQ BDB filter may be considered a fail2ban lite.
Checking the server's logs weekly is important. Depending on the system, they can be at:
/var/log/audit (Fedora 20)
You can set the verbosity with the LogLevel setting (INFO, VERBOSE or DEBUG) in
/etc/ssh/sshd_config. If you cannot find the log file, try:
$ grep -ir ssh /var/log/*
$ grep -ir breakin /var/log/*
$ grep -ir security /var/log/*
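The greps above find individual lines; what the brute force tools listed earlier automate is counting failures per source address and acting on a threshold. As an added example that is not part of the original page, the script below does that count over a few constructed sshd log lines in the usual syslog format. The log lines, the threshold of 3 and the function names are assumptions made for this demonstration.

```shell
#!/bin/sh
# Added example: count failed SSH logins per source address in auth-log lines and
# flag sources at or above a threshold. The lines are constructed for this
# demonstration; the addresses are documentation ranges, not real hosts.
SAMPLE_AUTH_LOG=$(cat <<'EOF'
Mar  3 10:01:12 host sshd[16893]: Failed password for invalid user admin from 198.51.100.7 port 51122 ssh2
Mar  3 10:01:15 host sshd[16893]: Failed password for invalid user admin from 198.51.100.7 port 51123 ssh2
Mar  3 10:01:19 host sshd[16893]: Failed password for root from 198.51.100.7 port 51124 ssh2
Mar  3 10:01:23 host sshd[16893]: Failed password for root from 198.51.100.7 port 51125 ssh2
Mar  3 10:02:01 host sshd[16901]: Accepted publickey for alice from 192.0.2.10 port 40022 ssh2: RSA SHA256:EXAMPLEFINGERPRINT
Mar  3 10:03:44 host sshd[16905]: Failed password for bob from 192.0.2.10 port 40030 ssh2
EOF
)

# failed_logins_by_ip : print "COUNT ADDRESS" for every source address with at
# least one "Failed password" line, most frequent first. Reads log lines from
# stdin. The address is whatever sits between " from " and " port ", so IPv6
# sources are handled too.
failed_logins_by_ip() {
    grep 'sshd\[[0-9]*\]: Failed password' |
        sed -n 's/.* from \([^ ]*\) port .*/\1/p' |
        sort | uniq -c | sort -rn |
        awk '{ print $1, $2 }'
}

# abusive_ips THRESHOLD : print only the addresses whose failure count is >= THRESHOLD
abusive_ips() {
    failed_logins_by_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

echo "failed logins per source:"
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_logins_by_ip
echo "sources with 3 or more failures:"
printf '%s\n' "$SAMPLE_AUTH_LOG" | abusive_ips 3
```

Against a real system the input would be the auth log for your distribution (for example `grep sshd /var/log/auth.log | failed_logins_by_ip`); one legitimate user mistyping a password, like bob above, stays below the threshold, which is exactly the distinction Fail2ban and DenyHosts make before banning an address.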
We can manually audit with some Linux commands. For example, to search for the word Windows:
$ grep Windows access.log
or to just see the last line:
$ tail -n 1 access.log
Another example is looking for SQL injection attacks, where %27 is the URL-encoded form of a single quote:
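As an added example (not a command from the original page), the script below goes a little beyond a plain grep for %27: it inspects only the request field of each access-log line and matches the quote in three forms, URL-encoded (%27, either case), double-encoded (%2527) and raw ('), so a quote in a User-Agent or referer does not produce a false hit. The log lines are constructed in the common "combined" format, and the file name access.log in the usage note is an assumption.

```shell
#!/bin/sh
# Added example: look for single quotes in the request field of web-server
# access-log lines. The lines below are constructed for this demonstration.
SAMPLE_ACCESS_LOG=$(cat <<'EOF'
203.0.113.5 - - [03/Mar/2014:10:15:01 +0000] "GET /index.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1)"
203.0.113.9 - - [03/Mar/2014:10:15:07 +0000] "GET /index.php?id=1%27 HTTP/1.1" 500 734 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.9 - - [03/Mar/2014:10:15:09 +0000] "GET /index.php?id=1%2527 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.2 - - [03/Mar/2014:10:16:30 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.2 - - [03/Mar/2014:10:16:35 +0000] "POST /login.php?user=a' HTTP/1.1" 302 0 "-" "Mozilla/5.0 (X11; Linux x86_64)"
EOF
)

# sqli_suspects : print "ADDRESS REQUEST" for each line whose request field (the
# text between the first pair of double quotes) contains a single quote as %27,
# %2527 or a literal '. Reads log lines from stdin.
sqli_suspects() {
    awk -F'"' -v q="'" '
        {
            req = tolower($2)
            split($1, pre, " ")                 # pre[1] is the client address
            if (req ~ /%27|%2527/ || index(req, q) > 0)
                print pre[1], $2
        }'
}

# sqli_suspect_ips : the distinct client addresses behind those requests
sqli_suspect_ips() {
    sqli_suspects | awk '{ print $1 }' | sort -u
}

echo "suspicious requests:"
printf '%s\n' "$SAMPLE_ACCESS_LOG" | sqli_suspects
echo "distinct sources:"
printf '%s\n' "$SAMPLE_ACCESS_LOG" | sqli_suspect_ips
```

On a real server run it as `sqli_suspects < access.log`; the first sample line shows why restricting the match to the request field matters, since "Windows" and other strings in the User-Agent would otherwise be searched as well, and the 500 status on the %27 request is the kind of companion signal worth correlating with the match.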
Automated tools are also available, for example Scalp.