Setting Up an SSH Server in Fedora 20
Server-Side
Installing:
$ sudo yum install openssh*
or
$ sudo apt-get install openssh*
Configure /etc/ssh/sshd_config. Remember that in /etc/ssh/ssh[d]_config the FIRST instance of a setting is the effective one. For example, the configuration below only accepts SSH keys:
Port 222
ChallengeResponseAuthentication no
GSSAPIAuthentication no
KerberosAuthentication no
PasswordAuthentication no
PubkeyAuthentication yes
RSAAuthentication yes
RhostsRSAAuthentication no
In the file above you can also enable a welcome banner, which can be edited at /etc/issue.net.
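The first-instance rule described above is easy to trip over when a hardening line is appended below an earlier setting. The following is an added example (not from the original page) that reads the global section of an sshd_config-style file the way that rule describes and checks the keys-only policy. The function names and the sample file are constructed for illustration, and Include directives and Match blocks are not evaluated.

```shell
#!/bin/sh
# Added example: first-match audit of an sshd_config-style file.

# effective_setting FILE KEYWORD -> prints the value taken from the global
# section (the first occurrence), lowercased; prints nothing if unset.
effective_setting() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        {
            sub(/[ \t]*=[ \t]*/, " ")        # "Keyword=value" is also accepted
            key = tolower($1)                # keywords are case-insensitive
            if (key == "match") exit         # Match blocks are conditional: stop
            if (key == want) { print tolower($2); exit }   # first instance wins
        }' "$1"
}

# audit_keys_only FILE -> returns 0 only if the effective settings allow
# public-key logins and nothing password-based (the policy shown on this page).
audit_keys_only() {
    rc=0
    for pair in PasswordAuthentication:no ChallengeResponseAuthentication:no \
                PubkeyAuthentication:yes; do
        key=${pair%%:*}; want=${pair##*:}
        got=$(effective_setting "$1" "$key")
        got=${got:-yes}                      # all three default to yes when unset
        if [ "$got" != "$want" ]; then
            echo "FAIL $key: effective '$got', expected '$want'"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: a hardening line appended BELOW an earlier setting.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
Port 222
PasswordAuthentication yes
PubkeyAuthentication yes
ChallengeResponseAuthentication no
# appended later; ignored because the keyword is already set above
PasswordAuthentication no
EOF

audit_keys_only "$SAMPLE" || echo "config is not keys-only"
```

On a live server, `sudo sshd -T` prints the effective configuration as sshd itself parses it, which is the authoritative check.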
Start the server:
$ sudo /etc/init.d/sshd restart
or
$ service sshd restart
It might be useful to see if the ports are open:
$ nmap localhost -p 22,222
$ sudo ss -tlpn4 | grep sshd
Also, verify whether your SSH daemon is running:
$ ps -A | grep sshd
The command should produce a line like this:
$ <some number> ? 00:00:00 sshd
If there is no line, your SSH daemon is not running. If it is, you should next check that it's listening for incoming connections:
$ sudo ss -lnp | grep sshd
The above command should produce a line that looks like one of these:
$ 0 128 :::22 :::* users:(("sshd",16893,4))
$ 0 128 *:22 *:* users:(("sshd",16893,3))
Client Side
Create the keys and then connect:
$ ssh-keygen -t rsa
$ ssh-copy-id -i ~/.ssh/thekeyyouset.pub user@host
$ ssh user@ip -p 222
Add the public key to the server's ~/.ssh/authorized_keys. Set up the client configuration in the ~/.ssh/config file.
Security
You can mitigate brute-force attacks with the following tools:
- DenyHosts is a Python based security tool for SSH servers.
- Fail2ban is a similar program that prevents brute force attacks against SSH.
- security/sshguard-pf protects hosts from brute force attacks against ssh and other services using pf.
- security/sshguard-ipfw protects hosts from brute force attacks against ssh and other services using ipfw.
- security/sshguard-ipfilter protects hosts from brute force attacks against ssh and other services using ipfilter.
- security/sshblock blocks abusive SSH login attempts.
- security/sshit checks for SSH/FTP bruteforce and blocks given IPs.
- BlockHosts automatically blocks abusive IP hosts.
- Blacklist gets rid of those bruteforce attempts.
- Brute Force Detection is a modular shell script for parsing application logs and checking for authentication failures.
- IPQ BDB filter may be considered as a fail2ban lite.
Log Audit
Checking the server's logs weekly is important. Depending on the system, they can be at:
- /var/log/apache2/access.log (Debian)
- /var/log/secure
- /var/log/auth.log (old)
- /var/log/audit (Fedora 20)
You can define your log level by setting LogLevel to DEBUG, INFO, or VERBOSE in /etc/ssh/sshd_config. If you cannot find the file, try:
$ grep -ir ssh /var/log/*
$ grep -ir breakin /var/log/*
$ grep -ir security /var/log/*
We can manually audit with some Linux commands. For example, to search for the word Windows:
$ cat access.log | grep Windows
or to just see the last line:
$ tail -n 1 access.log
Another example is looking for SQL injection attacks, where %27 is the URL-encoded form of a single quote:
Automated tools are also available, for example Scalp.