https://besterry.com/tags/ssh/Recent content in Ssh on Besterry — Linux & DevOps NotesHugoen-usMon, 01 Apr 2024 00:00:00 +0000https://besterry.com/posts/ssh-hardening/Mon, 01 Apr 2024 00:00:00 +0000https://besterry.com/posts/ssh-hardening/<p>Every public-facing server gets port-scanned within minutes of going online. Default SSH settings are decent but not great. Here is the checklist I run through on every new VPS.</p> <h2 id="disable-password-authentication">Disable password authentication</h2> <p>In /etc/ssh/sshd_config:</p> <pre><code>PasswordAuthentication no PubkeyAuthentication yes ChallengeResponseAuthentication no KbdInteractiveAuthentication no </code></pre> <h2 id="restrict-root-login">Restrict root login</h2> <pre><code>PermitRootLogin prohibit-password </code></pre> <p>This allows root login with key but not password, which is fine for automation. For stricter setups, use no and sudo from an unprivileged user.</p>