Script automatically configure SSH security


WriteBash - A script to automatically configure SSH security. For Linux server administrators, protecting SSH is important.

Many articles already discuss what to configure to protect SSH connections to your server.

In this article, I will give you a simple script to do that faster.

Script to automatically configure SSH security in CentOS

I wrote this script and used it on CentOS 6 and CentOS 7. I’m sure it works well.

There are 2 things you need to do before running this script.

Create a regular user

You have to create a regular user: a non-root user without sudo rights. This user has no administrator role; it exists only so you can SSH into the server.

# useradd youruser

Then set a password for this user.

# passwd youruser

Find your public IP

Second, you have to find your public IP. You can use this website to find it.

You need a static public IP to do this. If your internet router uses a dynamic public IP, you can ignore this.

Copy script and execute it


Next, copy the script contents below to your server. Remember to edit the 2 places I wrote.

#!/bin/bash
#
# Script by: Danie Pham
# Script date: 04-06-2019
# Script version: 1.0
# Script use: use to configure ssh security faster
# Remember to edit NOTE 1 & 2 in this script

# Function configure ssh
f_config_ssh () {
	# Disable X11 Forwarding in Linux server
	sed -i 's/X11Forwarding yes/X11Forwarding no/g' /etc/ssh/sshd_config

	# Set MaxAuthTries to 1
	sed -i 's/#MaxAuthTries 6/MaxAuthTries 1/g' /etc/ssh/sshd_config

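	# Auto disconnect after 5 minutes. This relies on the behaviour of OpenSSH
	# before 8.2 (CentOS 6 and 7); from 8.2 on, ClientAliveCountMax 0 disables
	# the disconnect instead.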
	sed -i 's/#ClientAliveInterval 0/ClientAliveInterval 300/g' /etc/ssh/sshd_config
	sed -i 's/#ClientAliveCountMax 3/ClientAliveCountMax 0/g' /etc/ssh/sshd_config

	# Ignore .rhosts files and keep host-based authentication disabled
	sed -i 's|#IgnoreRhosts yes|IgnoreRhosts yes|g' /etc/ssh/sshd_config
	sed -i 's/#HostbasedAuthentication no/HostbasedAuthentication no/g' /etc/ssh/sshd_config

	# Don't allow empty password
	sed -i 's/#PermitEmptyPasswords no/PermitEmptyPasswords no/g' /etc/ssh/sshd_config

	# Don't allow TCP forwarding, so the server cannot be used as a relay for other traffic
	sed -i 's|#AllowTcpForwarding yes|AllowTcpForwarding no|g' /etc/ssh/sshd_config

	# Keep privilege separation and strict file-permission checks explicitly enabled
	sed -i 's|#UsePrivilegeSeparation yes|UsePrivilegeSeparation yes|g' /etc/ssh/sshd_config
	sed -i 's|#StrictModes yes|StrictModes yes|g' /etc/ssh/sshd_config

	# Config banner for ssh, just optional
	sed -i 's|#Banner none|Banner /etc/ssh/ssh_banner.txt|g' /etc/ssh/sshd_config

	###########################################################
	### NOTE 1: edit youruser and your ip to the line below ###
	###########################################################
	echo "AllowUsers youruser@192.168.10.10 youruser@192.168.10.11" >> /etc/ssh/sshd_config

	##############################################
	### NOTE 2: edit your ip to the line below ###
	##############################################	
	echo "sshd : 192.168.10.10 192.168.10.11" >> /etc/hosts.allow

	# Deny sshd to every address not listed in /etc/hosts.allow
	echo "sshd : ALL" >> /etc/hosts.deny

	# Change content of banner as you want
	cat > /etc/ssh/ssh_banner.txt <<"EOF"
*****************************************************************
	        PLEASE READ CAREFULLY BELOW !!
	        ------------------------------
    1. Do not stop IPtables service, just edit it if needed.
    2. Do not change SSH configuration if you don't know it.
    3. SSH just allow a few special user, do not change it.

*****************************************************************
EOF

	# Check the configuration, then restart ssh to apply it; a failed check
	# leaves the running sshd untouched
	sshd -t && service sshd restart
}

# Function main
f_main () {
	f_config_ssh
}
f_main

exit

You can download the full script from this link.

Next, type the following command to execute the script. This example assumes you named the script secure_ssh.sh.

# bash secure_ssh.sh
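
The sed commands in the script only change a line that matches the stock default exactly, so a setting can be silently skipped on a system whose sshd_config differs. As an added example (not part of the original script; the function names and the sample config are constructed for illustration), this check reports which of the intended settings are actually in effect:

```shell
#!/bin/bash
# Added example; helper names are illustrative, not from the original script.
# Print the first uncommented value of a keyword in the global section
# (before any Match block); sshd keeps the first value it reads.
effective_value () {
	awk -v key="$2" '
		tolower($1) == "match" { exit }
		tolower($1) == tolower(key) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
	' "$1"
}

# Print each intended setting that is not in effect; return how many.
audit_sshd_config () {
	local file=$1 missing=0 key want got
	while read -r key want; do
		got=$(effective_value "$file" "$key")
		if [ "$got" != "$want" ]; then
			echo "NOT APPLIED: $key (want '$want', found '${got:-unset}')"
			missing=$((missing + 1))
		fi
	done <<'EOF'
X11Forwarding no
MaxAuthTries 1
ClientAliveInterval 300
ClientAliveCountMax 0
IgnoreRhosts yes
HostbasedAuthentication no
PermitEmptyPasswords no
AllowTcpForwarding no
StrictModes yes
EOF
	return "$missing"
}

# Constructed sample: a config after the script ran on a system whose shipped
# defaults differed from the sed patterns in two places.
write_sample_config () {
	cat > "$1" <<'EOF'
X11Forwarding no
#MaxAuthTries 3
ClientAliveInterval 300
ClientAliveCountMax 0
IgnoreRhosts yes
HostbasedAuthentication no
PermitEmptyPasswords no
AllowTcpForwarding yes
StrictModes yes
EOF
}
```

After running the script, call audit_sshd_config /etc/ssh/sshd_config; a non-zero return value is the number of settings that still need to be edited by hand.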

Conclusion

And that’s it. I am not saying that this article is enough to protect your server.

Protecting a server involves many techniques: ssh configuration, firewall configuration, fail2ban configuration, … But this script only helps you apply the ssh configuration faster.
