A logon or welcome banner can be configured in the SSH server with the Banner directive in the /etc/ssh/sshd_config file. The Banner directive is only available for SSH protocol version 2, and by default no banner is configured.

1. Create a banner file.

First you need to create the file that will hold the banner shown to your users. In Debian, the default banner is located in the /etc/issue.net file.

nano /etc/issue.net

You can put here anything you want or just a welcome message like this:

###############################################################

Welcome to my server!
Disconnect IMMEDIATELY if you are not an authorized user!

###############################################################

2. Configure the /etc/ssh/sshd_config file

Now add the line Banner /etc/issue.net to the /etc/ssh/sshd_config file, or remove the # from the beginning of that line if it is already there.

nano  /etc/ssh/sshd_config
Banner /etc/issue.net

Restart the sshd daemon for the changes to take effect.

5 Steps to Secure your SSH Server

Valic —  February 5, 2013 — 3 Comments

SSH is the standard method for admins to connect to Linux servers securely. But the default install of the SSH server is far from perfect and may allow attackers to compromise your server. This guide shows you how to secure your SSH server in a few steps.

1. Use Strong SSH Passwords

Try to make all your passwords more secure by following these rules:

  • Try to use a minimum of 8 characters
  • Use upper and lower case letters
  • Also use numbers in your password
  • Use special characters like #$&*

Linux also has a password generator called pwgen. Install and use it with the following commands:

apt-get install pwgen

The pwgen command will generate a list of passwords of 8 characters. You can use the man page to find more options.

2. Disable SSH root logins

Using ssh as a socks proxy

Valic —  January 5, 2012 — Leave a comment

SSH can forward traffic and act as a SOCKS proxy.

This is fantastic for encrypted browsing over unsecured wifi connections. You can set up Firefox, YM or any other SOCKS 5 compliant program to make use of the proxy. After executing the command below, ssh will be listening on localhost (127.0.0.1), and you then point your SOCKS compliant program to this IP and the port that you specify below.

The command:

ssh -qTfnN2 -D 8080 -p 22 [email protected]

Explanations:

-q :- Be very quiet, we are acting only as a tunnel.
-T :- Do not allocate a pseudo tty, we are only acting as a tunnel.
-f :- Move the ssh process to the background, as we don't want to interact with this ssh session directly.
-N :- Do not execute a remote command.
-p :- Port to connect to on the remote host.
-n :- Redirect standard input to /dev/null.
-2 :- Forces ssh to try protocol version 2 only.
-D :- Specifies a local “dynamic” application-level port forwarding. This works by allocating a socket to listen to port on the local side, and whenever a connection is made to this port, the connection is forwarded over the secure channel, and the application protocol is then used to determine where to connect to from the remote machine. Currently the SOCKS4 and SOCKS5 protocols are supported, and ssh will act as a SOCKS server. Only root can forward privileged ports.

Enjoy.

On Debian Squeeze edit the sshd_config file located in /etc/ssh/ :

Change PermitRootLogin from yes/no to “without-password”:

#PermitRootLogin yes
PermitRootLogin without-password

Restart the ssh daemon and try to log in with the root account.

Enjoy.

3 Ways to Secure SSH Server

Valic —  October 7, 2011 — Leave a comment

On Debian Squeeze the configuration file is located at /etc/ssh/sshd_config, and once all the changes are made you will need to restart the server.

1. The first step to a more secure ssh server is:

Change the standard port for ssh server

The first safety rule is to change the default port, because the majority of automated tools perform brute force or dictionary attacks against this port.

In the sshd_config file change the Port directive to another port. I recommend using a port above 1024.

Port 22

Will become:

Port 22222 or some other port

2. The second change is:

Disable root access
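
The three settings changed in these posts (Port, PermitRootLogin and Banner) can be checked with a short script. This is an added example, not part of the original posts; the function names and the sample config are constructed for illustration. It assumes whitespace-separated directives and reads only the global section, before any Match block.

```shell
#!/bin/sh
# Added example: check the global section of an sshd_config for the
# three directives these posts change.

# Print every value given for keyword $2 in file $1, one per line.
# Keywords are case-insensitive; comment lines are skipped and reading
# stops at the first Match block.
sshd_values() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print $2 }
    ' "$1"
}

# Print one finding per line for file $1; print nothing if all three pass.
audit_sshd_config() {
    ports=$(sshd_values "$1" Port)
    # For these two keywords sshd uses the first value it reads.
    root=$(sshd_values "$1" PermitRootLogin | head -n 1)
    banner=$(sshd_values "$1" Banner | head -n 1)

    # Port may be repeated: sshd listens on each one, and on 22 if none is set.
    if [ -z "$ports" ] || printf '%s\n' "$ports" | grep -qx 22; then
        echo "Port: sshd still listens on the default port 22"
    fi
    case "$(printf '%s' "$root" | tr 'A-Z' 'a-z')" in
        yes) echo "PermitRootLogin: root can log in with a password" ;;
        "")  echo "PermitRootLogin: not set, default depends on the OpenSSH version" ;;
    esac
    case "$banner" in
        ""|none) echo "Banner: no pre-login banner configured" ;;
    esac
}

# Constructed sample: port changed, root login left at yes, Banner commented out.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# Constructed sample sshd_config
Port 22222
permitrootlogin yes
#Banner /etc/issue.net
EOF
audit_sshd_config "$sample"
rm -f "$sample"
```

On a live host, sshd -T prints the effective configuration including defaults, and is the authoritative check.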
