Many people install sshd and then leave it wide open to almost every account on the system without a second thought. Unfortunately, that leaves you exposed the moment you create that testing account with the password "password" that you swear to yourself you will clean up this time.

As everyone should be aware, creating such an account leads to a world of hurt and can cause you nothing but trouble in the long run. Below are a few hints for configuring the SSH daemon to provide some very basic security.

Adding the following three lines to your sshd_config file will help with basic security:

PermitRootLogin no
IgnoreRhosts yes
AllowGroups sshusers

The first line, PermitRootLogin no, disables direct root logins over SSH. Even if I know your root password, ssh to your server and type in the correct password, the daemon will reject my attempt as if the credentials were invalid.

The second line, IgnoreRhosts yes, tells sshd to ignore users' .rhosts and .shosts files during host-based authentication. These files let a user declare trusted remote hosts that may log in without further authentication, a decision you do not want to delegate to them, so you should ignore these files.

The third line, AllowGroups sshusers, requires a valid user account to be a member of a specific group, in this case sshusers. Assume you have the accounts user1 and user2: user1 is a member of the sshusers group but user2 isn't. Even if you know the correct password for both accounts, you will only be able to log in as user1. A login attempt as user2 will be rejected as if the credentials were incorrect.

The third option goes a long way in helping secure your server, but I cannot stress enough that putting every account in this group, or specifying a system-wide group, isn't going to help squat; you should always limit the number of people with remote access.
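To see whether a given sshd_config actually contains the three settings above (and nothing that quietly undoes them), here is a small POSIX shell audit. It is an added example written for this post, not a script from the original author: it assumes a readable sshd_config in the standard "keyword argument" form, only looks at the global section before the first Match block, and treats an unset PermitRootLogin as a warning because the OpenSSH default (prohibit-password) still lets root in with a key. The sample config at the bottom is constructed for the demo and is not a real system file.

```shell
#!/bin/sh
# Added example (not from the post): audit an sshd_config for the three directives
# discussed above. Assumes whitespace-separated "Keyword value" lines.

# Print the effective value of a directive. sshd honours the first occurrence of
# most keywords, so we print the first match, case-insensitively, skipping
# comments, and stop at the first Match block (conditional settings are out of scope).
sshd_value() {
  # $1 = config file, $2 = keyword
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*(#|$)/ { next }          # skip comments and blank lines
    tolower($1) == "match" { exit }         # only the global section counts here
    tolower($1) == key {
      sub(/^[[:space:]]*[^[:space:]]+[[:space:]]*/, "")   # drop the keyword
      print; exit
    }
  ' "$1"
}

# Report on the three settings; returns 0 when all pass, 1 on any warning, 2 if unreadable.
audit_sshd_config() {
  f="$1"; rc=0
  [ -r "$f" ] || { echo "cannot read $f" >&2; return 2; }

  v=$(sshd_value "$f" PermitRootLogin)
  case "$v" in
    no) echo "ok    PermitRootLogin no" ;;
    "") echo "WARN  PermitRootLogin unset (default prohibit-password: root key logins still work)"; rc=1 ;;
    *)  echo "WARN  PermitRootLogin $v"; rc=1 ;;
  esac

  v=$(sshd_value "$f" IgnoreRhosts)
  case "$v" in
    yes|"") echo "ok    IgnoreRhosts yes" ;;     # unset is fine: OpenSSH defaults to yes
    *)      echo "WARN  IgnoreRhosts $v"; rc=1 ;;
  esac

  v=$(sshd_value "$f" AllowGroups)
  if [ -z "$v" ]; then
    echo "WARN  AllowGroups unset: every account with a valid shell may log in"; rc=1
  else
    # A wildcard or the catch-all "users" group is system wide, which defeats the purpose.
    case " $v " in
      *'*'*|*' users '*) echo "WARN  AllowGroups '$v' is effectively system wide"; rc=1 ;;
      *)                 echo "ok    AllowGroups $v" ;;
    esac
  fi
  return $rc
}

# Demo on a constructed, deliberately weak config (not a real system file).
demo=$(mktemp)
cat > "$demo" <<'EOF'
# constructed sample sshd_config
Port 22
PermitRootLogin yes
AllowGroups sshusers wheel
EOF
audit_sshd_config "$demo" || echo "audit found issues in the sample config"
rm -f "$demo"
```

To check a live server, run `audit_sshd_config /etc/ssh/sshd_config` as root; note that `sshd -T` prints the daemon's effective settings (including defaults and Match processing) and is the authoritative answer when the file and the audit disagree.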