Ubuntu - SSH - Configuring sshd
First, make a backup of your sshd_config file by copying it to your home directory, or by making a read-only copy in /etc/ssh by doing:

    sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.factory-defaults
    sudo chmod a-w /etc/ssh/sshd_config.factory-defaults
Disable logins for the **root** user, allow login only for the core user, and disable password-based authentication.
permissions: 0600, owner: root:root

- /etc/ssh/sshd_config

    # Use most defaults for sshd configuration.
    UsePrivilegeSeparation sandbox
    Subsystem sftp internal-sftp
    PermitRootLogin no
    AllowUsers core
    PasswordAuthentication no
    ChallengeResponseAuthentication no
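As an added check, not part of the original page, the following POSIX shell script audits an sshd_config for the directives set above. sshd honours the first uncommented occurrence of a directive, so the audit reads the file the same way rather than just grepping for the hardened lines; it assumes only awk and mktemp are present and works on constructed sample configs, not the real /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the hardening directives set above.
# sshd honours the FIRST uncommented occurrence of a directive, so a stray
# "PermitRootLogin yes" above the hardened block silently wins; the check
# reads the file the same way instead of merely grepping for the good lines.

# Print the effective value of a directive (case-insensitive, first match wins).
sshd_directive() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/ { next }                      # comments, blank lines
        tolower($1) == key { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$1"
}

# Compare effective values with the page's settings; return 1 on any mismatch.
audit_sshd_config() {
    cfg=$1; rc=0
    for want in "PermitRootLogin no" "PasswordAuthentication no" \
                "ChallengeResponseAuthentication no" "AllowUsers core"; do
        name=${want%% *}; expected=${want#* }
        got=$(sshd_directive "$cfg" "$name")
        if [ "$got" != "$expected" ]; then
            echo "FAIL: $name is '${got:-unset}', expected '$expected'"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample configs (not real system files) for a dry run.
write_hardened_sample() {
    printf '%s\n' "UsePrivilegeSeparation sandbox" "Subsystem sftp internal-sftp" \
        "PermitRootLogin no" "AllowUsers core" \
        "PasswordAuthentication no" "ChallengeResponseAuthentication no" > "$1"
}
write_shadowed_sample() {
    # Same hardened lines, but an earlier uncommented directive takes precedence.
    printf '%s\n' "#PermitRootLogin prohibit-password" "PermitRootLogin yes" \
        "PermitRootLogin no" "AllowUsers core" \
        "PasswordAuthentication no" "ChallengeResponseAuthentication no" > "$1"
}

f=$(mktemp)
write_hardened_sample "$f"; audit_sshd_config "$f" && echo "hardened sample: OK"
write_shadowed_sample "$f"; audit_sshd_config "$f" || echo "shadowed sample: rejected"
rm -f "$f"
```

Point `audit_sshd_config` at a real file to check a host; a non-zero exit means at least one directive is unset, wrong, or shadowed by an earlier line.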
Changing the sshd port
SSH is socket-activated by default. The configuration for this can be found at /usr/lib/systemd/system/sshd.socket.
- /usr/lib/systemd/system/sshd.socket

    [Socket]
    ListenStream=2222
    FreeBind=true
    Accept=yes
sshd will now listen only on port 2222 on all interfaces when the system is built.
Multiple ListenStream lines can be specified, in which case sshd will listen on all the specified sockets:
- /usr/lib/systemd/system/sshd.socket

    [Socket]
    ListenStream=2222
    ListenStream=10.20.30.40:2223
    FreeBind=true

sshd will now listen on port 2222 on all configured addresses, and on port 2223 on 10.20.30.40.
The complete contents of /etc/systemd/system/sshd.socket would now be:
- /etc/systemd/system/sshd.socket

    [Unit]
    Description=OpenSSH Server Socket
    Conflicts=sshd.service

    [Socket]
    ListenStream=2222
    ListenStream=10.20.30.40:2223
    FreeBind=true
    Accept=yes

    [Install]
    WantedBy=sockets.target
Activating changes
After the edited file is written to disk, you can activate it without rebooting with:
    sudo systemctl daemon-reload
We now see that systemd is listening on the new sockets:
    systemctl status sshd.socket

Returns

    ● sshd.socket - OpenSSH Server Socket
       Loaded: loaded (/etc/systemd/system/sshd.socket; disabled; vendor preset: disabled)
       Active: active (listening) since Wed 2015-10-14 21:04:31 UTC; 2min 45s ago
       Listen: [::]:2222 (Stream)
               10.20.30.40:2223 (Stream)
     Accepted: 1; Connected: 0
    ...
And if we attempt to connect to port 22 on our public IP, the connection is rejected, but port 2222 works:
    $ ssh core@[public IP]
    ssh: connect to host [public IP] port 22: Connection refused
    $ ssh -p 2222 core@[public IP]
    Enter passphrase for key '/home/user/.ssh/id_rsa':