SSH Configuration File Settings and Testing
I am using 2 VMs running RHEL 8.x:
IP 192.168.122.228 Hostname server.example.com
IP 192.168.122.71 Hostname Client.example.com
1. How to Change ssh Port.
[root@server ~]# vim /etc/ssh/sshd_config ( Change below Line )
#Port 22
to
Port 2022
[root@server ~]# systemctl restart sshd
[root@Client ~]# ssh raju@192.168.122.228
ssh: connect to host 192.168.122.228 port 22: Connection refused
[root@Client ~]# ssh -p 2022 raju@192.168.122.228
raju@192.168.122.228's password:
Last login: Thu Sep 22 10:05:53 2022 from 192.168.122.71
[raju@server ~]$
2. How to Change ssh LogLevel.
The possible values for LogLevel are: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3. The default is INFO. DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify higher levels of debugging output.
sshd_config(5) also notes that logging with a DEBUG level violates the privacy of users and is not recommended.
[root@server ~]# vim /etc/ssh/sshd_config ( Change below Line )
#LogLevel INFO
to
LogLevel DEBUG
[root@server ~]# systemctl restart sshd
[root@Client ~]# ssh raju@192.168.122.228
raju@192.168.122.228's password:
Last login: Thu Sep 22 10:05:53 2022 from 192.168.122.71
[raju@server ~]$ sudo su -
[raju@server ~]# tail -f /var/log/secure
Sep 22 10:20:47 server sshd[1267]: debug1: Forked child 1298.
Sep 22 10:20:47 server sshd[1298]: debug1: Set /proc/self/oom_score_adj to 0
Sep 22 10:20:47 server sshd[1298]: debug1: rexec start in 5 out 5 newsock 5 pipe 7 sock 8
Sep 22 10:20:47 server sshd[1298]: debug1: inetd sockets after dupping: 3, 3
Sep 22 10:20:47 server sshd[1298]: Connection from 192.168.122.71 port 52040 on 192.168.122.228 port 2022
Sep 22 10:20:47 server sshd[1298]: debug1: Client protocol version 2.0; client software version OpenSSH_7.4
Sep 22 10:20:47 server sshd[1298]: debug1: match: OpenSSH_7.4 pat OpenSSH* compat 0x04000000
Sep 22 10:20:47 server sshd[1298]: debug1: Local version string SSH-2.0-OpenSSH_7.4
Sep 22 10:20:47 server sshd[1298]: debug1: Enabling compatibility mode for protocol 2.0
Sep 22 10:20:47 server sshd[1298]: debug1: SELinux support disabled [preauth]
Sep 22 10:20:47 server sshd[1298]: debug1: permanently_set_uid: 74/74 [preauth]
3. How to disable root Login.
[root@server ~]# vim /etc/ssh/sshd_config ( Change below Line )
#PermitRootLogin yes
to
PermitRootLogin no
[root@server ~]# systemctl restart sshd
[root@Client ~]# ssh root@192.168.122.228
root@192.168.122.228's password:
Permission denied, please try again.
4. How to Enable X11 Forwarding in ssh.
[root@server ~]# yum install -y xorg-x11-server-Xorg xorg-x11-xauth xorg-x11-apps
[root@server ~]# vim /etc/ssh/sshd_config ( Change below Line )
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
to
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes
[root@server ~]# systemctl restart sshd
[root@Client ~]# ssh raju@192.168.122.228 -X
raju@192.168.122.228's password:
Last login: Thu Sep 22 10:35:23 2022 from 192.168.122.71
/usr/bin/xauth: file /home/raju/.Xauthority does not exist
[raju@server ~]$ xclock
Warning: locale not supported by Xlib, locale set to C
5. How to Enable strong Ciphers in SSH.
[root@server ~]# vim /etc/ssh/sshd_config (add the line below that matches your release)
# For RHEL/CentOS 6.x
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
# For RHEL/CentOS 7.x
Ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
# For RHEL/CentOS 8.x
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,chacha20-poly1305@openssh.com,aes128-gcm@openssh.com,aes256-gcm@openssh.com
[root@server ~]# systemctl restart sshd
6. How to Enable strong MAC algorithms in SSH.
[root@server ~]# vim /etc/ssh/sshd_config (add the line below that matches your release)
# For RHEL/CentOS 6.x
MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160@openssh.com
# For RHEL/CentOS 7.x
MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160@openssh.com
# For RHEL/CentOS 8.x
MACs hmac-sha2-256,hmac-sha2-512
[root@server ~]# systemctl restart sshd
7. How to Enable strong Key Exchange algorithms in SSH.
[root@server ~]# vim /etc/ssh/sshd_config (add the line below that matches your release)
# For RHEL/CentOS 6.x
KexAlgorithms diffie-hellman-group-exchange-sha256
# For RHEL/CentOS 7.x
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
# For RHEL/CentOS 8.x
KexAlgorithms diffie-hellman-group-exchange-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256
[root@server ~]# systemctl restart sshd
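A lint for the Ciphers, MACs and KexAlgorithms lines added in steps 5 to 7 (an added example, not part of the original post): it flags a space inside the comma-separated list, duplicate entries, and names on a weak list. The function name lint_algos, the WEAK list and the sample file are assumptions made for this example.

```shell
# Example policy list (an assumption; replace it with your own baseline).
WEAK='hmac-sha1 hmac-md5 umac-64@openssh.com hmac-ripemd160 hmac-ripemd160@openssh.com 3des-cbc arcfour'

# lint_algos FILE: check the Ciphers, MACs and KexAlgorithms lines of FILE for
# whitespace inside the list (it splits the list into two arguments),
# duplicate entries, and WEAK entries. Returns 1 if anything was reported.
lint_algos() {
    awk -v weak="$WEAK" '
        BEGIN { n = split(weak, w, " "); for (i = 1; i <= n; i++) isweak[w[i]] = 1 }
        tolower($1) ~ /^(ciphers|macs|kexalgorithms)$/ {
            if (NF > 2) {
                printf "%s line %d: whitespace splits the list after \"%s\"\n", $1, NR, $2
                found++
            }
            list = $0
            sub(/^[ \t]*[^ \t]+[ \t]+/, "", list)   # drop the keyword
            gsub(/[ \t]/, "", list)                  # join the pieces back together
            m = split(list, a, ",")
            split("", seen)                          # reset the duplicate tracker per line
            for (i = 1; i <= m; i++) {
                if (a[i] == "") continue
                if (seen[a[i]]++) { printf "%s line %d: duplicate %s\n", $1, NR, a[i]; found++ }
                else if (a[i] in isweak) { printf "%s line %d: weak %s\n", $1, NR, a[i]; found++ }
            }
        }
        END { exit (found > 0) }
    ' "$1"
}

# Constructed sample input, not taken from a real server.
sample_algos=$(mktemp)
cat > "$sample_algos" <<'EOF'
Ciphers aes128-ctr,aes256-ctr, chacha20-poly1305@openssh.com,aes128-ctr
MACs hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
EOF
lint_algos "$sample_algos" || echo "findings present"
```

On RHEL 8, sshd also receives algorithm lists from the system-wide crypto policy on its command line, and those take precedence over these keywords in sshd_config unless the CRYPTO_POLICY= line in /etc/sysconfig/sshd is uncommented.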
8. How to Add Banner in ssh.
[root@server ~]# vim /etc/ssh/sshd_config ( Change below Line )
#Banner none
to
Banner /etc/issue
[root@server ~]# vim /etc/issue
Authorized uses only. All activity may be monitored and reported
[root@server ~]# systemctl restart sshd
[root@Client ~]# ssh raju@192.168.122.228
Authorized uses only. All activity may be monitored and reported
raju@192.168.122.228's password:
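A check for the values set in steps 1, 3, 4 and 8, as an added example that is not part of the original post: sshd keeps the first value it obtains for each keyword, so a line appended below an earlier uncommented one has no effect. The function names and the sample file are constructed for illustration; Include files and Match blocks are not evaluated.

```shell
# effective_setting KEYWORD FILE
# Print the value sshd would take for KEYWORD from the global part of FILE.
# Keywords are case-insensitive; parsing here stops at the first Match block.
effective_setting() {
    awk -v want="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # comment or blank line
        { key = tolower($1) }
        key == "match" { exit }                 # conditional section starts
        key == want {
            sub(/^[ \t]*[^ \t]+[ \t]+/, "")     # drop the keyword
            sub(/[ \t]+$/, "")                  # drop trailing whitespace
            print; exit                         # first value wins
        }
    ' "$2"
}

# audit_sshd FILE: compare effective values with the ones set on this page.
# Returns the number of mismatches.
audit_sshd() {
    file=$1; bad=0
    while read -r kw want; do
        got=$(effective_setting "$kw" "$file")
        if [ "$got" = "$want" ]; then
            echo "OK    $kw $got"
        else
            echo "DIFF  $kw is '${got:-unset}', expected '$want'"
            bad=$((bad + 1))
        fi
    done <<'EOF'
Port 2022
PermitRootLogin no
X11Forwarding yes
Banner /etc/issue
EOF
    return "$bad"
}

# Constructed sample: "PermitRootLogin no" was appended at the end, but an
# earlier uncommented line already set it to yes.
sample_cfg=$(mktemp)
cat > "$sample_cfg" <<'EOF'
#Port 22
Port 2022
PermitRootLogin yes
X11Forwarding yes
Banner /etc/issue
PermitRootLogin no
EOF
audit_sshd "$sample_cfg" || echo "mismatches: $?"
```

Before `systemctl restart sshd`, `sshd -t` checks the file for syntax errors. For the port change in step 1, a host with SELinux enforcing or firewalld running also needs port 2022 allowed there, for example with `semanage port -a -t ssh_port_t -p tcp 2022` and `firewall-cmd --permanent --add-port=2022/tcp` followed by `firewall-cmd --reload`.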