From MEPIS Documentation Wiki
You can secure SSH by following these steps:
Allow only specific IP addresses to connect to your computer
Allow only specific remote addresses, for example those on your LAN. These two files are read by TCP wrappers (see hosts_access(5)), so they only take effect if your sshd is built against libwrap; upstream OpenSSH dropped that support in version 6.7, and a build without it silently ignores both files. Check with "ldd /usr/sbin/sshd | grep libwrap", and if nothing is printed use your firewall or a Match Address block in /etc/ssh/sshd_config instead. For example, to allow every address in the 192.168.0.x range to connect but nothing else, edit /etc/hosts.allow and add this line:
Then deny everything else in /etc/hosts.deny by adding this line:
If you can't restrict access by address (you need to connect from arbitrary computers on different networks), it is highly recommended to install fail2ban. It watches the authentication log and bans IP addresses that cause repeated authentication failures, by default with a firewall rule; it can also be configured to add them to /etc/hosts.deny, which only helps if your sshd honours TCP wrappers.
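The address restriction above, as an added example that is not from the MEPIS wiki: it stages the two TCP-wrappers files in a scratch directory and uses a small matcher to show which client addresses they admit. The scratch directory ($STAGE) and the file names are assumptions for the demo; on a real system the files are /etc/hosts.allow and /etc/hosts.deny.

```shell
#!/bin/sh
# Added example (not from the MEPIS wiki). Stages the two TCP-wrappers files
# from this section in a scratch directory and checks which client addresses
# they admit. $STAGE and the file names are assumptions for the demo; on a
# real system the files are /etc/hosts.allow and /etc/hosts.deny.
set -eu
STAGE="${STAGE:-$(mktemp -d)}"

write_tcpwrappers_files() {
    # hosts.allow: a trailing dot turns "192.168.0." into a network prefix
    printf 'sshd: 192.168.0.\n' > "$STAGE/hosts.allow"
    # hosts.deny: anything not already matched in hosts.allow is refused
    printf 'sshd: ALL\n' > "$STAGE/hosts.deny"
}

# _tcpwrap_match <ip> <file>: 0 if some "sshd:" or "ALL:" line in <file>
# matches <ip>. Implements only the hosts_access(5) subset used on this page:
# ALL, an exact address, and a prefix ending in a dot. No EXCEPT, no netmasks.
_tcpwrap_match() {
    want=$1; file=$2
    [ -f "$file" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        daemons=$(printf '%s' "${line%%:*}" | tr -d ' \t')
        case $daemons in sshd|ALL) ;; *) continue ;; esac
        for pat in $(printf '%s' "${line#*:}" | tr ',' ' '); do
            case $pat in
                ALL) return 0 ;;
                *.)  case $want in "$pat"*) return 0 ;; esac ;;
                *)   [ "$want" = "$pat" ] && return 0 ;;
            esac
        done
    done < "$file"
    return 1
}

# sshd_permits <client-ip>: 0 if sshd would accept the connection, 1 if not.
# tcp_wrappers order: a hosts.allow match wins, then hosts.deny is consulted,
# and a client matched by neither file is allowed.
sshd_permits() {
    if _tcpwrap_match "$1" "$STAGE/hosts.allow"; then return 0; fi
    if _tcpwrap_match "$1" "$STAGE/hosts.deny"; then return 1; fi
    return 0
}

write_tcpwrappers_files
for client in 192.168.0.10 192.168.10.5 10.0.0.5; do
    if sshd_permits "$client"; then echo "$client: allowed"; else echo "$client: denied"; fi
done
```

Note that 192.168.10.5 is refused: "192.168.0." is a literal prefix, so it does not cover 192.168.10.x. The last rule in sshd_permits (no match in either file means allow) is why the hosts.deny line matters: without it every address outside the LAN would still get in.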
Allow only specific users to connect to your computer
Very important! Don't allow root logins. Attackers guess root first because it exists on every system; log in as an ordinary user and use su or sudo instead. Set in /etc/ssh/sshd_config:
You can also restrict the server to a named set of users, so that every other account is refused regardless of its password. In /etc/ssh/sshd_config add:
Set maximum number of tries
With this option (MaxAuthTries in /etc/ssh/sshd_config, default 6) you can cap the number of authentication attempts allowed on one connection. This slows password guessing but does not eliminate it, because an attacker can simply open a new connection after each refusal, so combine it with fail2ban. It also does nothing against denial of service: an attacker can still flood the server with connection attempts, which is limited separately by the MaxStartups setting.
Other security enhancements
- Look for the Protocol entry and remove 1, so that only the SSH-2 protocol is allowed (SSH-1 has known cryptographic weaknesses). OpenSSH 7.4 and later no longer support protocol 1 on the server at all and treat the Protocol directive as obsolete, so this step only matters on older installations:
- Run sshd on an alternate port. Edit /etc/ssh/sshd_config and change the line "Port 22" to an unused port (the syntax is keyword, space, value, e.g. "Port 2222", not "Port = 22"). This does not stop a determined attacker, since a port scan finds the service anyway, but it removes most of the automated scanning noise from your logs. You need to specify the new port when you connect, like this:
ssh hostname -p portnumber
Don't forget to unblock the new port in your firewall configuration, and keep your current session open until you have confirmed that a fresh login on the new port works.
- Install the denyhosts or fail2ban package; these programs monitor SSH login attempts in the logs and ban IP addresses that try to brute force your accounts. Of the two, fail2ban is the one still actively maintained.
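The sshd_config changes from the sections above (root login, user whitelist, maximum tries, protocol and port), collected into one added example that is not from the MEPIS wiki. It writes a "before" and an "after" configuration to a scratch directory and audits any sshd_config against them. The scratch directory ($STAGE), the sample file names, the user names alice and bob, and port 2222 are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the MEPIS wiki). Writes a "before" and an "after"
# sshd_config to a scratch directory and audits any sshd_config against the
# settings recommended on this page. $STAGE, the sample file names, the user
# names and the port number are assumptions for the demo.
set -eu
STAGE="${STAGE:-$(mktemp -d)}"

# Constructed "before": the stock values this page tells you to change.
write_weak_config() {
    cat > "$STAGE/sshd_config.weak" <<'EOF'
# constructed sample: stock defaults
Protocol 2,1
Port 22
PermitRootLogin yes
EOF
}

# Constructed "after": every recommendation on this page applied.
# Note the "Port 2222" syntax (keyword, space, value); "Port = 22" is invalid.
write_hardened_config() {
    cat > "$STAGE/sshd_config.hardened" <<'EOF'
# constructed sample: hardened
Protocol 2
Port 2222
PermitRootLogin no
AllowUsers alice bob
MaxAuthTries 3
EOF
}

# sshd_get <file> <keyword>: print the effective value of <keyword>. sshd uses
# the FIRST uncommented occurrence and keywords are case-insensitive, so a
# second "PermitRootLogin yes" further down is ignored by sshd and ignored
# here too. Stops at the first Match block (conditional settings are out of
# scope). Prints nothing when the keyword is unset.
sshd_get() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == key     { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

_fail() { printf 'FAIL %s: %s\n' "$cfg" "$1"; rc=1; }

# audit_sshd_config <file>: print one FAIL line per unmet recommendation;
# return 0 only if every check passes.
audit_sshd_config() {
    cfg=$1; rc=0
    v=$(sshd_get "$cfg" PermitRootLogin)
    [ "$v" = "no" ] || _fail "PermitRootLogin is '${v:-unset}', want no"
    v=$(sshd_get "$cfg" Protocol)
    case ",$v," in *,1,*) _fail "Protocol still offers SSH-1: '$v'" ;; esac
    v=$(sshd_get "$cfg" Port)
    [ "${v:-22}" != 22 ] || _fail "sshd listens on the default port 22"
    v=$(sshd_get "$cfg" AllowUsers)
    [ -n "$v" ] || _fail "no AllowUsers restriction"
    v=$(sshd_get "$cfg" MaxAuthTries)
    [ -n "$v" ] && [ "$v" -le 3 ] || _fail "MaxAuthTries is '${v:-unset (default 6)}', want 3 or fewer"
    return "$rc"
}

write_weak_config
write_hardened_config
if audit_sshd_config "$STAGE/sshd_config.weak"; then echo "weak config passes"; else echo "weak config needs work"; fi
if audit_sshd_config "$STAGE/sshd_config.hardened"; then echo "hardened config passes"; fi
```

On a live host run audit_sshd_config /etc/ssh/sshd_config. After editing the real file, "sshd -t" checks the syntax before you restart the service, and "sshd -T" (as root) prints the values sshd will actually use, including defaults for keywords you did not set, which is the authoritative way to confirm that PermitRootLogin, AllowUsers and MaxAuthTries took effect.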