Configuring an OpenSSH Server
Configuring an OpenSSH server using CentOS 6.4
Install a minimal CentOS ISO on the server. The following needs to be installed: openssh, logwatch, fail2ban, semanage and sendmail. OpenSSH, logwatch and sendmail are easy to install:
yum -y install openssh sendmail
For SELinux/semanage:
yum whatprovides /usr/sbin/semanage
yum -y install policycoreutils-python
semanage port -a -t ssh_port_t -p tcp 62
semanage port -l | grep ssh    # confirm that port 62 is now labelled ssh_port_t
For fail2ban install and configuration go to page
For logwatch install and configuration go to page
useradd you
passwd you
Generate SSH keys for yourself and test them before proceeding. For SSH key generation go to page
vim /etc/ssh/sshd_config
The following is what the sshd_config file should look like; change it to suit your environment. Only the uncommented lines are active; the commented ones are the stock defaults left in place for reference:
# $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

Port 62
AddressFamily inet
#ListenAddress 0.0.0.0
#ListenAddress ::

# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin no
StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys
#AuthorizedKeysCommand none
#AuthorizedKeysCommandRunAs nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
PermitEmptyPasswords no
#PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
UsePAM yes

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

#AllowAgentForwarding yes
AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
ClientAliveInterval 300
ClientAliveCountMax 0
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none

# no default banner path
Banner /etc/ssh/banner_message

# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	ForceCommand cvs server

AllowUsers tdemers
HostBasedAuthentication no
service sshd restart
Then, you're done!
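A way to check that the hardened settings above actually took effect, as an added example that is not part of the original page. It assumes only POSIX sh and awk; the sample config and the set of checked keywords are constructed here, and the awk parser applies sshd's own rule that the first value read for a keyword wins.

```shell
# Added example, not part of the original page: audit an sshd_config for the
# settings this page hardens. sshd keeps the FIRST value it reads for each
# keyword (case-insensitive), so the parser mimics that and stops at the first
# Match block. On a live host, `sshd -T` prints the effective configuration.
# Print the effective value of one keyword (lower-cased); nothing if unset.
sshd_effective() {
    file=$1 key=$2
    awk -v key="$(printf '%s' "$key" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF < 2 { next }                   # comments, blank lines
        tolower($1) == "match" { exit }                 # conditional section
        tolower($1) == key { print tolower($2); exit }  # first occurrence wins
    ' "$file"
}
# Compare the effective settings with this page's choices; print one line per
# mismatch and return the mismatch count. ClientAliveCountMax is left out: with
# 0, this page's OpenSSH 5.3 drops an idle client after one interval, whereas
# OpenSSH 8.2 and later treat 0 as "never disconnect".
audit_sshd_config() {
    file=$1 bad=0
    for pair in Port=62 Protocol=2 PermitRootLogin=no PasswordAuthentication=no \
            PermitEmptyPasswords=no ChallengeResponseAuthentication=no \
            PubkeyAuthentication=yes IgnoreRhosts=yes ClientAliveInterval=300; do
        key=${pair%%=*} want=${pair#*=}
        got=$(sshd_effective "$file" "$key")
        if [ "$got" != "$want" ]; then
            echo "$key: expected '$want', got '${got:-unset}'"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}
# Constructed sample: Port was left commented out, and the second
# PermitRootLogin line is ignored because the first one wins.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
#Port 62
Protocol 2
PermitRootLogin no
PermitRootLogin yes
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
IgnoreRhosts yes
ClientAliveInterval 300
Match User anoncvs
    PasswordAuthentication yes
EOF
audit_sshd_config "$SAMPLE" || echo "$? setting(s) differ from the baseline"
```

Run it against /etc/ssh/sshd_config after the restart; a clean run prints nothing and exits 0.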
Some notes on the rationale behind the way I configure the sshd_config file:

I set ClientAliveInterval to 300 (seconds, i.e. 5 minutes) because this machine is used as a portal. No work or anything else should be done on this machine by any user; 5 minutes is ample time to ssh on into the cluster. ClientAliveCountMax specifies the number of client-alive messages sshd will send without receiving any reply from the client. I set this to 0 because I did not think that this was a necessary thing to enable.

I set IgnoreRhosts to yes because this disables the .rhosts and .shosts files, which closes a potential backdoor.

The Banner variable specifies the file containing the message printed when a user attempts to access the server. I set Banner to the file /etc/ssh/banner_message. This file (which I created) contains:

If you are experiencing problems accessing this server please send an email to: access.bkslab@gmail.com
Feel free to change this message to whatever you feel is appropriate.
Some other notes: In the sshd_config file, AllowUsers takes precedence over AllowGroups. Also, if you have both defined in sshd_config, the users on the AllowUsers line must also be members of the group specified in AllowGroups. I decided to add a group rather than list specific users on the AllowUsers line because the list was getting hard to maintain. Here is what I did:
groupadd -r sshUsers             # -r because this is a system group
usermod -a -G sshUsers username  # adds the user to the sshUsers group
Then I added in the sshd_config file the following line:
AllowGroups sshUsers
and deleted the line:
AllowUsers
Then restart sshd:
service sshd restart
To remove a user from the group:
gpasswd -d username sshUsers
To see a list of all the users in a group:
grep sshUsers /etc/group
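The grep above answers the question approximately; the following added example (not from the original page) lists exactly the accounts an AllowGroups sshUsers line would admit. It assumes POSIX sh and awk, and the sample group and passwd files, user names and GIDs are constructed for the demonstration.

```shell
# Added example, not part of the original page: list every account that an
# "AllowGroups sshUsers" line would accept. Grepping /etc/group has two gaps:
# it also matches groups whose names merely contain "sshUsers", and it misses
# users whose PRIMARY group (the GID field in /etc/passwd) is sshUsers, since
# those are not listed in the /etc/group member field at all.
# Usage: members_of_group GROUP [GROUP_FILE] [PASSWD_FILE]; the optional file
# arguments let it run against the constructed sample instead of the live host.
members_of_group() {
    group=$1 group_file=${2:-/etc/group} passwd_file=${3:-/etc/passwd}
    # exact name match, not a substring match
    gid=$(awk -F: -v g="$group" '$1 == g { print $3 }' "$group_file")
    [ -n "$gid" ] || { echo "no such group: $group" >&2; return 1; }
    {
        # supplementary members: the comma-separated fourth field of /etc/group
        awk -F: -v g="$group" '$1 == g { n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' "$group_file"
        # primary members: accounts whose passwd GID field is this group
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$passwd_file"
    } | sort -u
}
# Constructed sample files: alice and carol are supplementary members, bob has
# sshUsers as primary group, and dave belongs only to the decoy group sshUsers2.
GROUP_FILE=$(mktemp) PASSWD_FILE=$(mktemp)
cat > "$GROUP_FILE" <<'EOF'
root:x:0:
sshUsers:x:499:alice,carol
sshUsers2:x:498:dave
EOF
cat > "$PASSWD_FILE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:500:500::/home/alice:/bin/bash
bob:x:501:499::/home/bob:/bin/bash
carol:x:502:502::/home/carol:/bin/bash
dave:x:503:503::/home/dave:/bin/bash
EOF
members_of_group sshUsers "$GROUP_FILE" "$PASSWD_FILE"   # alice, bob, carol
```

On the live host, call it with just the group name to read /etc/group and /etc/passwd.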