
# Making SSHD Useless: A Guide to Locking Down SSH


There may come a time when you need to keep the SSH daemon (sshd) installed on a Linux server but ensure it’s virtually inoperative. This guide elaborates on configuring sshd to become non-functional for typical usage scenarios, fulfilling requirements for heightened security, compliance, or simply for an experimental setup.

## Purpose Behind Disabling SSHD

The rationale for rendering sshd non-functional ranges from security protocols to educational purposes:

## Step-by-Step: Configuring SSHD to Be Non-Functional

Each directive below disables one piece of sshd functionality. Pasting the command into your terminal overwrites /etc/ssh/sshd_config, so keep a copy of the existing file first:

```bash
# Comments sit on their own lines: older OpenSSH releases do not reliably accept a comment after a directive.
echo '# SSHD Configuration to Render SSH Useless
# Disables root user login for added security.
PermitRootLogin no
# Turns off password-based login, requiring keys which we also disable.
PasswordAuthentication no
# Disables public key authentication, ensuring no login methods are available.
PubkeyAuthentication no
# Deactivates challenge-response authentications like OTPs.
ChallengeResponseAuthentication no
# Disables Pluggable Authentication Modules, further restricting login methods.
UsePAM no
# Prevents the Message of the Day from being printed after login.
PrintMotd no
# Specifies which environment variables are accepted, minimizing customization.
AcceptEnv LANG LC_*
# Attempts to disable SFTP by assigning an ineffective binary.
Subsystem sftp /bin/false
# Prohibits TCP port forwarding, a method for secure data transmission.
AllowTcpForwarding no
# Turns off X11 forwarding, preventing GUI display forwarding.
X11Forwarding no
# Ensures that empty passwords are not permitted, a basic security measure.
PermitEmptyPasswords no
# Restricts users from setting environment variables via SSH.
PermitUserEnvironment no
# Disables forwarding of authentication agent connections.
AllowAgentForwarding no
# Disables tunneling, curtailing the setup of secure tunnels.
PermitTunnel no
# Prevents execution of user-specific configuration files during login.
PermitUserRC no
# Changes the listening port to an unconventional number for obfuscation.
Port 4592
' | sudo tee /etc/ssh/sshd_config >/dev/null
```

Implementing these settings makes sshd extremely restrictive, effectively disabling its primary functions.

## Applying the Configuration

After configuring, apply the changes by restarting sshd:

```bash
sudo systemctl restart sshd
```

## Verifying the Configuration

To ensure the SSH service is now non-functional by design, attempt to initiate an SSH connection:

```bash
ssh -p 4592 user@yourserver
```

Replace user@yourserver with your actual server details. The connection should be unsuccessful, indicating your sshd service is now as restrictive as intended, thereby serving its purpose of being “useless” for standard operations while still being active.
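A static check to go with the connection test, as an added example that is not part of the original guide: the function `enabled_auth_methods` (a name chosen here) reads a flat sshd_config and lists the authentication methods still switched on, applying OpenSSH's defaults for keywords the file omits and its rule that the first value obtained for a keyword wins. The sample file is constructed.

```bash
#!/bin/sh
# Added example: list the authentication methods a flat sshd_config leaves on.
# Assumptions: no Include files; only the global section (before any Match).
enabled_auth_methods() {
    awk '
    BEGIN {
        # OpenSSH defaults, applied when the file never sets the keyword
        n = split("password pubkey kbdinteractive hostbased gssapi", name, " ")
        split("yes yes yes no no", dflt, " ")
        for (i = 1; i <= n; i++) def[name[i]] = dflt[i]
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }       # comment or blank line
    {
        sub(/[ \t]*=[ \t]*/, " ")           # "Keyword=value" is also valid
        key = tolower($1); val = tolower($2)
        if (key == "match") exit            # conditional blocks start here
        if (!sub(/authentication$/, "", key)) next
        # ChallengeResponseAuthentication is the deprecated alias
        if (key == "challengeresponse") key = "kbdinteractive"
        # sshd uses the first value it obtains for each keyword
        if ((key in def) && !(key in seen)) seen[key] = val
    }
    END {
        out = ""
        for (i = 1; i <= n; i++) {
            k = name[i]
            v = (k in seen) ? seen[k] : def[k]
            if (v != "no") out = out (out == "" ? "" : " ") k
        }
        print out
    }' "$1"
}

# Constructed sample: the guide's three auth lines plus a later override,
# which sshd ignores because the first PubkeyAuthentication value wins.
sample=$(mktemp)
printf '%s\n' 'PasswordAuthentication no   # trailing comment' \
    'PubkeyAuthentication no' 'ChallengeResponseAuthentication no' \
    'PubkeyAuthentication yes' > "$sample"
left=$(enabled_auth_methods "$sample")
echo "still enabled: ${left:-none}"
rm -f "$sample"
```

On the server itself, `sudo sshd -T` prints the effective configuration, which also accounts for Include files.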



Created on: Aug 3, 2024

