SSH: pre/post-banner, change the default port, allow/disallow users, groups, IPs, and networks
In this article, we will look at how to add pre- and post-login banners to SSH, disable root login, and apply other useful settings for securing SSH on Ubuntu Linux.
Pre-banner and post-Banner
Disable root user SSH
Change the default SSH port in Ubuntu
Allow/Deny Access to selected users and groups
Allow/Deny Selected IP Addresses Or Networks
Pre-banner
A pre-banner is a message or image that is displayed before the login prompt in a system. It can be used to provide information or announcements to users before they log in.
# move to the location of ssh config
cd /etc/ssh
# create a file for the pre-banner
sudo vim pre_banner.txt
 ____  ____  ____    ____    __    _  _  _  _  ____  ____ 
(  _ \(  _ \( ___)  (  _ \  /__\  ( \( )( \( )( ___)(  _ \
 )___/ )   / )__)    ) _ < /(__)\  )  (  )  (  )__)  )   /
(__)  (_)\_)(____)  (____/(__)(__)(_)\_)(_)\_)(____)(_)\_)
PS: use this website to generate the ASCII art:
https://patorjk.com/software/taag/#p=display&f=Bulbhead&t=Post%20Banner
To make sshd load this banner, we need to add a line to the sshd_config file:
sudo vim sshd_config
We added this line (use the full path to the file created above):
Banner /etc/ssh/pre_banner.txt
# restart the SSH service
sudo systemctl restart ssh
# now let's SSH in and see the banner
Post-Banner
A post-banner, also known as "message of the day" (motd), is a message or image that is displayed after a user has logged in to a system. It can be used to provide information or announcements to users after they have logged in.
# the content of this file is shown as the post-banner
# insert the content below for the demo
sudo vim /etc/motd
 ____  _____  ___  ____    ____    __    _  _  _  _  ____  ____ 
(  _ \(  _  )/ __)(_  _)  (  _ \  /__\  ( \( )( \( )( ___)(  _ \
 )___/ )(_)( \__ \  )(     ) _ < /(__)\  )  (  )  (  )__)  )   /
(__)  (_____)(___/ (__)   (____/(__)(__)(_)\_)(_)\_)(____)(_)\_)
# restart ssh service again
sudo systemctl restart ssh
# test with ssh again
Conclusion: you can see above the difference between
Both pre-banner and post-banner can be used to inform users of important updates, system maintenance, or security notices. Additionally, it can be used to show motivational quotes, company branding, and other information that the system administrator wants to convey to the users.
Disable root user SSH
By default, the root user is not allowed to SSH in.
If we want to disable it explicitly, or test root login for any reason, we first need to make sure that a password for the root user is set. If it is not, you can set it by following these steps:
# switch to root with sudo
sudo su
# set a password for root
passwd
# enter your new root password and confirm it
Now that the root password has been set, edit the sshd_config file, find the PermitRootLogin line, and set it to yes.
Note: With the root password set and the line PermitRootLogin yes in the sshd_config file, the root user can SSH to the machine (which is not recommended).
The point is that setting PermitRootLogin to no prevents the root user from logging in via SSH.
Change the default SSH port in Ubuntu
To change the default SSH port (22), edit the same config file:
sudo vim /etc/ssh/sshd_config
Make sure the port you are about to set is allowed through the firewall, if you have one enabled, and that it is not already used by another service.
Port 43
# restart the service
sudo systemctl restart ssh
# exit and test by SSHing in again, this time specifying the port you
# defined in the Port line of the sshd_config file
ssh usama@192.168.1.116 -p 43
Allow/Deny Access to selected users and groups
To allow access to specific users, open the SSH configuration file by running the command "sudo vim /etc/ssh/sshd_config" in the terminal.
Scroll to the end of the file and add the line "AllowUsers user1 user2 user3" (replace "user1 user2 user3" with the actual usernames of the users you want to allow access).
To deny access to specific users, locate the line "DenyUsers" and add the usernames of the users you want to deny access to, separated by spaces.
To allow or deny access to specific groups, locate the line "AllowGroups" or "DenyGroups" respectively and add the names of the groups you want to allow or deny access to, separated by spaces.
# create the user
sudo useradd -m rehman
# set password for rehman
sudo passwd rehman
# locate AllowUsers in the file /etc/ssh/sshd_config
sudo vim /etc/ssh/sshd_config
# disallow user rehman to ssh
Rehman is now unable to SSH in because we have added him to DenyUsers in the SSH config file.
Similarly, you can use AllowUsers, AllowGroups, and DenyGroups.
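When these directives are combined, sshd checks DenyUsers before AllowUsers and DenyGroups before AllowGroups, and once an Allow list exists everyone not on it is locked out. The following added example (not part of the original article) evaluates that logic over a constructed config fragment; the function names, the sshusers group and the admin account are assumptions, and USER@HOST patterns and Match blocks are not handled.

```python
from fnmatch import fnmatchcase

# Constructed sample sshd_config fragment; the sshusers group is an assumption.
SAMPLE_CONFIG = """\
# access rules
AllowUsers usama rehman
DenyUsers rehman
AllowGroups sshusers
"""

ACCESS_KEYWORDS = ("denyusers", "allowusers", "denygroups", "allowgroups")


def parse_access_rules(config_text):
    """Collect patterns for the four directives (keywords are case-insensitive)."""
    rules = {key: [] for key in ACCESS_KEYWORDS}
    for raw in config_text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        keyword = words[0].lower()
        if keyword == "match":
            break  # simplification: only the global section is evaluated
        if keyword in rules:
            rules[keyword].extend(words[1:])  # repeated lines accumulate
    return rules


def _matches(patterns, names):
    # fnmatchcase approximates sshd's case-sensitive '*' and '?' wildcards
    return any(fnmatchcase(name, pat) for pat in patterns for name in names)


def ssh_access(config_text, user, groups=()):
    """Return (allowed, reason), checking deny before allow, users before groups."""
    rules = parse_access_rules(config_text)
    if _matches(rules["denyusers"], [user]):
        return False, "DenyUsers"
    if rules["allowusers"] and not _matches(rules["allowusers"], [user]):
        return False, "not in AllowUsers"
    if _matches(rules["denygroups"], groups):
        return False, "DenyGroups"
    if rules["allowgroups"] and not _matches(rules["allowgroups"], groups):
        return False, "not in AllowGroups"
    return True, "allowed"


if __name__ == "__main__":
    for name in ("usama", "rehman", "admin"):
        print(name, ssh_access(SAMPLE_CONFIG, name, ["sshusers"]))
```

Running a check like this against a draft config before restarting the service shows whether your own admin account would still be allowed in.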
Allow/Deny Selected IP Addresses Or Networks
To allow or deny access from a certain IP or network, we can add entries to the /etc/hosts.allow or /etc/hosts.deny file respectively.
In the above file we deny the sshd service access from IP address 192.168.1.108. Similarly, we can allow or deny a whole network; with the syntax below we allow or deny all IP addresses from network 33.33.33.0.
For a network:
sshd:33.33.33.0/subnet