SSH: Pre/Post-Banner, Change the Default Port, Allow/Disallow Users, Groups, IPs, and Networks

In this article, we will look at how to add pre- and post-banners to SSH, disable root login, and apply other useful settings for securing your Ubuntu Linux machine.

  1. Pre-banner and post-Banner

  2. Disable root user SSH

  3. Change the default SSH port in Ubuntu

  4. Allow/Deny Access to selected users and groups

  5. Allow/Deny Selected IP Addresses Or Networks

Pre-banner

A pre-banner is a message or image that is displayed before the login prompt in a system. It can be used to provide information or announcements to users before they log in.

# move to the location of ssh config
cd /etc/ssh
# create a file for the pre-banner
vim pre_banner.txt
 ____  ____  ____    ____    __    _  _  _  _  ____  ____ 
(  _ \(  _ \( ___)  (  _ \  /__\  ( \( )( \( )( ___)(  _ \
 )___/ )   / )__)    ) _ < /(__)\  )  (  )  (  )__)  )   /
(__)  (_)\_)(____)  (____/(__)(__)(_)\_)(_)\_)(____)(_)\_)

PS: you can use this website to generate the ASCII art:

https://patorjk.com/software/taag/#p=display&f=Bulbhead&t=Post%20Banner

Now, to let SSH load this banner, we need to add a line to the sshd_config file:

vim sshd_config

We added the line:

Banner /etc/ssh/pre_banner.txt
# restart the SSH service
sudo systemctl restart ssh
# now let's SSH in and see

Post-Banner

A post-banner, also known as "message of the day" (motd), is a message or image that is displayed after a user has logged in to a system. It can be used to provide information or announcements to users after they have logged in.

# the content of this file will be the content of the post-banner
# insert the content below for the demo
vim /etc/motd
 ____  _____  ___  ____    ____    __    _  _  _  _  ____  ____ 
(  _ \(  _  )/ __)(_  _)  (  _ \  /__\  ( \( )( \( )( ___)(  _ \
 )___/ )(_)( \__ \  )(     ) _ < /(__)\  )  (  )  (  )__)  )   /
(__)  (_____)(___/ (__)   (____/(__)(__)(_)\_)(_)\_)(____)(_)\_)
# restart ssh service again
sudo systemctl restart ssh
# test with ssh again

Conclusion: you can see above the difference between

Both pre-banner and post-banner can be used to inform users of important updates, system maintenance, or security notices. Additionally, it can be used to show motivational quotes, company branding, and other information that the system administrator wants to convey to the users.

Disable root user SSH

By default, the root user is not allowed to SSH.

But if we want to disable it explicitly, or to test it by logging in for any reason, first make sure that a password for the root user is already set. If not, you can set it by following these steps:

# switch to root with sudo
sudo su
# set a password for root
passwd
# enter your new root password and confirm it

Now that your root password has been set, edit the sshd_config file, find the PermitRootLogin line and set it to yes.

Note: Having the root password set and the line PermitRootLogin yes in the sshd_config file means the root user can SSH to the machine (which is not recommended).

You get the point: no prevents the root user from logging in via SSH.

Change the default SSH port in Ubuntu

To change the default SSH port (22), edit the same config file:

sudo vim /etc/ssh/sshd_config

If you have enabled the firewall, make sure the port you are about to set is allowed by it, and also make sure the port is not used by another service.

Port 43
#restart the service
sudo systemctl restart ssh
# exit and test by ssh again this time specify the port you 
# define in the sshd_config file in Port line
ssh usama@192.168.1.116 -p 43
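
A check for the root-login and port settings above, as an added example that is not part of the original article: sshd uses the first value it reads for single-valued keywords such as PermitRootLogin and Banner, while every Port line adds a listening port. The sample config text and the function names are constructed for illustration, and Include files and Match blocks are not handled.

```shell
# Constructed sshd_config text (not from a real host): the article's settings
# were appended, but earlier lines were left uncommented.
SAMPLE_SSHD_CONFIG='Port 22
PermitRootLogin yes
Banner /etc/ssh/pre_banner.txt
# settings appended later
Port 43
PermitRootLogin no
'

# Print each value given for a keyword, in file order (case-insensitive).
values_of() {  # $1=keyword  $2=config text
  printf '%s\n' "$2" | awk -v k="$1" 'tolower($1) == tolower(k) { print $2 }'
}

# Report what sshd ends up using for the settings covered so far.
audit_sshd_config() {  # $1=config text
  cfg=$1
  # Single-valued keywords: the first value obtained is used.
  for key in PermitRootLogin Banner; do
    first=$(values_of "$key" "$cfg" | awk 'NR == 1')
    count=$(values_of "$key" "$cfg" | awk 'END { print NR }')
    if [ -n "$first" ]; then echo "$key effective=$first"; fi
    if [ "$count" -gt 1 ]; then
      echo "WARN $key set $count times, only the first is used"
    fi
    if [ "$key" = PermitRootLogin ] && [ "$first" = yes ]; then
      echo "WARN root can log in over SSH"
    fi
  done
  # Port is multi-valued: every Port line adds a listening port.
  ports=$(values_of Port "$cfg" | tr '\n' ' ')
  echo "Port listening=${ports% }"
  case " $ports" in *" 22 "*) echo "WARN port 22 is still open" ;; esac
  return 0
}

audit_sshd_config "$SAMPLE_SSHD_CONFIG"
```

On a real host, `sudo sshd -t` checks the file for syntax errors before you restart the service, and `sudo sshd -T` prints the effective configuration.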

Allow/Deny Access to selected users and groups

  1. To allow access to specific users, open the SSH configuration file by running the command "sudo vim /etc/ssh/sshd_config" in the terminal.

  2. Scroll to the end of the file and add the line "AllowUsers user1 user2 user3" (replace "user1 user2 user3" with the actual usernames of the users you want to allow access)

  3. To deny access to specific users, locate the line "DenyUsers" and add the usernames of the users you want to deny access to, separated by spaces.

  4. To allow or deny access to specific groups, locate the line "AllowGroups" or "DenyGroups" respectively and add the names of the groups you want to allow or deny access to, separated by spaces.

#creating user
sudo useradd -m rehman
# set password for rehman
sudo passwd rehman
# locate AllowUsers in the file /etc/ssh/sshd_config
sudo vim /etc/ssh/sshd_config
# disallow user rehman to ssh

Look, rehman is now unable to SSH because we have added him to DenyUsers in the SSH config file.

Similarly, you can use AllowUsers, AllowGroups, and DenyGroups.
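
How the four directives combine, as an added example that is not part of the original article: sshd checks DenyUsers, AllowUsers, DenyGroups and AllowGroups in that order, and a login must pass every check that is configured. The group name "sshusers", the user "alice" and the function names are hypothetical; patterns are limited to plain names and `*`/`?` wildcards, and USER@HOST forms, `!` negation and Match blocks are not handled.

```shell
# Constructed sample directives; "sshusers" and "alice" are hypothetical names.
SAMPLE_CONFIG='AllowUsers usama rehman
DenyUsers rehman
AllowGroups sshusers
'

# Print every argument of a keyword. Keywords are case-insensitive and
# repeated Allow*/Deny* lines accumulate.
directive_args() {  # $1=keyword  $2=config text
  printf '%s\n' "$2" | awk -v k="$1" '
    tolower($1) == tolower(k) { for (i = 2; i <= NF; i++) print $i }'
}

# Succeed if any name in $1 matches any pattern listed for keyword $2.
matches_any() {  # $1=space-separated names  $2=keyword  $3=config text
  set -f  # stop patterns such as "*" from expanding to file names
  for pat in $(directive_args "$2" "$3"); do
    for name in $1; do
      case "$name" in $pat) set +f; return 0 ;; esac
    done
  done
  set +f
  return 1
}

has_directive() { [ -n "$(directive_args "$1" "$2")" ]; }

# A login must pass all four checks, which sshd applies in this order:
# DenyUsers, AllowUsers, DenyGroups, AllowGroups.
ssh_login_allowed() {  # $1=user  $2="group1 group2"  $3=config text
  user=$1 grps=$2 cfg=$3
  if matches_any "$user" DenyUsers "$cfg"; then
    echo "deny: DenyUsers"; return 1; fi
  if has_directive AllowUsers "$cfg" && ! matches_any "$user" AllowUsers "$cfg"; then
    echo "deny: not in AllowUsers"; return 1; fi
  if matches_any "$grps" DenyGroups "$cfg"; then
    echo "deny: DenyGroups"; return 1; fi
  if has_directive AllowGroups "$cfg" && ! matches_any "$grps" AllowGroups "$cfg"; then
    echo "deny: not in AllowGroups"; return 1; fi
  echo "allow"
}

# rehman is listed in both AllowUsers and DenyUsers: the deny wins.
for u in usama rehman alice; do
  echo "$u: $(ssh_login_allowed "$u" "sshusers" "$SAMPLE_CONFIG" || true)"
done
```

Note that once AllowUsers is set, every user not listed is locked out, so confirm your own account is covered before restarting the service.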

Allow/Deny Selected IP Addresses Or Networks

To allow or deny access from a certain IP or network, we can add an entry to the /etc/hosts.allow or /etc/hosts.deny file respectively.

In the above file we deny sshd service access from IP address 192.168.1.108. Similarly, we can allow or deny a network by following the example below; with the syntax below we are allowing or denying all IP addresses from network 33.33.33.0.

# for a network
sshd:33.33.33.0/subnet
