Cloudron Forum
Securing SSH: disable password authentication

  • humptydumpty wrote (last edited by joseph) #1

    The docs don't match what I see in my sshd_config file.

    0ff10e75-729b-4a51-bad5-0240e624be38-image.png

    https://docs.cloudron.io/security/

    Should I uncomment PermitRootLogin prohibit-password ?

    • girish (Staff) wrote #2

      Good to know - https://man.openbsd.org/sshd_config#PermitRootLogin . It seems PermitRootLogin prohibit-password is the default, so you leave it as-is.

      • girish (Staff) wrote #3

        I made a mention of this new setting in the docs now.

        • humptydumpty wrote (last edited by humptydumpty) #4

          Follow-up questions/notes:

          • I need to uncomment (remove #) from each line I want to "activate", right?
          • I tried with without sudo but systemctl restart sshd returned something like "ssh_config not found" so I restarted the server instead.

          What I did was remove # from the beginning of the SSH port line and changed 22 to 202. It looks like it's working as I couldn't connect thru port 22 anymore. I'm not sure how to secure the rest. VPS installed Ubuntu images come installed with root by default. For my home servers, I set up my own username/password so the process isn't the same. It would be great if a guide/steps could be mentioned in the docs for us noobs.

          • matix131997 wrote (last edited by matix131997) #5

            I see you've added another post about it 😄

            If you want good security then set up as below. This is the way I use on all servers and where possible on the provider's external firewall I restrict the port on the VPN IP.

            PermitRootLogin prohibit-password
            PubkeyAuthentication yes
            PasswordAuthentication no
            KbdInteractiveAuthentication no
            UsePAM yes
            

            prohibit-password - This they started using from version 22.04 as a new security method.

            KbdInteractiveAuthentication is the newer line that replaces "ChallengeResponseAuthentication"

            Changing port 22 to 202 doesn't make the attack more secure, hackers have started scanning all ports that send back a header that SSH is running on that port.

            You have to uncomment the line to make it work.

            • humptydumpty wrote #6

              @matix131997 the exact post I'm looking for! Thank you!

              • matix131997 wrote (last edited by matix131997) #7

                In Ubuntu 24.04 the restart does not work with "systemctl restart sshd", but only with "systemctl restart ssh.service".

                • nebulonN nebulon marked this topic as a question on
                • nebulonN nebulon has marked this topic as solved on
                • humptydumptyH humptydumpty referenced this topic on
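
Added example, not part of any post in this thread and not Cloudron's own code: a shell function that checks sshd_config-style text against the five values listed in post #5. The names `audit_sshd` and `sample_config` and the sample file are constructed for illustration; the check follows sshd's first-value-wins rule, ignores commented lines and Match blocks, and maps the older names ChallengeResponseAuthentication and without-password.

```shell
#!/usr/bin/env bash
# Added example: audit sshd settings against the values listed in post #5.
# Reads sshd_config-style text on stdin (a config file, or `sshd -T` output).
# Returns 0 only when all five settings are present with the wanted value.
audit_sshd() {
  awk '
    BEGIN {
      want["permitrootlogin"]              = "prohibit-password"
      want["pubkeyauthentication"]         = "yes"
      want["passwordauthentication"]       = "no"
      want["kbdinteractiveauthentication"] = "no"
      want["usepam"]                       = "yes"
      n = split("permitrootlogin pubkeyauthentication passwordauthentication kbdinteractiveauthentication usepam", order, " ")
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }    # commented-out and blank lines are inactive
    {
      key = tolower($1); val = tolower($2)
      if (key == "match") { in_match = 1; next }  # Match blocks apply conditionally
      if (in_match) next
      if (key == "challengeresponseauthentication") key = "kbdinteractiveauthentication"
      if (key == "permitrootlogin" && val == "without-password") val = "prohibit-password"
      if ((key in want) && !(key in seen)) seen[key] = val   # first value wins
    }
    END {
      bad = 0
      for (i = 1; i <= n; i++) {
        k = order[i]
        if (!(k in seen))            { printf "%-5s %s (not set in this input)\n", "UNSET", k; bad++ }
        else if (seen[k] != want[k]) { printf "%-5s %s = %s (want %s)\n", "FAIL", k, seen[k], want[k]; bad++ }
        else                           printf "%-5s %s = %s\n", "OK", k, seen[k]
      }
      exit (bad > 0)
    }'
}

# Constructed sample: PermitRootLogin is still commented out, the old keyword
# name is used, and a later duplicate and a Match block try to re-enable passwords.
sample_config() {
  cat <<'EOF'
#PermitRootLogin prohibit-password
Port 202
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PasswordAuthentication yes
UsePAM yes
Match User backup
    PasswordAuthentication yes
EOF
}

sample_config | audit_sshd || echo "audit: not all five settings confirmed"
```

On a live host, `sudo sshd -T | audit_sshd` checks the effective configuration (Include files and built-in defaults resolved), and `sudo sshd -t` validates the file before the service is restarted as described in post #7.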