Trim Castle Moat

by Sean Munson

Two new-to-me techniques for keeping your server free from SSH brute force attacks by tuning up your /etc/ssh/sshd_config file.

I know that using IP address-based security is probably more secure, but I wanted to find a solution that could yield higher security without limiting IP addresses. I like to be able to access the machines I need to access without having to be at a specific location, or have a VPN, or SSH through a couple of machines before I can access the machine I need. I recognize those solutions are likely more secure, but I'm trying to avoid IP-based security restrictions if possible.

Stop people from attempting to log in as root

Add (or find and modify) this line:

    PermitRootLogin no

This simply doesn't allow people to log in directly to your box as the root user. Simple enough. Not letting people log in directly as root takes away one of the well-known usernames that people will attempt to log in as. This means that everyone who wants to gain root will first have to log in as another (more obscure) user on the system, which leads me to...

Only allow logins from specified users

Add (or find and modify) this line:

    AllowUsers username1 username2

This means that only these users are allowed to log in. Every other user cannot. This is handy because it rules out all the other user accounts created on the system, which probably don't, but might, currently have SSH access.
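An added example, not from the original post: a shell function that reads an sshd_config-style file and reports whether the two settings above are in effect globally. The function names and the sample config are constructed for illustration; it relies on sshd using the first value it reads for a keyword and appending repeated AllowUsers lines.

```shell
#!/bin/sh
# Added example (not from the original post): report the global PermitRootLogin
# and AllowUsers settings in an sshd_config-style file. Lines after the first
# Match keyword are conditional and skipped; Include files are not followed.
audit_sshd_config() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }            # comments and blank lines
        {
            line = $0; sub(/^[ \t]+/, "", line)
            if (!match(line, /^[A-Za-z]+/)) next
            key = tolower(substr(line, 1, RLENGTH))  # keywords are case-insensitive
            val = substr(line, RLENGTH + 1)
            sub(/^[ \t]*=?[ \t]*/, "", val)          # "Key value" or "Key=value"
            sub(/[ \t]+$/, "", val); gsub(/[ \t]+/, " ", val)
        }
        key == "match" { exit }                      # end of the global section
        # First value wins, so a later PermitRootLogin line changes nothing.
        key == "permitrootlogin" && root == "" { root = val }
        # Repeated AllowUsers lines are appended into one list.
        key == "allowusers" { users = users (users == "" ? "" : " ") val }
        END {
            print "PermitRootLogin=" (root == "" ? "(unset)" : root)
            print "AllowUsers=" (users == "" ? "(unset)" : users)
            ok = (root == "no" && users != "")
            exit (ok ? 0 : 1)
        }
    ' "$1"
}

# Constructed sample: "PermitRootLogin no" was appended below an existing
# "PermitRootLogin yes", so the edit has no effect.
write_sample_config() {
    cat > "$1" <<'EOF'
PermitRootLogin yes
AllowUsers username1
allowusers=username2
PermitRootLogin no
Match Address 192.0.2.0/24
    PermitRootLogin yes
EOF
}

sample=$(mktemp)
write_sample_config "$sample"
audit_sshd_config "$sample" || echo "FAIL: root login not disabled or AllowUsers missing"
rm -f "$sample"
```

On a live host, `sshd -t` checks the file for syntax errors before a reload and `sshd -T` prints the configuration the daemon would actually use.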

Neither of these techniques strikes me as a silver bullet solution, but, as I'm realizing, there are no silver bullet solutions in keeping a machine secure. So consider these two more possibilities for further guarding the machines. Like a moat around the castle walls.