A friend of mine recently had his web server cracked, assumedly through an OpenSSH exploit. So I figured it was a good time to jot down a few of the tips and tricks I have found over the years for locking down an SSH server.
First off, anyone who wants to lock down sshd should get cozy with the manual for sshd_config.
- Use a non-standard port.
- Passwordless logins only.
- Disallow root logins.
- Use SSHv2.
Usually the SSH server listens on port 22. You can thwart most port scans of your machine by running your services on non-standard ports. In the sshd_config file this is set with the Port directive. On the client side, specify the chosen port with the -p option.
A password is much more difficult to guess when it is a 1024-bit RSA key. So turn off PasswordAuthentication, and generate a key pair using the ssh-keygen tool. Running ssh-keygen -t rsa will generate two files in your $HOME/.ssh/ directory: id_rsa (private key) and id_rsa.pub (public key). Just copy your public key file to $HOME/.ssh/authorized_keys on the server you wish to log in to.
You will compound the difficulty of gaining root access on your box through ssh if you simply don’t allow root to log in through ssh. Turn off PermitRootLogin. Now if someone wants to gain root access through ssh on your machine they will have to get through all the above defenses and then guess your root password once on the box.
It is generally accepted that SSHv2 is a more secure protocol than SSHv1, and it is simple enough to only use version 2. Set Protocol to 2 only.
Those are the basics of locking down sshd through the config file. Another option, if you know you will only connect to your SSH server from a specific machine or subnet, is to drop all other packets at your firewall, but that’s a topic for another entry.
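To check that a config file really ends up with the four settings above, here is an added example (not part of the original post) that audits sshd_config text the way sshd reads it: the first value of a keyword wins, Port may repeat, and anything under a Match line is conditional. The function names and the sample config are assumptions made up for illustration.

```python
# Added example: audit sshd_config text for the four settings from the post.
# SAMPLE is a constructed config, not taken from a real server.
SAMPLE = """\
# constructed sample
Port 22
Port 2222
protocol 2
PasswordAuthentication no
PasswordAuthentication yes
Match User backup
    PermitRootLogin no
"""

def parse_global(text):
    """Collect directives that apply to every connection (before any Match)."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 1)
        key = fields[0].lower()          # keywords are case-insensitive
        if key == "match":
            break                        # everything after is conditional
        seen.setdefault(key, []).append(fields[1].strip() if len(fields) > 1 else "")
    return seen

def audit(text):
    """Return a list of findings; an empty list means all four checks pass."""
    cfg = parse_global(text)
    findings = []
    ports = cfg.get("port", [])
    if not ports:
        findings.append("port: not set, sshd listens on 22")
    elif "22" in ports:                  # Port may repeat; every value is opened
        findings.append("port: still listening on 22")
    for key, want in (("passwordauthentication", "no"),
                      ("permitrootlogin", "no"),
                      ("protocol", "2")):
        values = cfg.get(key)
        if not values:
            findings.append(f"{key}: not set globally")
        elif values[0].lower() != want:  # sshd uses the first value it reads
            findings.append(f"{key}: effective value {values[0]!r}, want {want!r}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

On the sample it reports the leftover Port 22 line and the PermitRootLogin that only applies inside the Match block. OpenSSH releases that no longer support SSHv1 do not need the Protocol line, so that finding can be ignored there.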
Thanks for the tips. There’s some really good info in there.
Passwordless logins aren’t a good idea. Rather, specify a password when creating your key.