Enhance SSH security on first boot

What steps can I include in a first boot script to enhance SSH security on my DietPi installation?
I want to make sure my SSH server is as secure as possible from the start, so that, e.g., I don’t need to change the port etc. every time.

I was wondering if any of you had already made such a script to apply hardening settings to SSH in the Automation_Custom_PreScript.sh file?
Please note: I’m using OpenSSH, not Dropbear. :disguised_face:

  1. change SSH port
  2. lock SSH login for user root
  3. use SSH keys instead of password login

Thanks for the update. I could see that if I use OpenSSH, I would need to add this to this file, right: /etc/ssh/sshd_config.d/dietpi.conf

I guess those are some of the settings you are referring to?

Would a script like this work:

```bash
#!/bin/bash

# Define the settings
settings="
PubkeyAuthentication yes
PasswordAuthentication no
UsePAM no
PermitRootLogin no
X11Forwarding no
Port XXXX
"

# Append the settings to the dietpi.conf file
echo "$settings" | sudo tee -a /etc/ssh/sshd_config.d/dietpi.conf > /dev/null
```

Edit: I already set the id_ed25519 key(s) with dietpi.txt
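
An added example, not code from the thread or from DietPi: sshd uses the first value it reads for most keywords and treats every extra `Port` line as an additional listener, so appending to a file that already sets one of these keywords may not change the effective setting. This variant replaces existing lines instead and validates with `sshd -t`. The function names and the `--apply PORT` argument are hypothetical, and it assumes the script runs as root and that dietpi.conf may already contain some of these keywords.

```shell
#!/bin/bash
# Added example (not from the thread): idempotent variant of the append approach.
# sshd keeps the first value it reads for most keywords, and each additional
# "Port" line adds a listener, so existing lines are removed before writing.

# set_option FILE KEYWORD VALUE: drop existing lines for KEYWORD, append the new one.
set_option() {
    local file="$1" key="$2" value="$3" tmp
    tmp=$(mktemp) || return 1
    touch "$file"
    # Keywords are case-insensitive; match "Key value" and "Key=value".
    grep -viE "^[[:space:]]*${key}([[:space:]=]|\$)" "$file" > "$tmp" || true
    printf '%s %s\n' "$key" "$value" >> "$tmp"
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# effective_value FILE KEYWORD: value sshd would take from FILE alone (first wins).
effective_value() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# harden_sshd FILE PORT: write the settings discussed in the thread to FILE.
harden_sshd() {
    local file="$1" port="$2"
    case "$port" in
        ''|*[!0-9]*|??????*) echo "invalid port: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2; return 1
    fi
    set_option "$file" PubkeyAuthentication yes &&
    set_option "$file" PasswordAuthentication no &&
    set_option "$file" UsePAM no &&
    set_option "$file" PermitRootLogin no &&
    set_option "$file" X11Forwarding no &&
    set_option "$file" Port "$port"
}

# Only touch the system when called as: script --apply PORT (assumes root).
if [ "${1:-}" = "--apply" ]; then
    harden_sshd /etc/ssh/sshd_config.d/dietpi.conf "${2:-}" || exit 1
    # Check the complete configuration before sshd is (re)started with it.
    sshd -t || { echo "sshd -t rejected the configuration" >&2; exit 1; }
fi
```

Running it a second time leaves the file unchanged, and a placeholder such as `XXXX` is rejected before anything is written.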