SSH Hardening

The Secure Shell (SSH) suite is one of those must-have tools for Linux administrators. It allows you to take care of Linux servers from the comfort of your cubicle, or even from the comfort of your own home. Either way, it's a lot better than having to don your parka and jump through security hoops to enter a cold server room. The "secure" in Secure Shell means that everything you either type or transfer gets encrypted. That eliminates the possibility of someone obtaining sensitive data by plugging a sniffer into your network.

By this stage in your Linux career, you should already know how to use Secure Shell, or SSH, to do remote logins and remote file transfers. What you may not know is that the default configuration of SSH is actually quite insecure. In this chapter, we'll look at how to harden the default configuration in various ways. We'll look at how to use encryption algorithms that are stronger than the default, how to set up passwordless authentication, and how to set up a jail for users of the Secure File Transfer Protocol (SFTP). As a bonus, we'll look at how to scan SSH servers to find vulnerable configurations and how to share a remote directory via Secure Shell Filesystem (SSHFS).

In this chapter, we'll cover the following topics:

  • Ensuring that SSH protocol 1 is disabled
  • Creating and managing keys for passwordless logins
  • Disabling root user login
  • Disabling username/password logins
  • Configuring Secure Shell with strong encryption algorithms
  • Setting system-wide encryption policies on RHEL 8/CentOS 8
  • FIPS mode on CentOS 8/Red Hat 8
  • Configuring more detailed logging
  • Access control with whitelists and TCP Wrappers
  • Configuring automatic logouts and security banners
  • Other miscellaneous security settings
  • Setting up different configurations for different hosts
  • Setting up different configurations for different users and groups
  • Scanning an SSH server
  • Setting up a chroot environment for SFTP users
  • Setting up shared directories with SSHFS
  • Remotely connecting from Windows desktops

So, if you're ready, let's get started.
