The Secure Shell daemon should be hardened to prevent unauthorized access before being put into production.
Verify that /etc/ssh/sshd_config contains the following lines and that they are not commented out.
- Protocol 2
- IgnoreRhosts yes
- HostbasedAuthentication no
- PermitRootLogin no
- Banner /etc/issue (See banner example below)
- PermitEmptyPasswords no
- AllowTcpForwarding no (unless needed)
- X11Forwarding no
- AllowUsers (Optional)
- DenyUsers (Optional)
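
One way to automate the check above, as an added example that is not part of the original checklist: a small Python audit that reports each required directive that is missing, commented out, or set to a different value. The names REQUIRED, SAMPLE, effective_settings and audit are assumptions made for this illustration, and the sample configuration is constructed.

```python
import re
# Checklist values from the list above (keywords lowercased; sshd ignores keyword case).
REQUIRED = {
    "protocol": "2", "ignorerhosts": "yes", "hostbasedauthentication": "no",
    "permitrootlogin": "no", "banner": "/etc/issue", "permitemptypasswords": "no",
    "allowtcpforwarding": "no", "x11forwarding": "no",
}

# Constructed sample config, not taken from a real host.
SAMPLE = """\
Protocol 2
IgnoreRhosts yes
HostbasedAuthentication no
#PermitRootLogin no
Banner = /etc/issue
PermitEmptyPasswords no
AllowTcpForwarding yes
X11Forwarding no
X11Forwarding yes
Match User backup
    PermitRootLogin no
"""

def effective_settings(text):
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented out: the directive is not active
        # Keyword and argument are separated by whitespace or a single '='.
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        keyword = parts[0].lower()
        if keyword == "match":
            break  # Match blocks apply conditionally; audit global settings only
        value = parts[1].strip('"') if len(parts) > 1 else ""
        settings.setdefault(keyword, value)  # sshd keeps the first value it reads
    return settings

def audit(text):
    active, findings = effective_settings(text), {}
    for keyword, expected in REQUIRED.items():
        got = active.get(keyword)
        if got is None:
            findings[keyword] = "missing or commented out"
        elif (got if keyword == "banner" else got.lower()) != expected:
            findings[keyword] = f"set to {got!r}, expected {expected!r}"
    return findings

if __name__ == "__main__":
    print("\n".join(f"{k}: {v}" for k, v in audit(SAMPLE).items()))
```

The audit reads only the global section of one file, so settings pulled in through Include files or overridden inside Match blocks still need a manual review. AllowTcpForwarding is reported whenever it is not "no", so a host that needs forwarding will show that finding by design.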