Good points on SSH control. Another option is port knockd. This completely shuts down or opens a port when you ping a few ports in sequence. Also, to eliminate the hassle of copying a public key all over the place is to use -A option for forwarding, this is useful when you have a cluster of systems and centralize your access to a single jump server.

The guidance given was lucid and highly informative, simplifying the process for easy comprehension. The accompanying KZbin video proved especially beneficial, offering a visual walk through of the steps. It's essential to mention, though, that there was no coverage of updating UFW (Uncomplicated Firewall), a point of significance for users with an active firewall. In general, the material was well-structured and enlightening. Thanks a lot! P.S. Your videos have been a favourite of mine for many years, and I appreciate the valuable content you consistently provide.

Jay, Another important thing to remember if running Redhat or Centos is SElinux, is adding a non-standard port to SElinux. with commands like... semanage port -l | grep ssh_port # Which will show which ports SSH is using. semanage port -a -t ssh_port_t -p tcp (port number) # Adds a port number. semanage port -d -t ssh_port_t -p tcp (port number) # Deletes a port number. And of course firewall configurations .... Other wise a great video. Keep up the great work.

i know this is an old video, but i think 31:45 would be an important timestamp to put in the description. it's basically "using a user whitelist for SSH". i think the chapters for this video got automatically generated by youtube.

This tutorial on ssh hardening is not just good. It's excellent !! Thank you, Jay.

Im just starting out with linux and aws, this video was so heplful really appreciate it. implementing these changes into my project tonight thank you!

Awesome video on ssh hardening 🎉🎉🎉 Thanks Jay

What if the computer you use to create the key 🔑 is no longer available for X reason? How would one log into the server?

Thank you very much. clearly explained and very instructive.

I also install fail2ban, just to prevent those persistent brute-force attacks from clogging up my logs

Fantastic video! 👍👍

Much appreciated. Very thorough tutorial.

Nice, and + I've learned one more shortcut: "Ctrl + D" to disconnect from ssh session instead of "exit -> [Enter]" =)

@16:50 - ssh-keygen. How does one generate an ECDSA or ED25519 key? the command you used generate an RSA key. - can i copy the private key (from ubuntu) to another linux PC (ubuntu2) to then login to server1 using the same username (jay)? -

The way you explain is easy to understand for beginer like me. thanks a lot

Jay, thank you for your video! Learned a lot.

For people who didn't have netstat, you can see the port when > running sudo systemct status ssh

I think you could also point to Lynis as a way to audit the security of a box, respectively, how you can further harden OpenSSH.

Thanks as always. What would be the process to go from endpoint A to B and B to A. Can one have a single cert that allows connection to and from countless devices?

You should also write an article about this. I think it's better for those who don't want to watch a video.

Nice, thanks for sharing

Great content thank you

U did not show how to restrict by computer name or ip by editing files in the .ssh dir

Extremely useful video, as usual.

Lots of good stuff. Thanks.

it is very helpful video Thank you

Jay Great Video!

You could also use 2fa

Thank you, Jay.

Yet I'm still stuck at Ubuntu Server 14 at work! Let's wait for 20 LTS they say'

Godsend. Thanks

Wait a sec....if you had 2 root ssh sessions to the same server and used one to config then restart the sshd the second root login was stale or there but not connected any longer.

>standard ssh-keygen Absolutely disgusting.

tcpwrappers