Many network services like telnet, rlogin, and rsh are vulnerable to eavesdropping which is one of several reasons why SSH should be used instead. Red Hat’s default configuration for SSH meets the security requirements for many environments. However, there are a few parameters in /etc/ssh/sshd_config that you may want to change on RHEL and other Linux systems.
The chapter Restricting System Access from Servers and Networks shows how direct logins can be disabled for shared and system accounts including root. But it’s prudent to disable direct root logins at the SSH level as well.
Also ensure to have privilege separation enabled where the daemon is split into two parts. With privilege separation a small part of the code runs as root and the rest of the code runs in a chroot jail environment. Note that on older RHEL systems this feature can break some functionality, for example see Preventing Accidental Denial of Service.
Since SSH protocol version 1 is not as secure you may want to limit the protocol to version 2 only:
You may also want to prevent SSH from setting up TCP port and X11 forwarding if you don’t need it:
AllowTcpForwarding no X11Forwarding no
Ensure the StrictModes directive is enabled which checks file permissions and ownerships of some important files in the user’s home directory like ~/.ssh, ~/.ssh/authorized_keys etc. If any checks fail, the user won’t be able to login.
Ensure that all host-based authentications are disabled. These methods should be avoided as primary authentication.
IgnoreRhosts yes HostbasedAuthentication no RhostsRSAAuthentication no
Disable sftp if it’s not needed:
#Subsystem sftp /usr/lib/misc/sftp-server
After changing any directives make sure to restart the sshd daemon: