BIP KB:
How To Secure ssh
Article By tapish01 Ranjan
Here are a couple of ways to change the default sshd configuration settings to make the ssh daemon more secure and restrictive, and thus protect your server from unwanted intruders. NOTE: Every time you make changes to the sshd configuration file you need to restart sshd. Doing so will not close your current connections! Make sure that you have a separate terminal open with root logged in, in case you misconfigure something. This way you will not lock yourself out of your own server.
1. Change a default port number to secure ssh
First, it is recommended to change the default port 22 to some other port number higher than 1024. Most port scanners do not scan ports higher than 1024 by default. Open the sshd configuration file /etc/ssh/sshd_config and find the line which says
Port 22
and change it to:
Port 10000
Now restart your sshd:
/etc/init.d/ssh restart
From now on you will need to log in to your server using the following command:
ssh -p 10000 name@myserver.local
2. Allow only specific host to connect
In this step we will add some restrictions so that only certain IP addresses are allowed to connect via ssh to the server. Edit /etc/hosts.allow and add the line:
sshd: X
where X is the IP address of the host which is allowed to connect. If you wish to add more IP addresses, list them separately, with " " (a space) around each IP address.
Now deny all other hosts by editing the /etc/hosts.deny file and adding the following line:
sshd: ALL
3. Allow only specific users to login
Not every user on the system needs to use ssh to connect. Allow only specific users to connect to your server. For example, if user bob has an account on your server and is the only user who needs access to the server via ssh, then edit /etc/ssh/sshd_config and add the line:
AllowUsers bob
If you would like to add more users to the AllowUsers list, separate each user name with " " (a space).
4. Do not allow root ssh login
It is always wise to restrict direct root access via ssh. You can enforce this by editing /etc/ssh/sshd_config and changing or creating the line:
PermitRootLogin no
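A small check for steps 1, 3 and 4, added here as an example and not part of the original article: it parses the global section of an sshd_config and reports where it departs from the settings above (step 2 lives in /etc/hosts.allow and is not covered). The sample config, the function names and the choice to stop reading at the first Match block are assumptions of this example.

```python
import re

# Constructed sample config (not from the article): note the commented-out
# Port line and the duplicate PermitRootLogin, which sshd would ignore.
SAMPLE = """\
#Port 22
Port 10000
PermitRootLogin no
permitrootlogin yes
AllowUsers bob
Match User backup
    PermitRootLogin yes
"""

def global_settings(text):
    """Collect keyword -> list of argument strings from the global section."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()          # sshd keywords are case-insensitive
        if key == "match":              # stop: Match blocks are conditional
            break
        settings.setdefault(key, []).append(parts[1] if len(parts) > 1 else "")
    return settings

def audit(text):
    """Return a list of findings against steps 1, 3 and 4 of the article."""
    s, findings = global_settings(text), []
    ports = [int(p) for p in s.get("port", ["22"])]   # sshd defaults to 22
    if any(p <= 1024 for p in ports):
        findings.append("Port: listening on a port <= 1024: %s" % ports)
    # For most keywords the first value obtained wins; later lines are ignored.
    root = s.get("permitrootlogin", ["<unset>"])[0].lower()
    if root != "no":
        findings.append("PermitRootLogin is %r, expected 'no'" % root)
    if "allowusers" not in s:
        findings.append("AllowUsers not set: any account may log in over ssh")
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE) or ["OK: matches steps 1, 3 and 4"]:
        print(f)
```

Running `sshd -t` before the restart additionally catches syntax errors that would stop the daemon from coming back up.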
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.