How To Secure ssh

Article By tapish01 Ranjan

Here are a couple of ways to change the default sshd configuration settings to make the ssh daemon more secure and restrictive, and thus protect your server from unwanted intruders.

NOTE:

Every time you make changes to the sshd configuration file you need to restart sshd. Doing so will not close your current connections. Make sure that you have a separate terminal open with root logged in, in case you misconfigure something. This way you will not lock yourself out of your own server.

1. Change the default port number to secure ssh

First, it is recommended to change the default port 22 to some other port number higher than 1024. Most port scanners do not scan ports higher than 1024 by default. Open the sshd configuration file /etc/ssh/sshd_config and find the line which says:

Port 22

and change it to:

Port 10000

Now restart sshd:

 /etc/init.d/ssh restart

From now on you will need to log in to your server using the following command:

ssh -p 10000 name@myserver.local

2. Allow only specific host to connect

In this step we will add a restriction so that only certain IP addresses can connect via ssh to the server. Edit /etc/hosts.allow and add the line:

sshd: X

where X is the IP address of the host which is allowed to connect. If you wish to add more IP addresses, list them on the same line, separating each IP address with a space (" ").

Now deny all other hosts by editing the /etc/hosts.deny file and adding the following line:

sshd: ALL

3. Allow only specific users to login

Not every user on the system needs to use ssh to connect. Allow only specific users to connect to your server. For example, if user bob has an account on your server and is the only user who needs access to the server via ssh, then edit /etc/ssh/sshd_config and add the line:

AllowUsers bob

If you would like to add more users to the AllowUsers list, separate each user name with a space (" ").

4. Do not allow root ssh login

It is always wise to restrict direct root access via ssh. You can enforce this by editing /etc/ssh/sshd_config and changing or creating the line:

PermitRootLogin no
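
An added example, not part of the original article: sshd uses the first value it reads for a keyword such as PermitRootLogin, so a "PermitRootLogin no" created below an older "PermitRootLogin yes" changes nothing. The script audits a config file for steps 1, 3 and 4; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): audit an sshd_config-style file.
# Assumes whitespace-separated "Keyword value" lines; Include files are not followed.

# Print the first uncommented value of keyword $2 in file $1, stopping at the
# first Match block. This is the value sshd uses for PermitRootLogin.
first_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { $1 = ""; sub(/^ +/, ""); print; exit }
    ' "$1"
}

# Print one FAIL line per weak setting; return 0 only when every check passes.
audit_sshd_config() {
    cfg=$1; rc=0
    v=$(first_value "$cfg" PermitRootLogin)
    [ "$v" = "no" ] || { echo "FAIL PermitRootLogin: effective value is '${v:-unset}'"; rc=1; }
    v=$(first_value "$cfg" AllowUsers)
    [ -n "$v" ] || { echo "FAIL AllowUsers: not set"; rc=1; }
    # Port may be listed more than once, so fail if it is unset or any line says 22.
    if [ -z "$(first_value "$cfg" Port)" ] || grep -Eiq '^[[:space:]]*port[[:space:]]+22[[:space:]]*$' "$cfg"; then
        echo "FAIL Port: sshd still listens on default port 22"; rc=1
    fi
    return "$rc"
}

# Constructed sample: the hardened line was created below an older one.
sample_appended() {
    printf '%s\n' 'Port 10000' 'PermitRootLogin yes' 'AllowUsers bob' \
        '#PermitRootLogin prohibit-password' 'PermitRootLogin no'
}
# Constructed sample: the existing line was changed in place.
sample_changed() {
    printf '%s\n' 'Port 10000' 'permitrootlogin no' 'AllowUsers bob'
}

tmp=$(mktemp)
sample_appended > "$tmp"; audit_sshd_config "$tmp" || echo "appended: not hardened"
sample_changed  > "$tmp"; audit_sshd_config "$tmp" && echo "changed: ok"
rm -f "$tmp"
```

On a real server, run audit_sshd_config /etc/ssh/sshd_config from the spare root terminal before restarting sshd.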


