
Here are a couple of ways to change the default sshd configuration settings to make the SSH daemon more secure and restrictive, and thus protect your server from unwanted intruders.

NOTE:

Every time you make changes to the sshd configuration file you need to restart sshd. Doing so will not close your current connections! Make sure you have a separate terminal open with root logged in, in case you make a misconfiguration. This way you do not lock yourself out of your own server.

1. Change the default ssh port number

First, it is recommended to change the default port 22 to some other port number higher than 1024. Most port scanners do not scan ports higher than 1024 by default. Open the sshd configuration file /etc/ssh/sshd_config and find the line which says

Port 22

and change it to:

Port 10000

Now restart your sshd:

 /etc/init.d/ssh restart

From now on you will need to log in to your server using the following command (replace user@your-server with your user name and the server's address):

ssh -p 10000 user@your-server

2. Allow only specific hosts to connect

In this step we will impose restrictions on which IP addresses a client is allowed to connect to the server from via ssh. Edit /etc/hosts.allow and add the line:

sshd: X

where X is the IP address of the host allowed to connect. If you wish to add more IP addresses, separate each IP address with a space (" ").
Now deny all other hosts by editing the /etc/hosts.deny file and adding the following line:

sshd: ALL

3. Allow only specific users to login

Not every user on the system needs to use the ssh server facility to connect. Allow only specific users to connect to your server. For example, if user foobar has an account on your server and this is the only user who needs access to the server via ssh, you can edit /etc/ssh/sshd_config and add the line:

AllowUsers foobar

If you wish to add more users to the AllowUsers list, separate each user name with a space (" ").

4. Do not allow root ssh login

It is always wise not to connect via ssh as the root user. You can enforce this by editing /etc/ssh/sshd_config and changing or creating the line:

PermitRootLogin no
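The four steps above are all edits to files that are easy to get subtly wrong (a directive left commented out, a second copy of Port further down the file, a setting placed inside a Match block where it only applies conditionally). The following audit script is an added example, not part of the original article: it reads an sshd_config together with hosts.allow and hosts.deny and reports which of the four settings are actually in effect. The sample files it checks are constructed inline; the file paths, function names and the 192.0.2.x addresses are assumptions for the demonstration, and on a real host you would point the functions at /etc/ssh/sshd_config and /etc/hosts.{allow,deny}.

```shell
#!/bin/sh
# Added audit example (not the article's own code). Checks whether the settings
# from steps 1-4 are in effect in a given sshd_config / hosts.allow / hosts.deny.

# Print the effective value of an sshd_config directive. sshd applies the FIRST
# uncommented occurrence, directive names are case-insensitive, and everything
# after a "Match" line is conditional, so scanning stops there.
sshd_directive() {
    # $1 = config file, $2 = directive name
    awk -v key="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        { k = tolower($1) }
        k == "match" { exit }
        k == key { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$1" 2>/dev/null
}

# Print the client list of the first uncommented "sshd:" rule in a TCP-wrapper file.
wrapper_rule() {
    # $1 = hosts.allow or hosts.deny
    awk '
        /^[[:space:]]*#/ { next }
        tolower($0) ~ /^[[:space:]]*sshd[[:space:]]*:/ {
            sub(/^[[:space:]]*[Ss][Ss][Hh][Dd][[:space:]]*:[[:space:]]*/, "")
            print; exit
        }
    ' "$1" 2>/dev/null
}

# Run the checks for steps 1-4; prints one line each and returns the number of failures.
audit_ssh_hardening() {
    # $1 = sshd_config, $2 = hosts.allow, $3 = hosts.deny
    fails=0

    port=$(sshd_directive "$1" Port); port=${port:-22}   # unset means the default 22
    if [ "$port" -gt 1024 ] 2>/dev/null; then echo "OK   Port $port"
    else echo "FAIL Port is $port (step 1: use a port above 1024)"; fails=$((fails + 1)); fi

    allow=$(wrapper_rule "$2")
    if [ -n "$allow" ]; then echo "OK   hosts.allow limits sshd to: $allow"
    else echo "FAIL hosts.allow has no sshd rule (step 2)"; fails=$((fails + 1)); fi

    deny=$(wrapper_rule "$3" | tr '[:lower:]' '[:upper:]')
    if [ "$deny" = "ALL" ]; then echo "OK   hosts.deny has sshd: ALL"
    else echo "FAIL hosts.deny lacks 'sshd: ALL' (step 2: other hosts are not denied)"; fails=$((fails + 1)); fi

    users=$(sshd_directive "$1" AllowUsers)
    if [ -n "$users" ]; then echo "OK   AllowUsers $users"
    else echo "FAIL AllowUsers unset (step 3: every account may log in)"; fails=$((fails + 1)); fi

    root=$(sshd_directive "$1" PermitRootLogin | tr '[:upper:]' '[:lower:]')
    if [ "$root" = "no" ]; then echo "OK   PermitRootLogin no"
    else echo "FAIL PermitRootLogin is '${root:-unset}' (step 4: set it to no)"; fails=$((fails + 1)); fi

    return $fails
}

# Constructed sample files: one set following steps 1-4, one untouched set.
DEMO=$(mktemp -d); trap 'rm -rf "$DEMO"' EXIT
cat > "$DEMO/sshd_config.hardened" <<'EOF'
# constructed sample mirroring the edits from steps 1, 3 and 4
#Port 22
Port 10000
AllowUsers foobar
PermitRootLogin no
EOF
printf 'sshd: 192.0.2.10 192.0.2.11\n' > "$DEMO/hosts.allow.hardened"
printf 'sshd: ALL\n' > "$DEMO/hosts.deny.hardened"

cat > "$DEMO/sshd_config.stock" <<'EOF'
# constructed sample of an untouched configuration, plus a conditional block
# that a naive "grep PermitRootLogin" would mistake for a global setting
#Port 22
Match Address 192.0.2.0/24
    PermitRootLogin no
EOF
: > "$DEMO/hosts.allow.stock"
: > "$DEMO/hosts.deny.stock"

echo "== hardened sample =="
audit_ssh_hardening "$DEMO/sshd_config.hardened" "$DEMO/hosts.allow.hardened" "$DEMO/hosts.deny.hardened"
echo "== stock sample =="
audit_ssh_hardening "$DEMO/sshd_config.stock" "$DEMO/hosts.allow.stock" "$DEMO/hosts.deny.stock"
echo "stock sample: $? check(s) failed"
```

Run it as-is to see both samples scored, or call audit_ssh_hardening with the real paths before restarting sshd. Pair it with `sshd -t`, which parses the configuration and reports syntax errors without restarting the daemon, so that a typo cannot take the service down while your spare root session is your only way back in.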
