Here are a couple of ways to change your sshd default configuration settings to make the ssh daemon more secure and restrictive, and thus protect your server from unwanted intruders.


Every time you make changes to the sshd configuration file you need to restart sshd. Doing so will not close your current connections! Make sure that you have a separate terminal open with root logged in, in case you misconfigure something. This way you do not lock yourself out of your own server.

Change the default ssh port number

First, it is recommended to change the default port 22 to some other port number higher than 1024. Most port scanners do not scan ports higher than 1024 by default. Open the sshd configuration file /etc/ssh/sshd_config and find the line which says

Port 22

and change it to:

Port 10000

Now restart your sshd:

 /etc/init.d/ssh restart

From now on you will need to log in to your server using the following linux command, where user@host stands for your own user name and server address:

ssh -p 10000 user@host

Allow only specific hosts to connect

In this step we will impose some restrictions on which IP addresses a client is able to connect from via ssh to the server. Edit /etc/hosts.allow and add the line:

sshd: X

where X is the IP address of the host allowed to connect. If you wish to add more IP addresses, separate each IP address with " ".
Now deny all other hosts by editing the /etc/hosts.deny file and adding the following line:

sshd: ALL

Allow only specific users to login

Not every user on the system needs to use the ssh server to connect. Allow only specific users to connect to your server. For example, if user foobar has an account on your server and this is the only user who needs access to the server via ssh, you can edit /etc/ssh/sshd_config and add the line:

AllowUsers foobar

If you wish to add more users to the AllowUsers list, separate each user name with " ".

Do not allow root ssh login

It is always wise not to connect via ssh as the root user. You can enforce this by editing /etc/ssh/sshd_config and changing or creating the line:

PermitRootLogin no
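
A small checker for the three sshd_config changes above (Port, AllowUsers, PermitRootLogin), added here as an example and not part of the original article. It assumes the file content is passed in as text, reads only the global settings before the first Match block, and does not follow Include files; the sample config is constructed.

```python
import re

# Constructed sample: the settings from this page, plus a stray second
# PermitRootLogin line, which sshd ignores because the first value wins.
SAMPLE = """\
# constructed sshd_config for the example
Port 10000
permitrootlogin no
AllowUsers foobar
PermitRootLogin yes
"""

MULTI = {"port", "allowusers"}  # keywords that may be given more than once

def parse_global(text):
    """Return the global (pre-Match) settings as {keyword: [values]}."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # tolerate Keyword=value
        key = parts[0].lower()  # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":  # conditional block: no longer global
            break
        if key in MULTI:
            settings.setdefault(key, []).extend(value.split())
        elif key not in settings:  # first obtained value is the one used
            settings[key] = [value]
    return settings

def audit(text):
    """List findings against the three sshd_config settings on this page."""
    s = parse_global(text)
    findings = []
    ports = [int(p) for p in s.get("port", ["22"])]  # sshd listens on 22 if unset
    if any(p <= 1024 for p in ports):
        findings.append("Port: listening on %s, not only above 1024" % ports)
    if s.get("permitrootlogin", [""])[0].lower() != "no":
        findings.append("PermitRootLogin: not explicitly set to no")
    if not s.get("allowusers"):
        findings.append("AllowUsers: no list, every account may log in")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE) or ["no findings"]:
        print(finding)
```

To check a real file, pass its content to audit(), for example audit(open("/etc/ssh/sshd_config").read()), before restarting sshd.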
