Here are a couple of ways to change your sshd default configuration settings to make the ssh daemon more secure / restrictive and thus protect your server from unwanted intruders.
Every time you make changes to the sshd configuration file you need to restart sshd. Doing so will not close your current connections! Make sure that you have a separate terminal open with root logged in, in case you misconfigure something. This way you do not lock yourself out of your own server.
Change the default ssh port number
First, it is recommended to change your default port 22 to some other port number higher than 1024. Most port scanners do not scan ports higher than 1024 by default. Open the sshd configuration file /etc/ssh/sshd_config and find a line which says
and change it to:
Now restart your sshd:
From now on you will need to log in to your server using the following command:
Allow only specific hosts to connect
In this step we will impose some restrictions on which IP addresses a client is able to connect from via ssh to the server. Edit /etc/hosts.allow and add the line:
where X is the IP address of the host allowed to connect. If you wish to add more IP addresses to the list, separate each IP address with " ".
Now deny all other hosts by editing the /etc/hosts.deny file and adding the following line:
Allow only specific users to login
Not every user on the system needs to use the ssh server facility to connect. Allow only specific users to connect to your server. For example, if user foobar has an account on your server and is the only user who needs access to the server via ssh, you can edit /etc/ssh/sshd_config and add the line:
If you wish to add more users to the AllowUsers list, separate each user name with " ".
Do not allow root ssh login
It is always wise not to connect via ssh as the root user. You can enforce this idea by editing /etc/ssh/sshd_config and changing or creating the line:
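
Added example (not part of the original article): a small Python check that reads the text of an sshd_config and reports where it departs from the three sshd_config recommendations above (port above 1024, AllowUsers set, root login disabled). The sample config, port 2222 and the function names are constructed for illustration; Include files and Match blocks are assumed to be out of scope and are not evaluated.

```python
import re

# Constructed sample, not taken from the page; port 2222 and user foobar
# are placeholder values.
SAMPLE = """\
# constructed sample sshd_config
Port 2222
permitrootlogin no
AllowUsers foobar
# a second PermitRootLogin is ignored: sshd keeps the first value it reads
PermitRootLogin yes
Match User backup
    PermitRootLogin yes
"""

def parse_global(text):
    """Map lower-cased keyword -> list of argument lists, global section only."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([A-Za-z0-9]+)\s*=?\s*(.*)", line)
        if not m:
            continue
        key, args = m.group(1).lower(), m.group(2).split()
        if key == "match":        # Match blocks follow the global section
            break
        if args:
            settings.setdefault(key, []).append(args)
    return settings

def audit(text):
    """Return findings for the page's three sshd_config recommendations."""
    s = parse_global(text)
    findings = []
    # No Port line means sshd listens on its default, 22.
    ports = [a[0] for a in s.get("port", [])] or ["22"]
    low = [p for p in ports if not p.isdigit() or int(p) <= 1024]
    if low:
        findings.append("Port %s: not above 1024" % ",".join(low))
    # Keywords are case-insensitive and the first occurrence wins.
    root = s.get("permitrootlogin", [["unset"]])[0][0].lower()
    if root != "no":
        findings.append("PermitRootLogin is %s, expected no" % root)
    if not s.get("allowusers"):
        findings.append("AllowUsers not set")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE) or "no findings")
```

Running `sshd -t` before the restart additionally catches syntax errors in the edited file, which helps avoid the lock-out described at the top of the page.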