How to Secure and Harden SSH?

Secure Shell (SSH) is a network protocol that provides command-line access to a remote Linux server. It can be used to execute command-line operations and transfer data. The SSH protocol also underlies scp (Secure Copy) and sftp (Secure File Transfer).

We can use both Windows and Unix-based systems to create an SSH connection to a remote system.

In this tutorial we will show you some steps to improve the security of an SSH connection.


1: Disable Default Port.

By default, SSH uses port 22. The majority of automated attacks target the default port. Once it is changed, it is a bit harder for attackers to find which port you are using for SSH communication.

Steps to change SSH port:

1) Log in to the server as the root user.

2) Make a backup of the SSH configuration file sshd_config as shown below.

root@test:/# cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak


3) Open the file sshd_config. You can use a text editor such as nano or vim to edit the file. Here I am using nano.

root@test:/# nano /etc/ssh/sshd_config


Then locate the entry “Port”. As mentioned, the default is 22. Change it to a custom value and save the file.



4) Restart the SSH service.

root@test:/# service ssh restart



2: Allow Users/Groups

As part of server hardening, it is necessary to limit SSH access to specific users. We can easily accomplish this by editing the SSH configuration file sshd_config.

Open the file:

root@test:/# nano /etc/ssh/sshd_config


Then add the option “AllowUsers” and add the user names as shown below. Only the listed users will have access to the server.



In the above case, only the users user1, user2 and user3 have access to the server.

You can also limit access to a specific group by adding “AllowGroups” to the sshd_config file.




3: Block Users/Group

You can block specific users instead of allowing specific users. To do this, add the entry “DenyUsers” to the SSH configuration file.



In the same way, if you want to block a specific group, add “DenyGroups”.



4: Disable Direct Root Access

By default, SSH allows the root user to access the server. We can disable direct root access to enhance security.

To disable direct root access, find the line “PermitRootLogin yes” in the sshd_config file and change it to “PermitRootLogin no”.



5: Disable Protocol 1

SSH has two protocol versions: Protocol 1 and Protocol 2. The older Protocol 1 has a lot of vulnerabilities and should be disabled. Use Protocol 2 only. You can accomplish this by editing the sshd_config file as shown below.
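The following script is an added example, not part of the original tutorial: it audits an sshd_config file against the settings from steps 1 to 5. The sample configurations, the port value 2222 and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an sshd_config file for the settings in steps 1-5.

# Print the value of the first global occurrence of keyword $1 in file $2.
# Keywords are case-insensitive and sshd keeps the first value it reads;
# parsing stops at the first Match block, whose settings are conditional.
sshd_value() {
    awk -v key="$1" '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$2"
}

# Print one FAIL line per finding; return the number of findings.
audit_sshd_config() {
    cfg=$1; fails=0; acl=""
    port=$(sshd_value Port "$cfg")
    if [ -z "$port" ] || [ "$port" = "22" ]; then
        echo "FAIL step 1: SSH still listens on default port 22"; fails=$((fails + 1))
    fi
    for k in AllowUsers AllowGroups DenyUsers DenyGroups; do
        acl="$acl$(sshd_value "$k" "$cfg")"
    done
    if [ -z "$acl" ]; then
        echo "FAIL steps 2/3: no Allow*/Deny* user or group restriction"; fails=$((fails + 1))
    fi
    root=$(sshd_value PermitRootLogin "$cfg" | tr 'A-Z' 'a-z')
    if [ "$root" != "no" ]; then
        echo "FAIL step 4: PermitRootLogin is '${root:-unset}', expected no"; fails=$((fails + 1))
    fi
    # Assumption: a missing Protocol line passes (OpenSSH 7.4+ servers only speak protocol 2).
    case "$(sshd_value Protocol "$cfg")" in
        *1*) echo "FAIL step 5: protocol 1 is enabled"; fails=$((fails + 1)) ;;
    esac
    return "$fails"
}

# Constructed sample configurations (hypothetical contents).
weak_sample() { printf '%s\n' '# defaults' 'Port 22' 'Protocol 2,1' 'PermitRootLogin yes'; }
hardened_sample() {
    printf '%s\n' 'Port 2222' 'Protocol 2' 'permitrootlogin no' \
        'AllowUsers user1 user2 user3' 'Match User user3' '    X11Forwarding no'
}
tmp=$(mktemp)
for s in weak_sample hardened_sample; do
    "$s" > "$tmp"; n=0; audit_sshd_config "$tmp" || n=$?; echo "$s: $n finding(s)"
done
rm -f "$tmp"
```

On a live server, `sshd -t` validates the edited file before the restart, and `sshd -T` prints the effective configuration, including any Include files that this script does not follow.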



That is how you secure your SSH.


If you need any further help, please reach out to our support department.