Securing SSHd

The last thing you want is your Linux or Unix server to get hacked. And even though SSH is an encrypted there are a number of steps you can take to secure your SSH daemon. We will do 4 different things to secure sshd. For all these changes we will be editing the /etc/ssh/sshd_config file, use whatever is your favorite editor. In these examples we are leaving the commented lines for future reference.

Binding to 1 Port
First we bind SSHd to a specific port. We do this because hackers will expect that you are going to use port 22 for SSH. You can change it to any random 4 or 5 digit number.

Find where it says:

And enter a new line below it like this(change 7676 to your own number):

Binding to SSHv2
Next we are going to only allow access to SSH version 2, and not SSH version one. We do this because SSH version 2 is a more secure protocol.

Find where it says:

And enter a new line below it like this:

Binding to 1 IP Address
Third we will bind SSHd to a single IP address. The reason we do this is imagine that you have a webserver with 5 IPs (192.168.1.2 . 192.168.1.6) and you have all your hosted clients on 192.168.1.2. Most people trying to gain access are going to try to connect to that IP address. To make it more secure, we will take one IP out of your allocated space and use it only for SSH access. We will call this our Server Administion IP, say 192.168.1.6.

Find where it says:

And enter a new line below it like this:

As a side note, if you use IPv6, there is a line below #ListenAddress 0.0.0.0 that is #ListenAddress ::. You can use this format to bind to a IPv6 address.

Disabling SSH access via root account
Fourth, we are going to disable SSH access for the root account. We do this for security reasons. If for some reason your root password was comprimised, and root was allowed to SSH in, your system would be compromised. If you have disabled SSH access for root, then the hacker would have to also figure out another authorized user.s password to SSH in, then su to root. So this provides one more layer of security. But this does not protect against bad passwords.

Find where it says:

And enter a new line below it like this:

Make the changes take effect
The last thing we need to do is restart the SSH process. This depends on which distribution you are running, but more RedHat based distros do it this way:

Finally, to gain access to your system, you would now ssh to 192.168.1.6 port 7676

Share and Enjoy

  • Facebook
  • Twitter
  • Delicious
  • LinkedIn
  • StumbleUpon
  • Add to favorites
  • Email
  • RSS
The following two tabs change content below.

Tapas Mishra

Sr. Engineer (DevOps)
Loves to work on Opensource products. Having experience on Linux environment. Knowledge on Public cloud services like AWS, Rackspace, DigitalOcean, Linode. Please don't hesitate to give a comment on the posts. Your comments are my strength.

Leave a Reply