how to secure ssh server

This article will help you to secure the OpenSSH server in a modern way. The main configuration file of the ssh server is /etc/ssh/sshd_config, and techs normally edit this file and make changes. But there is a drawback to this. If the Operating system updates the openSSH server, you have to edit it again or keep the old sshd_config . We don't do that here. We leave the sshd_config as it is.

Where do we place the settings?

There is a folder called /etc/ssh/sshd_config.d/ and we put all our tweak settings here. The openssh server will load the configuration from this folder and apply the changes.

How to secure the OpenSSH server?

There are several ways to secure SSH settings. Please follow the documents and make the changes.

1. Start with a disclaimer banner

Every organization needs a security policy to inform the client before using the SSH. Create the following banner file, /etc/

cat << EOF > /etc/

Warning! Authorized use only.
This server is the property of QULS LLC

Now enable this banner in openSSH configuration, /etc/ssh/sshd_config.d/00-banner.conf

echo "Banner /etc/" > /etc/ssh/sshd_config.d/00-banner.conf

2. Prevent empty passwords

We don't need some one use empty passwords to access the SSH server. Empty passwords are a bad idea. You may have other utilities, such as Plug-gable Authentication Modules (PAM), regulating your regular passwords, but it's also a good idea to make sure SSH enforces responsible security settings, too.

To disable empty passwords create the configuration file , /etc/ssh/sshd_config.d/01-noemptypasswords.conf

echo "PermitEmptyPasswords no" > /etc/ssh/sshd_config.d/01-noemptypasswords.conf

3. Change the default SSH Port

SSH default listens on port 22 , which is always a victim of brute force attacks. We never use this port. We are going to change the SSH Port to another one let us say, 1234 .

To make changes to the SSH port add the port configuration in /etc/ssh/sshd_config.d/02-port.conf

echo "Port 1234" > /etc/ssh/sshd_config.d/02-port.conf

4. Limit access of root user

It is always to control the permission of the root user to access the SSH server. This has been performed by setting the variable PermitRootLogin . This variable accepts the three values as yes , no , and prohibit-password

  • yes - This option will allow the root user with a password
  • no - This option will disable the direct ssh of the root user
  • prohibit-password - This option will allow root user but with ssh-keys only,

We are going to allow the root user with ssh-key access only.

Add the PermitRootLogin option to the configuration file /etc/ssh/sshd_config.d/03-permitroot.conf

echo "PermitRootLogin prohibit-password" > /etc/ssh/sshd_config.d/03-permitroot.conf

5. Control Idle timeout

This option will close the client connection if there is no response from the client side after a certain period. We don't need to keep the connection option if the user is not on his workstation. With open connections, anyone can access the SSH server. We are going to set ClientAliveInterval and ClientAliveCountMax variables to make this adjustment.

  • ClientAliveInterval is how much time the SSH server needs to check for active connections.
  • ClientAliveCountMax defines how many times the server will do this before deciding the client isn't there anymore. At that point, the connection is dropped.

We are going to set the 5-minute interval time for the inactive client connections.

Create the configuration file /etc/ssh/sshd_config.d/04-timeouts.conf

echo "ClientAliveInterval 300" > /etc/ssh/sshd_config.d/04-timeouts.conf
echo "ClientAliveCountMax 3" > /etc/ssh/sshd_config.d/04-timeouts.conf

6. Limit Login/Access Attempts

This option will limit access to the SSH server after a certain number of failed login attempts. It is always good to use this option to reduce brute-force attacks. We use the variable MaxAuthTries to limit the failed login attempts.

Add the configuration /etc/ssh/sshd_config.d/05-limitaccess.conf

echo "MaxAuthTries 3" > /etc/ssh/sshd_config.d/05-limitaccess.conf

7. Disable TCP forwarding

Attackers can try to gain access to your other systems by port forwarding through SSH connections. To prevent this, you can turn off the AllowTcpForwarding .

Add the configuration file , /etc/ssh/sshd_config.d/06-notcpforward.conf

echo "AllowTcpForwarding no" > /etc/ssh/sshd_config.d/06-notcpforward.conf

8. Disable X-Window connections

We don't need someone to run a browser on your SSH server. Prevent all GUI applications running through the SSH server using the variable AllowTcpForwarding

Create the configuration file /etc/ssh/sshd_config.d/07-nox11.conf

echo "X11Forwarding no" >  /etc/ssh/sshd_config.d/07-nox11.conf

9. IP restrictions to sshd service.

We use /etc/hosts.allow, to white list access from certain IPs. This file can be used to restrict the SSH permission, allow a specific IP block, or enter a single IP and block all remaining IP addresses with the deny command.

An example for allowing ip address range is as follows

echo "sshd : : ALLOW" >> /etc/hosts.allow

10. Install a firewall on the server

You should always install and configure a firewall on your server. We recommend installing C onfig Server Security and Firewall (CSF) . This is a good firewall based on iptables. The LFD daemon associated with CSF will block brute-force attempts.

11. Resart OpenSSH server

The final step is to restart the openssh server to apply the above changes.

systemctl restart sshd.service

In addition to the above settings, you can use AllowUsers , AllowGroups , DenyUsers , and DenyGroups settings to control who can log in to the SSH server. In a hosting server, everyone with shell access would be able to ssh to the server. So using these settings may limit the access.

The Eenos hosting control panel supports the CSF firewall. It is auto-integrated with the Eenos BFD settings.

400x400 - twitter -EEE

Eric Stephen

Sr.Software Engineer

Eric is a Senior software Engineer. He is a linux geek and have good knowledge in building custom Linux applications. He is also an expert python programmer.

Eenos is a modern high-performance hosting control panel. You can host your traditional websites and modern Fintech apps with Eenos. You can deploy your Artificial intelligence, Chatbot, and data analytics web apps on Eenos with one click.

Latest Promotions

Need Any Help? Or Looking For Custom Pricing

© . All Rights Reserved.