Securing Your SSH Server

Linux is pretty secure as is, and SSH is one of the best remote terminal access methods you can get; however, there are some simple tweaks you can make to protect your SSH server from DoS attacks, login hammering, and so on.

I have done a how-to for the software fail2ban, which helps protect you from DoS attacks and failed login attempts, but you can help even more by making a few more modifications.

Almost all of the modifications involve editing one file, the SSH daemon configuration file, so first let's open that up.

Open Configuration File For Editing

Change Default Port

Port scanners scan for the usual ports; if you don't use the normal port, you will most likely get passed by if someone scans your server. The following will change your port to 5555, so bear this in mind when you try to connect to the server again, as you will most likely have to specify this different port in the client connection screen.


Disable Root Login

Not allowing root just makes basic security sense. You can still log in as a normal user and then use sudo to run a root command. This works even better, as every time you use sudo it is logged. Look for the entry marked "PermitRootLogin" and change it to

Use Protocol Version 2

Some servers can accept both version 1 and version 2 connections; however, v2 is much more secure. You can force version 2 connections only by uncommenting, modifying or adding the following entry

Restrict Who Can Login

If only a few users need SSH access, you can limit who can log in. To allow only the users bob, dave and sam to log in, use the following entry; all other users will not be allowed to log in

I find it really helpful to make an sshusers group and then allow only that group, or, if you already have a group made like admin, you can allow just that group with the following

Commit Your Changes

In order for the SSH server to take these new settings you have to reload it...
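
Before reloading, it helps to confirm that the edited file really contains the settings from the sections above. The following is an added example, not code from the original page: a small audit of sshd_config text that also accounts for sshd using the first value it finds for a keyword, so a corrected line placed after an older one has no effect. The function names and sample file are constructed for illustration, and it assumes the intended PermitRootLogin value is `no`.

```python
# Added example (not from the original page): audit sshd_config text against
# the settings this page recommends. Only global options are read; parsing
# stops at the first Match block, which this sketch does not evaluate.

# Constructed sample: the later "PermitRootLogin yes" is ignored by sshd.
SAMPLE_CONFIG = """\
Port 5555
#PermitRootLogin yes
PermitRootLogin no
Protocol 2
AllowUsers bob dave sam
PermitRootLogin yes
Match User backup
    PermitRootLogin yes
"""


def parse_global(text):
    """Return (first value per keyword, list of every Port value)."""
    first, ports = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()          # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            break
        if keyword == "port":
            ports.append(value)             # Port may be given several times
        first.setdefault(keyword, value)    # first obtained value wins
    return first, ports


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    first, ports = parse_global(text)
    findings = []
    if not ports or "22" in ports:
        findings.append("sshd still listens on the default port 22")
    # Assumption: the value the page intends for PermitRootLogin is "no".
    if first.get("permitrootlogin", "").lower() != "no":
        findings.append("PermitRootLogin is not set to 'no'")
    # Only meaningful on old OpenSSH builds that still accept protocol 1.
    if "protocol" in first and first["protocol"] != "2":
        findings.append("Protocol allows something other than version 2")
    if "allowusers" not in first and "allowgroups" not in first:
        findings.append("no AllowUsers or AllowGroups restriction")
    return findings
```

Run `audit()` on the contents of your own configuration file; `sshd -t` will separately check the file for syntax errors before you reload.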