Press "Enter" to skip to content

Hardening SSH access

One of the first things you do when you install a new UNIX server is to configure properly the SSH service for remote administration.

By default, OpenSSH lets sshd daemon listening on port 22, allows authentication via user/password, allows login with root user, etc.

If your server is exposed to Internet (for example a hosted VPS) it is recommended to follow the following steps in order to get the SSH service secure:

+ Deny authentication with root user

On the Internet there are thousands of malicious bots scanning all IP addresses and one of the most common scans is to check if port 22 is open and if so, they try to login into the machine with user root via brute force attack.

We must disallow this option on “/etc/ssh/sshd_config” editing the next lines:

Be aware that you will need to have other user with sudo privileges in order to login via SSH with that user. Save the file and reload the configuration of sshd:

+ Use authentication via public keys

Because weak passwords can be guessed via brute force attacks, it is better connect with our own pair of public/private RSA keys.

First we need to generate a pair of public/private RSA keys: in Windows we can use PuTTYgen.exe (Download here) while in Linux we can simply use “ssh-keygen” command. Generating a 2048 bits RSA keypair should be enough. Using a passphrase to protect the private key is optional.

Second, we must locate the new public key created. In Linux it is created under “~/.ssh/id_rsa.pub” It should have the following format:

If we are in Linux we can use the following command to copy this public key to the “/.ssh/authorized_keys” file on the remote server:

If we are in Windows we need to copy the content of the public key and add it to the file “/.ssh/authorized_keys” on the remote server.

After that, we need to modify “/etc/ssh/sshd_config” file:

Finally reload the sshd config:

+ Change the default port 22

Since all bot scanners scan privileged ports including port 22, it is recommended change the sshd daemon to listen in a non privileged port. To do this, simply modify the following line in “/etc/ssh/sshd_config”:

#Port 22
Port 2244

Reload the ssh config and then check if now is listening on the new port with ‘netstat’:

One Comment

  1. Jack
    Jack 25 February, 2018

    Thanks for you job

Leave a Reply to Jack Cancel reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.