The OpenSSH server reads its configuration from /etc/ssh/sshd_config, which holds every option the SSH daemon uses. Options that start with a # symbol are commented out and run with their compiled-in default values. To change an option, remove the # symbol, set the new value, and restart the SSH server so it reloads the configuration.
This article will help you secure the OpenSSH server. Before applying these settings, I recommend keeping your OpenSSH server up to date. Security updates are released from time to time, so try to update the OpenSSH server at least once a week.
Tip 1 – Change SSH Port
By default, sshd listens on the standard port 22. A first step in hardening the server is to move it to a different port, because port 22 is the one every automated scanner tries first. Note that this only reduces noise from such scans; it is no substitute for the tips that follow. Edit the configuration file /etc/ssh/sshd_config and update the Port option as below (make sure your firewall permits the new port before restarting sshd, or you may lock yourself out):
Port 2222
From now on you must specify the port number (-p 2222) when connecting to the server with ssh, like below:
ssh -p 2222 [email protected]
Tip 2 – Disable Root Access
By default the root user is allowed to log in over SSH from remote clients. For security, we recommend disabling direct root access: log in with a non-root account and then switch to root with su -. This also gives you an audit trail of which person logged in before becoming root.
To do this, set “PermitRootLogin no” in the SSH configuration file.
Tip 3 – Disable Password Authentication
This is another best practice for securing the OpenSSH server. Disable password-based authentication (set PasswordAuthentication no) and allow public/private key pairs only. Your public key must already be installed on the server before you can log in, so verify that key-based login works from a second session before turning passwords off.
To access the system over ssh, generate an SSH key pair and add the public key to the server’s ~/.ssh/authorized_keys file. Only users holding the matching private key can then access the server over ssh. See the article on setting up passwordless ssh.
Tip 4 – Allow Specific Users and Groups
By default the SSH server allows every user account to log in. Sometimes you need to allow only specific users or groups. Add the configuration below to do so. Note that sshd evaluates these directives in a fixed order, DenyUsers, AllowUsers, DenyGroups and then AllowGroups, and a user needs only match one deny rule to be refused.
Allow specific users: use the AllowUsers option to allow only the listed users.
AllowUsers marc sarah
Allow specific groups: use the AllowGroups option to allow only members of the listed groups.
AllowGroups admin webadmin
Deny specific users: use the DenyUsers option to deny SSH access to the listed users.
DenyUsers jack nick
Deny specific groups: use the DenyGroups option to deny SSH access to members of the listed groups.
DenyGroups jack nick
Tip 5 – Restrict SSH on Network Interface
This is useful for servers with one interface connected directly to the internet and another connected to the LAN. In that case it is good practice to disable SSH on the internet-facing interface and listen only on the internal address. Use the option below, once per address; without any ListenAddress line sshd binds to all interfaces.
ListenAddress 192.168.10.100
ListenAddress 127.0.0.1
After applying this configuration, the OpenSSH server listens only on the addresses defined and cannot be reached through any other interface.
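As an added example that is not part of the original article, the shell script below audits an sshd_config against the settings from Tips 1 to 5 (port 2222 as used above, root login and password authentication off, an AllowUsers or AllowGroups list, and non-wildcard ListenAddress lines). It assumes the config file is passed as the first argument; the directive names are the standard sshd_config ones.

```shell
# Audit an sshd_config for the directives covered in Tips 1-5. sshd honours the
# FIRST uncommented occurrence of a directive, so the lookup does the same; a
# directive left commented out is reported as "unset" rather than guessing the default.

# effective_value FILE DIRECTIVE -> first uncommented value, or nothing.
effective_value() {
  awk -v key="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
    /^[[:space:]]*#/ { next }                   # comment = default setting
    NF >= 2 && tolower($1) == key { print $2; exit }
  ' "$1"
}

# check_directive FILE DIRECTIVE EXPECTED -> PASS/FAIL line; returns 1 on FAIL.
check_directive() {
  cd_val=$(effective_value "$1" "$2")
  if [ "$cd_val" = "$3" ]; then
    printf 'PASS %-22s %s\n' "$2" "$cd_val"
  else
    printf 'FAIL %-22s %s (want %s)\n' "$2" "${cd_val:-unset}" "$3"
    return 1
  fi
}

# check_listen FILE -> PASS only if ListenAddress is set and no address is a
# wildcard (0.0.0.0 or ::), which would bind sshd on every interface.
check_listen() {
  cl_addrs=$(awk '/^[[:space:]]*#/ {next} tolower($1)=="listenaddress" {print $2}' "$1")
  if [ -z "$cl_addrs" ]; then
    printf 'FAIL %-22s unset (binds all interfaces)\n' ListenAddress; return 1
  elif printf '%s\n' "$cl_addrs" | grep -Eq '^(0\.0\.0\.0|::|\[::\])(:|$)'; then
    printf 'FAIL %-22s wildcard present\n' ListenAddress; return 1
  fi
  printf 'PASS %-22s %s\n' ListenAddress "$(printf '%s' "$cl_addrs" | tr '\n' ' ')"
}

# audit_sshd_config FILE -> runs every check; return value = number of failures.
audit_sshd_config() {
  fails=0
  check_directive "$1" Port                   2222 || fails=$((fails + 1))
  check_directive "$1" PermitRootLogin        no   || fails=$((fails + 1))
  check_directive "$1" PasswordAuthentication no   || fails=$((fails + 1))
  check_directive "$1" PubkeyAuthentication   yes  || fails=$((fails + 1))
  # Tip 4: at least one of AllowUsers/AllowGroups should restrict who may log in
  [ -n "$(effective_value "$1" AllowUsers)$(effective_value "$1" AllowGroups)" ] \
    || { printf 'FAIL %-22s neither set\n' AllowUsers/Groups; fails=$((fails + 1)); }
  check_listen "$1"                                || fails=$((fails + 1))
  return "$fails"
}
if [ -n "${1:-}" ]; then audit_sshd_config "$1"; fi   # usage: sh audit.sh /etc/ssh/sshd_config
```

Run it against a copy of the config before restarting sshd; a non-zero exit status tells you how many of the five tips are still open.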
Advanced SSH Security with Port Knocking
Port knocking does not depend on OpenSSH specifically; you can use it in front of any protocol such as SSH, FTP or HTTP. It adds one more layer of security by keeping the port closed until a client sends the expected knock sequence. Read the following article to implement port knocking.