How to Secure OpenSSH (SSHD) on Linux

OpenSSH is a widely recognized open-source alternative to proprietary Secure Shell software. It provides SSH connectivity tools that enable remote login and file transfer via SCP or SFTP. The options of its server, sshd, are controlled through the /etc/ssh/sshd_config file.

To enhance the security of the OpenSSH server, certain default sshd settings need to be modified.

This short guide will show you three examples of how to secure OpenSSH (SSHD) on Linux. These steps have been tested on CentOS 6.3 and may work on CentOS 6.2, CentOS 5.x, Redhat Enterprise Linux 5 (RHEL 5), and Redhat Enterprise Linux 6 (RHEL 6).

Changing the Default SSH Port

By default, SSH operates on port 22. Moving sshd to a non-standard port means an attacker first has to find out which port it is on, which helps against automated brute force attacks aimed at port 22. A port scan will still find the service, so use this together with the other settings in this guide. In sshd_config, find the following line:

#Port 22

Uncomment and change to:

Port 2202

Disabling Root Login (PermitRootLogin)

To prevent root from logging into the server directly, find the following entry in sshd_config:

#PermitRootLogin yes

Uncomment and change to:

PermitRootLogin no

Listening to Specific IP Only

By default, SSH will listen on all local IP addresses of the server. If you want sshd to accept logins only on the server's addresses 192.168.1.200 and 192.168.1.202, add the following to your sshd_config:

ListenAddress 192.168.1.200
ListenAddress 192.168.1.202
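
A way to check the edited file, as an added example that is not part of the original guide: the script reads the global section of an sshd_config and reports whether the three changes above are active. The function names sshd_values and audit_sshd and the sample file contents are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit the global section of an sshd_config for the three
# settings in this guide. Function names are hypothetical.

# Print every global value of KEYWORD in FILE, in file order.
sshd_values() {  # usage: sshd_values KEYWORD FILE
    awk -v k="$1" '
        /^[ \t]*#/ { next }                  # commented-out line: inactive
        tolower($1) == "match" { exit }      # Match blocks are conditional
        tolower($1) == tolower(k) { print $2 }
    ' "$2"
}

# Return 0 if FILE applies all three settings, 1 otherwise.
audit_sshd() {  # usage: audit_sshd FILE
    rc=0
    ports=$(sshd_values Port "$1")
    # Only the first PermitRootLogin line takes effect.
    root=$(sshd_values PermitRootLogin "$1" | head -n 1)
    listen=$(sshd_values ListenAddress "$1")
    # No active Port line means the default, 22. Port may be repeated.
    for p in ${ports:-22}; do
        if [ "$p" = 22 ]; then echo "FAIL: sshd listens on port 22"; rc=1; fi
    done
    if [ "$root" != no ]; then
        echo "FAIL: PermitRootLogin is '${root:-not set}'"; rc=1
    fi
    if [ -z "$listen" ]; then
        echo "FAIL: no ListenAddress, sshd binds every local address"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: port $(echo $ports), root login off, bound to $(echo $listen)"
    fi
    return "$rc"
}

# Constructed sample: the stock commented defaults, then the edited file.
tmp=$(mktemp)
printf '%s\n' '#Port 22' '#PermitRootLogin yes' > "$tmp"
audit_sshd "$tmp" || echo "(stock configuration fails the audit)"
printf '%s\n' 'Port 2202' 'PermitRootLogin no' \
    'ListenAddress 192.168.1.200' 'ListenAddress 192.168.1.202' > "$tmp"
audit_sshd "$tmp"
rm -f "$tmp"
```

Run `audit_sshd /etc/ssh/sshd_config` against the real file; `sshd -t` checks the file's syntax before the service is restarted.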

Commands Mentioned

  • Port – Changes the port SSH listens on
  • PermitRootLogin – Controls whether the root user can log in
  • ListenAddress – Specifies the IP addresses SSH should listen on

Conclusion

Securing your OpenSSH server is a crucial step in protecting your system from unauthorized access and potential attacks. By changing the default SSH port, disabling root login, and specifying the IP addresses that SSH should listen on, you can significantly enhance the security of your system. Remember, these steps have been tested on CentOS 6.3 and may work on other systems like CentOS 6.2, CentOS 5.x, Redhat Enterprise Linux 5 (RHEL 5), and Redhat Enterprise Linux 6 (RHEL 6).


FAQ

  1. What is OpenSSH?

    OpenSSH is an open-source alternative to proprietary Secure Shell software. It provides SSH connectivity tools that allow remote login and file transfer via SCP or SFTP.

  2. Why should I change the default SSH port?

    Changing the default SSH port to a non-standard port can enhance security by making it harder for attackers to access your system, as they would need to know the SSH port number.

  3. What does disabling root login do?

    Disabling root login prevents the root user from logging into the server directly. This is a security measure that can help protect your system from unauthorized access.

  4. What does the ListenAddress directive do?

    The ListenAddress directive in sshd_config specifies the local IP addresses that sshd should listen on. This can be used to restrict logins to connections arriving on specific IP addresses of the server.

  5. What systems are compatible with these OpenSSH security steps?

    These steps have been tested on CentOS 6.3 and may work on CentOS 6.2, CentOS 5.x, Redhat Enterprise Linux 5 (RHEL 5), and Redhat Enterprise Linux 6 (RHEL 6).
