{"id":4133,"date":"2012-10-29T23:33:19","date_gmt":"2012-10-29T15:33:19","guid":{"rendered":"https:\/\/webhostinggeeks.com\/howto\/?p=4133"},"modified":"2023-06-22T17:30:19","modified_gmt":"2023-06-22T17:30:19","slug":"how-to-secure-openssh-sshd-on-linux","status":"publish","type":"post","link":"https:\/\/webhostinggeeks.com\/howto\/how-to-secure-openssh-sshd-on-linux\/","title":{"rendered":"How to Secure OpenSSH (SSHD) on Linux"},"content":{"rendered":"<p>OpenSSH is a widely recognized open-source alternative to proprietary Secure Shell software. It provides SSH connectivity tools that enable remote login and file transfer via SCP or SFTP. The server's options are controlled through the \/etc\/ssh\/sshd_config file.<\/p>\n<p>To enhance the security of the OpenSSH server, certain default sshd settings need to be modified.<\/p>\n<p>This short guide will show you three examples of how to secure OpenSSH (SSHD) on Linux. These steps have been tested on CentOS 6.3 and may work on CentOS 6.2, CentOS 5.x, Redhat Enterprise Linux 5 (RHEL 5), and Redhat Enterprise Linux 6 (RHEL 6).<\/p>\n<h2>Changing the Default SSH Port<\/h2>\n<p>By default, SSH operates on port 22. Moving sshd to a non-standard port means an attacker first has to find out which port SSH is listening on, which helps reduce automated brute-force attempts against the default port. A port scan will still reveal the new port, so treat this as a way to cut noise rather than as access control. Find the following line in sshd_config:<\/p>\n<pre>\r\n#Port 22\r\n<\/pre>\n<p>Uncomment and change to:<\/p>\n<pre>\r\nPort 2202\r\n<\/pre>\n<h2>Disabling Root Login (PermitRootLogin)<\/h2>\n<p>To prevent the root user from logging into the server directly, find the following entry in sshd_config:<\/p>\n<pre>\r\n#PermitRootLogin yes\r\n<\/pre>\n<p>Uncomment and change to:<\/p>\n<pre>\r\nPermitRootLogin no\r\n<\/pre>\n<h2>Listening on Specific IP Addresses Only<\/h2>\n<p>By default, sshd listens on all IP addresses configured on the server. 
To accept SSH connections only on the server addresses 192.168.1.200 and 192.168.1.202, set the following in your sshd_config:<\/p>\n<pre>\r\nListenAddress 192.168.1.200\r\nListenAddress 192.168.1.202\r\n<\/pre>\n<h2>Directives Mentioned<\/h2>\n<ul>\n<li><span class=\"fw-bold\">Port<\/span> \u2013 Changes the port SSH listens on<\/li>\n<li><span class=\"fw-bold\">PermitRootLogin<\/span> \u2013 Controls whether the root user can log in<\/li>\n<li><span class=\"fw-bold\">ListenAddress<\/span> \u2013 Specifies the IP addresses SSH should listen on<\/li>\n<\/ul>\n<h2>Conclusion<\/h2>\n<p>Securing your OpenSSH server is a crucial step in protecting your system from unauthorized access and potential attacks. Changing the default SSH port, disabling root login, and specifying the IP addresses that SSH should listen on each reduce the exposure of the SSH service. Remember, these steps have been tested on CentOS 6.3 and may work on other systems like CentOS 6.2, CentOS 5.x, Redhat Enterprise Linux 5 (RHEL 5), and Redhat Enterprise Linux 6 (RHEL 6).<\/p>\n<p>For more in-depth information on <a href=\"https:\/\/webhostinggeeks.com\/blog\/apache-http-server-explained\/\">Apache<\/a>, <a href=\"https:\/\/webhostinggeeks.com\/blog\/nginx-server-explained\/\">Nginx<\/a>, and <a href=\"https:\/\/webhostinggeeks.com\/blog\/litespeed-web-server-explained\/\">LiteSpeed<\/a> servers, as well as <a href=\"https:\/\/webhostinggeeks.com\/blog\/what-is-dedicated-server-hosting\/\">dedicated server<\/a>, <a href=\"https:\/\/webhostinggeeks.com\/blog\/what-is-vps-hosting\/\">VPS server<\/a>, <a href=\"https:\/\/webhostinggeeks.com\/blog\/what-is-cloud-hosting\/\">cloud hosting<\/a>, and <a href=\"https:\/\/webhostinggeeks.com\/blog\/what-is-shared-hosting\/\">shared hosting<\/a> options, visit our dedicated pages.<\/p>\n<h2>FAQ<\/h2>\n<ol itemscope itemtype=\"https:\/\/schema.org\/FAQPage\">\n<li itemscope itemprop=\"mainEntity\" itemtype=\"https:\/\/schema.org\/Question\">\n<p 
class=\"fw-bold\" itemprop=\"name\">What is OpenSSH?<\/p>\n<p itemprop=\"acceptedAnswer\" itemscope itemtype=\"https:\/\/schema.org\/Answer\">\n                <span itemprop=\"text\">OpenSSH is an open-source alternative to proprietary Secure Shell software. It provides SSH connectivity tools that allow remote login and file transfer via SCP or SFTP.<\/span>\n            <\/p>\n<\/li>\n<li itemscope itemprop=\"mainEntity\" itemtype=\"https:\/\/schema.org\/Question\">\n<p class=\"fw-bold\" itemprop=\"name\">Why should I change the default SSH port?<\/p>\n<p itemprop=\"acceptedAnswer\" itemscope itemtype=\"https:\/\/schema.org\/Answer\">\n                <span itemprop=\"text\">Changing the default SSH port to a non-standard port can enhance security by making it harder for attackers to access your system, as they would need to know the SSH port number.<\/span>\n            <\/p>\n<\/li>\n<li itemscope itemprop=\"mainEntity\" itemtype=\"https:\/\/schema.org\/Question\">\n<p class=\"fw-bold\" itemprop=\"name\">What does disabling root login do?<\/p>\n<p itemprop=\"acceptedAnswer\" itemscope itemtype=\"https:\/\/schema.org\/Answer\">\n                <span itemprop=\"text\">Disabling root login prevents the root user from logging into the server directly. This is a security measure that can help protect your system from unauthorized access.<\/span>\n            <\/p>\n<\/li>\n<li itemscope itemprop=\"mainEntity\" itemtype=\"https:\/\/schema.org\/Question\">\n<p class=\"fw-bold\" itemprop=\"name\">What does the ListenAddress directive do?<\/p>\n<p itemprop=\"acceptedAnswer\" itemscope itemtype=\"https:\/\/schema.org\/Answer\">\n                <span itemprop=\"text\">The ListenAddress directive in sshd_config specifies the IP addresses that SSH should listen on. 
This can be used to restrict logins to specific IP addresses.<\/span>\n            <\/p>\n<\/li>\n<li itemscope itemprop=\"mainEntity\" itemtype=\"https:\/\/schema.org\/Question\">\n<p class=\"fw-bold\" itemprop=\"name\">What systems are compatible with these OpenSSH security steps?<\/p>\n<p itemprop=\"acceptedAnswer\" itemscope itemtype=\"https:\/\/schema.org\/Answer\">\n                <span itemprop=\"text\">These steps have been tested on CentOS 6.3 and may work on CentOS 6.2, CentOS 5.x, Redhat Enterprise Linux 5 (RHEL 5), and Redhat Enterprise Linux 6 (RHEL 6).<\/span>\n            <\/p>\n<\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"<p>OpenSSH is a widely recognized open-source alternative to proprietary Secure Shell software. It provides SSH connectivity tools that enable remote login and file transfer via SCP or SFTP. OpenSSH was&#8230;<\/p>\n","protected":false},"author":6,"featured_media":2824,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"wds_primary_category":0,"footnotes":""},"categories":[1058],"tags":[1244,1253,1254,1536,1546,1622,1624,1706,1713,1715,1795],"class_list":["post-4133","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ssh","tag-centos","tag-centos-6-2","tag-centos-6-3","tag-linux","tag-linux-utilities","tag-openssh","tag-openssh-server","tag-remote-ssh","tag-rhel","tag-rhel-6","tag-ssh"],"_links":{"self":[{"href":"https:\/\/webhostinggeeks.com\/howto\/wp-json\/wp\/v2\/posts\/4133","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/webhostinggeeks.com\/howto\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/webhostinggeeks.com\/howto\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/webhostinggeeks.com\/howto\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/webhostinggeeks.com\/howto\/wp-json\/wp\/v2\/comments?post=4133"}],"version-history":[{"co
unt":0,"href":"https:\/\/webhostinggeeks.com\/howto\/wp-json\/wp\/v2\/posts\/4133\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/webhostinggeeks.com\/howto\/wp-json\/wp\/v2\/media\/2824"}],"wp:attachment":[{"href":"https:\/\/webhostinggeeks.com\/howto\/wp-json\/wp\/v2\/media?parent=4133"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/webhostinggeeks.com\/howto\/wp-json\/wp\/v2\/categories?post=4133"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/webhostinggeeks.com\/howto\/wp-json\/wp\/v2\/tags?post=4133"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}