SSH (Secure Shell) is a powerful tool for remotely accessing Linux systems, but its default configuration can leave your server vulnerable to attacks. In this guide, we’ll walk through three key steps to harden your SSH setup: changing the default port, restricting access to specific users, and enforcing key-based authentication for the root account. By the end, we’ll provide a secure sshd_config file you can use as a starting point.

Step 1: Changing the SSH Port

By default, SSH listens on port 22, making it a prime target for automated attacks. Switching to a non-standard port like 1122 reduces the noise from bots scanning for open SSH ports. It does not stop a targeted attacker, so treat it as a complement to the access controls in the next steps, not a substitute for them.

Here’s how to do it:

1. Edit the SSH configuration file: Open /etc/ssh/sshd_config with your preferred text editor (e.g., nano or vim):

sudo nano /etc/ssh/sshd_config

2. Find or add the Port directive: Look for a line that says #Port 22. If it’s commented out (with a #), remove the # and change 22 to 1122. If it’s not there, add this line (sshd uses the first Port value it reads, so make sure no other uncommented Port line comes before it):

Port 1122

Then save and exit.

3. Restart the SSH service: Check the configuration for syntax errors first, then apply the changes by restarting the SSH daemon:

sudo sshd -t
sudo systemctl daemon-reload
sudo systemctl restart sshd

4. Update your firewall: If you’re using a firewall like ufw or firewalld, allow the new port and close the old one. On systems with SELinux enforcing (for example RHEL-based distributions), also register the new port first with sudo semanage port -a -t ssh_port_t -p tcp 1122, otherwise sshd is not permitted to bind to it:

  • For ufw:
sudo ufw allow 1122/tcp
sudo ufw deny 22/tcp
sudo ufw reload
  • For firewalld:
sudo firewall-cmd --add-port=1122/tcp --permanent
sudo firewall-cmd --remove-port=22/tcp --permanent
sudo firewall-cmd --reload

5. Test the new port: Before logging out, open a new terminal and connect using the new port:

ssh -p 1122 user@your-server-ip

If it works, you’re good to go.

Step 2: Allowing only specific users to log in via SSH

To limit who can access your server, you can restrict SSH logins to a whitelist of users. This is especially useful on multi-user systems.

1. Edit the sshd_config:

sudo nano /etc/ssh/sshd_config

2. Add the AllowUsers directive: At the bottom of the file, specify the users you want to allow (e.g., alice and bob):

AllowUsers alice bob

Replace alice bob with your desired usernames. Separate multiple users with spaces. Any account not listed, root included, is refused, so make sure the account you administer the server from is on the list.

3. Save and restart SSH:

sudo systemctl daemon-reload
sudo systemctl restart sshd

Step 3: Securing Root Login with SSH Keys

Root login via password is a major security risk. Disabling password-based root login and requiring an SSH key adds a strong layer of protection.

To learn how to do this, please see our article on How to Set Up SSH Key Authentication in Linux.

A Standard, Secure sshd_config

Here’s a sample sshd_config incorporating everything we’ve covered, plus a few extra security tweaks:

# Listen on custom port
Port 1122

# Restrict access to specific users (anyone not listed, root included, is refused)
AllowUsers alice bob

# Enforce key-based authentication
PermitRootLogin prohibit-password
PasswordAuthentication no
PubkeyAuthentication yes

# Disable unused authentication methods
# (ChallengeResponseAuthentication is the legacy name of KbdInteractiveAuthentication
# and is still accepted. UsePAM no also skips the PAM account and session modules that
# several distributions rely on; switch it back to yes if logins or sessions misbehave.)
ChallengeResponseAuthentication no
UsePAM no

# Limit login attempts per connection
MaxAuthTries 3

# Drop clients that stop responding: a keepalive every 300 s, disconnect after 2
# unanswered ones (about 10 minutes). This detects dead connections, not an idle
# user, and OpenSSH 8.2+ treats ClientAliveCountMax 0 as "never disconnect".
ClientAliveInterval 300
ClientAliveCountMax 2

# Use strong ciphers and algorithms
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512,hmac-sha2-256
KexAlgorithms curve25519-sha256,diffie-hellman-group-exchange-sha256

To use this:

  1. Back up your existing config: sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
  2. Replace the contents of /etc/ssh/sshd_config with the above.
  3. Adjust Port and AllowUsers to match your needs.
  4. Check the syntax with sudo sshd -t, then restart SSH: sudo systemctl daemon-reload && sudo systemctl restart sshd
  5. Test a fresh login in a second terminal before closing your existing session!

Please note:
PasswordAuthentication no disables password login and forces all users to use SSH keys. If your requirement is that only root needs to use a key, change this to yes. Normal users will then use password login.
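As an added check that is not part of this guide: a small Python auditor that reads an sshd_config the way sshd does (the first occurrence of a keyword wins, lines after Match are conditional, Include files are read at the point they appear) and reports which of the directives above are not actually in effect. The embedded config is constructed for illustration, with a stale Port 22 left above the hardened block.

```python
WANTED = {  # accepted values; "without-password" is the old spelling of "prohibit-password"
    "permitrootlogin": {"prohibit-password", "without-password", "no"},
    "passwordauthentication": {"no"},
}

def parse_sshd_config(text):
    """Return (global_directives, include_patterns) as sshd reads them: keywords are
    case-insensitive, '#' comments, first occurrence wins, lines after 'Match' aren't global."""
    effective, includes = {}, []
    for raw in text.splitlines():
        parts = (raw.split("#", 1)[0].split(None, 1) + ["", ""])[:2]  # 'Key value' form
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        if key == "include":
            includes.append(value)
        elif key:
            effective.setdefault(key, value)  # first value seen wins
    return effective, includes

def audit(text):
    """Return findings as strings; an empty list means the config matches the guide."""
    cfg, includes = parse_sshd_config(text)
    findings = [f"Include {p}: drop-ins are read at that point and win over later lines" for p in includes]
    if cfg.get("port", "22") == "22":
        findings.append("Port: effective value is 22 (only the first Port line counts)")
    if not cfg.get("allowusers"):
        findings.append("AllowUsers: not set, so no account is excluded from login")
    for key, ok in WANTED.items():
        value = cfg.get(key, "")
        if value.lower() not in ok:
            findings.append(f"{key}: effective value '{value or '(default)'}' not in {sorted(ok)}")
    if int(cfg.get("maxauthtries", "6")) > 3:  # sshd's built-in default is 6
        findings.append("MaxAuthTries: more than 3 attempts allowed per connection")
    return findings

# Constructed config: a stale 'Port 22' survives above the hardened block, so
# sshd keeps listening on 22 while the firewall now only allows 1122.
SAMPLE = """\
Include /etc/ssh/sshd_config.d/*.conf
Port 22
Port 1122
AllowUsers alice bob
PermitRootLogin prohibit-password
PasswordAuthentication no
MaxAuthTries 3
Match User deploy
    PasswordAuthentication yes
"""
```

Run audit() on the real file before restarting sshd; the Include finding matters on distributions that ship drop-in files under sshd_config.d, since a drop-in setting PasswordAuthentication yes is read first and wins.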

Power Your Projects with vpszen.com VPS Solutions

Looking for reliable hosting to run your Linux servers and host your next big project? VpsZen.com has you covered with top-tier VPS options tailored to your needs.
Choose from ARM64 VPS Servers for energy-efficient performance, or Root VPS Servers for virtual servers with dedicated resources.