How to Secure SSH?

SSH stands for Secure Shell. The term “SSH” refers to either the SSH protocol or the software tools that enable system administrators and users to establish secure connections to distant systems through that protocol. It is an encrypted protocol for establishing a secure connection over an unsecured network, such as the internet. An SSH server will listen for incoming connections on tcp port 22 by default. Hackers and malicious bots target this port because it is a standardized, well-known port.

In this article, I will introduce you to some important security practices which will help you to increase the level of security in your SSH server.

Use SSH Keys for Authentication

To add an SSH key pair, first, create a hidden folder to your user account home directory on your cloud server with the following command.

mkdir -p ~/.ssh
chmod 700 ~/.ssh

However, because the keys are kept in your user’s home directory, each user who wants to utilize SSH keys for authentication must repeat these procedures on their own profile.

1. Generate A Key Pair

$ ssh-keygen -t ed25519 -C ""

The choice is between RSA 2048/4096 and Ed25519 and the trade-off is between performance and compatibility. RSA is universally supported among SSH clients while EdDSA performs much faster and provides the same level of security with significantly smaller keys.

2. Copy the pair to server

$ ssh-copy-id -i ~/.ssh/ test@A.B.C.D

When asked, type your SSH server user account password. You may now use the key pair to access to your server.


Secure sshd Config

Use your favourite text editor and change the configuration under the file. We change all the configurations in the one file i.e /etc/ssh/sshd_config

Change SSH Port

The standard port for SSH connections is 22. Using a different port gives a layer of protection to your system through obscurity.

Port 2222

Disable Password Authentication

After you have copied your public key to the server, your next step is to disable the password authentication for security.

PasswordAuthentication no

Reject Connection Requests With No Password

The default settings for SSH to accept connection requests is without passwords. We can change that and ensure all the connections are authenticated in the same file

PermitEmptyPasswords no

Enable New Protocol

Version 2 is not backward compatible with version 1 because to the numerous modifications and enhancements, particularly in the areas of encryption and security. You can specify that your computer will only accept connections from version 2 clients to block connections from version 1 clients.

Protocol 2

Disable Root Login

The first thing to configure to secure the SSH Server is by disabling the root login to the server. Root is the superuser account in Linux and Unix which needs to be secured and has the highest access rights on the system.

PermitRootLogin no

Disable X11 Forwarding

Over an SSH session, X11 forwarding allows remote users to execute graphical apps from your server. A GUI interface can help a hackers or malicious user accomplish their nefarious goals.

X11Forwarding no

Disable Any Types of Forwarding

  • AllowTcpForwarding Specifies whether TCP forwarding is permitted.
  • GatewayPorts prevents connecting to forwarded ports from outside the server computer.
  • PermitTunnel is for tunnel devices, which are like virtual network interfaces. They can be used e.g. for VPN connections via SSH, so all traffic to the target network is routed via the tunnel.
  • AllowStreamLocalForwarding allows Unix domain sockets to be forwarded. We need to disable all the options in order to secure the server.
AllowTcpForwarding no
GatewayPorts no
PermitTunnel no
AllowStreamLocalForwarding no

This is how my current configurations stands.

Protocols and Forwardings

Authentication Modes

Under authentication, change the modes of authentication of Maximum authentication Tries and Maximum Sessions to the following.

MaxAuthTries 2
MaxSessions 3

Restart sshd server

Once all the configuration changes has taken place, save your changes and restart the ssh daemon.

$ sudo systemctl restart sshd



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store