Hardening SSH:

SSH by default is secure. Even so, there are a few configuration changes we can make to make it even more secure. Open the /etc/ssh/sshd_config file with your favorite editor, and read on...

First, we don't want to allow root logins. We want to force the user (or ourselves) to login, and then "su" to root if needed.

  Make a copy of the following line (uncomment it) and change the yes to a no.

SSH2 is more secure than SSH1. By default SSH2 will allow SSH1 logins. If all of your hosts support SSH2 there is no need to allow SSH1 communications.

  Make a copy of the following line (uncomment it) and remove the 1.

If you are really paranoid, you can change the port number that SSH communications occur on. Change it to anything other than 22 (that's the port it runs on by default). Before you make any changes here, you'll need to look at the /etc/services file and see which services are defined to run on which port. Find an open port, and then also check on dshield.org to make sure that you are not changing SSH to run on a port that some other well known service or trojan runs on.

Change the port that SSH listens for connections on:

  You are now done editing the /etc/ssh/sshd_config file (save your changes, and quit your editor).

  Note: Do not make any changes to the /etc/services file. This way incoming connections still get directed to port 22 (which will fail - see below).

To initialize the changes, restart sshd:

To log in via SSH on a different port than the default, use the -p option:

To test your new settings, try:

Example syntax' for logging into another machine as a different user: (First line is what you type, second line is the server's response; to which you enter the user's password to gain access)

Other: These are the basic steps to make SSH more secure. They should suffice for the average home user. Although, to really make your machine(s) more secure, generating an RSA public/private key pair is really the way to go. The private key stays on the Server (the machine you are connecting to). And, the public key goes on the Client (the machine you are connecting from). Only a Client machine that contains a public key in the $HOME/.ssh/authorized_keys file is allowed to connect to the Server. Use the "ssh-keygen" command to create the RSA key pair. Read the SSH man pages if you are not sure how to do this.

Created by: linuxles
Created: Fri Oct 01 2004
Last modified: Tue Jun 19 2007