How to Secure OpenSSH Server with simple configuration

OpenSSH provides the default terminal access on Linux operating systems. You can secure the OpenSSH server by changing its default configuration parameters.

The OpenSSH server's default configuration file is /etc/ssh/sshd_config, which holds all of its parameters. Edit this file as needed to secure SSH terminal access.

Here, we will learn five OpenSSH configurations that will help you secure the OpenSSH terminal.

  1. Change default SSH Port
  2. Disable root user access
  3. Disable Password Authentication
  4. Allow access to specific user or group
  5. Restrict SSH access on Network Interface

Change default SSH Port

By default, the SSH port is 22, configured in the file “/etc/ssh/sshd_config”. The first step to secure your SSH server is to change the port. As port 22 is known worldwide as the SSH port, you can configure any unknown port for access to the SSH server.

Open the configuration file using the following command:

# vim /etc/ssh/sshd_config

Then update the value of Port as shown below:

Port 55555

Now you need to specify the port number when accessing the SSH server, as in the command below:

# ssh -p 55555 root@192.168.5.10

Disable root user access

By default, the root user is allowed to log in to the SSH server from a remote system. As root is known as the default admin account on Linux systems, we should disable login for the root account. Other non-root accounts can use the “su -” command to become root.

To disable login for the root user, set the parameter “PermitRootLogin no” in the configuration file:

PermitRootLogin no

Disable Password Authentication

Disabling password authentication is also one of the best ways to secure the SSH server. Hackers perform several kinds of password attacks to crack passwords, but these cannot succeed if your system does not accept passwords.

In most cases, admins block password authentication and allow key authentication, where the system uses a private/public key pair to authenticate the user.

To disable password authentication, change the parameter as shown below:

PasswordAuthentication no

Allow access to specific user or group

By default, the SSH server allows all users and groups to access the remote shell. We can restrict this by allowing only specific users and groups.

To allow specific users, you can use the parameter “AllowUsers” with the usernames, as shown below:

AllowUsers satish aakash

To allow a specific group, you can use the parameter “AllowGroups” with the group name, as shown below:

AllowGroups admin webadmin

Similarly, we can also deny a specific user or group access to the SSH server.

To deny a specific user, you can use the parameter “DenyUsers” with the username, as shown below:

DenyUsers jack jons

To deny a specific group, you can use the parameter “DenyGroups” with the group name, as shown below:

DenyGroups john dev

Restrict SSH access on Network Interface

This is the most useful configuration for any server. Generally, a server runs on two different network interfaces, where one is used for Internet access and the other is on a private network.

It is always good to allow SSH access only on the private interface. To configure this, use the parameter “ListenAddress” in the configuration file, as shown below:

ListenAddress 192.168.5.10
ListenAddress 127.0.0.1

After applying all these configurations, you need to restart the SSH server for them to take effect.

You can restart the SSH server by using any one of the commands below:

# /etc/init.d/sshd restart
# service sshd restart
# systemctl restart sshd.service
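
A quick check of the five settings above, worth running on the edited file before the restart. This is an added example, not part of the original article: audit_sshd_config and sample_config are hypothetical helper names, and the sample config is constructed from the values used on this page. It assumes whitespace-separated "Keyword value" lines and does not follow Include files.

```shell
#!/bin/sh
# Audit the global section of an sshd_config for the five settings in this
# article. Reads the file arguments, or stdin when none are given.
audit_sshd_config() {
    awk '
    function report(ok, name) { printf "%s %s\n", (ok ? "PASS" : "FAIL"), name }
    NF == 0 || $1 ~ /^#/ { next }          # blank lines and comments
    {
        key = tolower($1)                   # keywords are case-insensitive
        if (key == "match") exit            # global section ends at the first Match
        if (key == "port") { ports++; if ($2 == "22") port22 = 1 }
        else if (key == "listenaddress") {
            listens++
            if ($2 == "0.0.0.0" || $2 == "::") wildcard = 1
        }
        else if (key == "allowusers" || key == "allowgroups") allow = 1
        else if (!(key in first)) first[key] = tolower($2)  # first value wins in sshd
    }
    END {
        report(ports > 0 && !port22, "Port")
        report(first["permitrootlogin"] == "no", "PermitRootLogin")
        report(first["passwordauthentication"] == "no", "PasswordAuthentication")
        report(allow, "AllowUsers/AllowGroups")
        report(listens > 0 && !wildcard, "ListenAddress")
    }' "$@"
}

# Constructed sample using the values from this article, with a duplicate
# PermitRootLogin line to show that the later "no" has no effect.
sample_config() {
    cat <<'EOF'
# constructed sample, not a real server config
Port 55555
PermitRootLogin yes
PermitRootLogin no
passwordauthentication no
AllowUsers satish aakash
ListenAddress 192.168.5.10
ListenAddress 127.0.0.1
EOF
}

sample_config | audit_sshd_config
```

On a real server, call it as audit_sshd_config /etc/ssh/sshd_config. Running "sshd -t" checks the file's syntax, while this script checks the values.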
