OpenSSH provides default terminal access on Linux operating system. You can secure OpenSSH server terminal by changing default configuration parameters.
OpenSSH default configuration file located at /etc/ssh/sshd_config, which has all the parameter configuration, you need to configure this file as per your need and secure the SSH terminal access.
Here, we will learn five configurations of OpenSSH, which will help you to secure the OpenSSH terminal.
- Change default SSH Port
- Disable root user access
- Disable Password Authentication
- Allow access to specific user or group
- Restrict SSH access on Network Interface
Change default SSH Port
By default, SSH port is 22 configured in the file “/etc/ssh/sshd_config” file. The first step to secure your ssh server is to change the port. As 22 port is known by the world to use an SSH server, you can configure any unknow port to access SSH server.
Open the configuration file using the following command:
# vim /etc/ssh/sshd_config
And update the value of port like below:
Now you need to specify the port number while access the ssh server like below command:
# ssh –p 55555 [email protected]
Disable root user access
By default, the root user is allowed to log in on the SSH server using the remote system. As the root is known as default admin account on the Linux system, we should disable the login for the root account. Other non-root accounts can use the “su –“ command to become as root.
To disable the root user for login needs to set the parameter “PermintRootLogin no” in the configuration file:
Disable Password Authentication
Disable Password Authentication is also the best way to secure the SSH server. Hackers are performing several passwords attack to crack the password, but suppose your system is not accepting the password.
Most of the case admin block the password authentication and allowing key authentication where system use private/public key to authenticate the user.
To disable password authentication change parameter like below:
Allow access to specific user or group
By default SSH server allowed all users and groups to access the remote shell. We can restrict it by allowing specific user and group.
To allow specific use, you can use the parameter “AllowUsers” with username, as shown below:
AllowUsers satish aakash
To allow a specific group, you can use the parameter “AllowGroups” with the group name, as shown below:
AllowGroups admin webadmin
Similarly, we can also deny a specific user or group to use the SSH server.
To deny specific user, you can use parameter “DenyUsers” with username, as shown below:
DenyUsers jack jons
To deny specific Group, you can use parameter “DenyGroups” with a group name, as shown below:
DenyGroups john dev
Restrict SSH access on Network Interface
It is the most useful configuration for any server. Generally, we are running a server on two different network interface where one is use to Internet access, and another one is running on a private network.
It is always good to configure SSH access on a private interface, to configure it use parameter “ListenAddress” on configuration file, as shown below:
ListenAddress 192.168.5.10 ListenAddress 127.0.0.1
After applying all these configurations, you need to restart the SSH server to use these configurations.
You can restart the SSH server by using any from below command:
# /etc/init.d/sshd restart # service sshd restart # systemctl restart sshd.service