{"id":573,"date":"2010-03-19T09:03:00","date_gmt":"2010-03-19T13:03:00","guid":{"rendered":"http:\/\/linuxhostingsupport.net\/blog\/?p=573"},"modified":"2013-03-20T08:42:49","modified_gmt":"2013-03-20T12:42:49","slug":"how-to-secure-the-sshd-service","status":"publish","type":"post","link":"https:\/\/linuxhostingsupport.net\/blog\/how-to-secure-the-sshd-service","title":{"rendered":"How to secure the SSHD service?"},"content":{"rendered":"<p>The SSH service can be secured in various ways, such as <strong>changing the SSH port, changing the SSH protocol, setting the SSH ListenAddress, disabling root login with the PermitRootLogin parameter, allowing SSH access to specific users, and restricting SSH access to specific IPs<\/strong>. These steps will make sure SSH service on your server is secure.<\/p>\n<p>Edit the SSHD configuration and make the changes listed below:<\/p>\n<blockquote><p><span style=\"color: #0000ff;\"><strong>vi \/etc\/ssh\/sshd_config<\/strong><\/span><\/p><\/blockquote>\n<p><strong>1)<\/strong> Change the SSH port from the default 22 to a higher value by setting the &#8216;Port&#8217; directive<\/p>\n<blockquote><p><span style=\"color: #0000ff;\"><strong>Port 2233<\/strong><\/span><\/p><\/blockquote>\n<p><strong>2) <\/strong>To make SSH work on a secure protocol, set the &#8216;Protocol&#8217; directive to<\/p>\n<blockquote><p><strong><span style=\"color: #0000ff;\">Protocol 2<\/span><\/strong><\/p><\/blockquote>\n<p><strong>3) <\/strong>Bind the SSHD service to a specific IP of the server by replacing the &#8216;#ListenAddress&#8217; directive with<\/p>\n<blockquote><p><span style=\"color: #0000ff;\"><strong>ListenAddress xx.xx.xx.xx<\/strong><\/span><\/p><\/blockquote>\n<p>where xx.xx.xx.xx is the additional IP of the server and the only one which will allow you to SSH into the server.<\/p>\n<p><strong>4) <\/strong>To disable root access, set the &#8216;PermitRootLogin&#8217; directive to &#8216;no&#8217;<\/p>\n<blockquote><p><span style=\"color: 
#0000ff;\"><strong>PermitRootLogin no<\/strong><\/span><\/p><\/blockquote>\n<p>Before disabling root login, make sure you add an alternate SSH user on the server who has privileges to gain root access.<\/p>\n<p><strong>5)<\/strong> To allow SSH access to specific users, add the &#8220;AllowUsers&#8221; directive at the end of the configuration<\/p>\n<blockquote><p><span style=\"color: #0000ff;\"><strong>AllowUsers user1 user2<\/strong><\/span><\/p><\/blockquote>\n<p>This will allow SSH access to users user1 and user2. You need to allow SSH access to the user who is allowed to gain root access in case root access is disabled.<\/p>\n<p>Save the file and restart the sshd service<\/p>\n<blockquote><p><span style=\"color: #0000ff;\"><strong>service sshd restart<\/strong><\/span><\/p><\/blockquote>\n<p><strong>6)<\/strong> Using the <strong>TCP wrappers, i.e. hosts.allow and hosts.deny<\/strong>, you can restrict SSH access to specific IPs: edit \/etc\/hosts.allow and add the following<\/p>\n<blockquote><p><span style=\"color: #0000ff;\"><strong>sshd : yourlocalip: allow<br \/>\nsshd : all : deny<\/strong><\/span><\/p><\/blockquote>\n<p><strong>&#8220;yourlocalip&#8221;<\/strong> is the one assigned by your ISP. It will restrict SSH access to your local IP only.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The SSH service can be secured in various ways, such as changing the SSH port, changing the SSH protocol, setting the SSH ListenAddress, disabling root login with the PermitRootLogin parameter, allowing SSH access to specific users, and restricting SSH access to specific IPs. 
These steps will make sure SSH service on your server is secure.<br \/>\nEdit the SSHD configuration and make the changes listed below:<br \/>\nvi \/etc\/ssh\/sshd_config<br \/>\n1) Set the default SSH port 22 to a higher value, by changing the &#8216;Port&#8217; directive<br \/>\nPort 2233<br \/>\n2) To make SSH work on a secure protocol, set the &#8216;Protocol&#8217; [&#8230;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[760,762,1356,755,1357,761,34,757],"_links":{"self":[{"href":"https:\/\/linuxhostingsupport.net\/blog\/wp-json\/wp\/v2\/posts\/573"}],"collection":[{"href":"https:\/\/linuxhostingsupport.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/linuxhostingsupport.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/linuxhostingsupport.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/linuxhostingsupport.net\/blog\/wp-json\/wp\/v2\/comments?post=573"}],"version-history":[{"count":9,"href":"https:\/\/linuxhostingsupport.net\/blog\/wp-json\/wp\/v2\/posts\/573\/revisions"}],"predecessor-version":[{"id":2215,"href":"https:\/\/linuxhostingsupport.net\/blog\/wp-json\/wp\/v2\/posts\/573\/revisions\/2215"}],"wp:attachment":[{"href":"https:\/\/linuxhostingsupport.net\/blog\/wp-json\/wp\/v2\/media?parent=573"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/linuxhostingsupport.net\/blog\/wp-json\/wp\/v2\/categories?post=573"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/linuxhostingsupport.net\/blog\/wp-json\/wp\/v2\/tags?post=573"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}