How to protect SSH server

How to secure ssh server from attacks ?

SSH (Secure Shell): 

Secure the ssh server from brute force attack and other vulnerabilities. The checklist for securing the ssh server can mitigate the risk of getting hacked.

The periodical upgrade of ssh package from the repository is always recommended.

With our guide we are going to show you the best practice to secure ssh server.

Secure the ssh service using the below checklist.

1. Deny root login

2. Change the default port for SSH

3. SSH service filter using TCPWRAPPER

4. Restrict the ssh login to certain users using a directive “AllowUsers”

5. Display SSH banner

6. Clean up authorized keys from /root/.ssh/authorized_keys or /home/user/.ssh/authorized_keys


1. Deny the root login

Deny the  root log in via SSH by editing the sshd_config file. Set the value of “PermitRootLogin no”

#vi /etc/ssh/sshd_config

PermitRootLogin no

Save & Exit!

2. Change the default ssh port

Change the default ssh port from 22 to 4 digits like 8929, make sure the port  not in use.
The default port for ssh service is 22, the default port is known  so modifying from default to customized,  can mitigate the risk of being a victim of brute force attack.

#vi /etc/ssh/sshd_config

Port 8929

Save & Exit!

Restart the sshd service changes to effect.

#service sshd restart

3. Enable TCPWRAPPER(firewall)

Enable TCPWRAPPER(firewall) service to deny the  ssh login from client machines, allow only from authorized IP’s or network.
There are two files maintain to run tcpwrapper service hosts.allow and hosts.deny and the service controlled by xinetd daemon.

Rules written in the hosts.allow overwrites the rules written in hosts.deny

If you don’t have installed it then install xinetd package from the repository

#yum install xinetd

Deny all the hosts accessing from clients.

#vi /etc/hosts.deny

sshd :ALL

Save & Exit!

Allow to known IP or network by adding the allow entry in /etc/hosts.allow

#vi /etc/hosts.allow

sshd :

Save & Exit!

Restart the xinetd service changes to effect.

#service xinetd restart


192.168. : any host which begins with 192.168. are allowd to connect from
192.168. EXCEPT : this will allow all except

4. Restrict the ssh Log in to certain users

Restrict the ssh log in to certain users using a directive “AllowUsers”

Add following entry to allow ssh log in to appsadmin & sysadmin

#vi /etc/ssh/sshd_config

AllowUsers appsadmin sysadmin

Save & Exit!

5. Display SSH banner.

The banner used for display warning at console to unauthorized users.
There are two types of banners you can use to set the warning message:

Before login banner :sshd-banner
After Login banner :motd


Before login :sshd-banner

Create an SSH login banner file under the /etc/ssh/, in our guide, we are creating a file “sshd-banner”.

#vi /etc/ssh/sshd-banner

Warning : do not attempt to log in if you’re not authorized.

Save & Exit!
Edit the banner path setting in sshd.conf, un-comment and show the absolute path of the file.

#vi /etc/sshd/sshd.conf

Banner /etc/ssh/sshd-banner

Save & Exit!

After Login :motd

#vi /etc/motd

Warning : your activities are being monitored.

Save & Exit!

6. Clean up authorized keys from /root/.ssh/authorized_keys 

Password less log in purpose there might be an entry in authorized_keys under the users’s home folder/.ssh/

Remove all the entries from the authorized_keys

#vi /root/.ssh/authorized_keys

Remove all the entries.

Save & Exit!



Leave a Reply

Your email address will not be published. Required fields are marked *

40 − = 39