OpenSSH Security Guide

Published on by Fahim

OpenSSH Security Guide:

Once you have installed an OpenSSH server, you will need to configure it by editing the sshd_config file in the /etc/ssh directory.

First, make a backup of your sshd_config file by copying it to your home directory, or by making a read-only copy in the home directory like this:

sudo cp /etc/ssh/sshd_config /home/sshd_config.factory-defaults

sudo chmod a-w /home/sshd_config.factory-defaults

Creating a read-only backup in the /home directory means we can always get back to the fresh, default configuration when we need it.

The following steps cover the settings to change.

Step#1 Disable Root Logins:

SSH server settings are stored in the /etc/ssh/sshd_config file. To disable root logins, find this entry in sshd_config:

#Prevent root logins:

PermitRootLogin no

and restart the ssh service.

sudo /etc/init.d/ssh restart

Step#2 Limit User Logins

SSH logins can be limited to only the users who need remote access. Add an AllowUsers line followed by a space-separated list of usernames to /etc/ssh/sshd_config. For example:

AllowUsers fahim

and restart the sshd service.

Step#3 Use Protocol 2

SSH has two protocols it may use, protocol 1 and protocol 2. The older protocol 1 is less secure and should be disabled unless you know that you specifically require it. In the /etc/ssh/sshd_config file, make sure the Protocol line reads:

#Protocol 2,1

Protocol 2

and restart the sshd services.

Step#4 Use a non-standard port

By default, ssh listens for incoming connections on port 22. An effective method is to run ssh on a non-standard port. Any unused port will do, although a port above 1024 is preferable.

To make the change, add a line like this to the config file:

#Run ssh on a non-standard port:

Port 2222

then restart the sshd service.

Because ssh is no longer listening for connections on the standard port, we have to tell our client which port to connect to. Using the ssh client from the command line, we can specify the port with the -p switch:

ssh -p 2222 <ServerUser>@192.168.10.199

Step#5 Log Information

By default, the OpenSSH server logs to the AUTH facility of syslog, at the INFO level. If you want to record more detail, such as failed login attempts, you should raise the logging level to VERBOSE.

To increase the level, find the following line in your sshd_config.

LogLevel INFO

and change it to this:

LogLevel VERBOSE

The details of ssh login attempts will then be saved in your /var/log/auth.log file.
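A small audit script that checks a configuration file against all five steps above, added here as an example and not part of the original post. It assumes a POSIX shell with awk, reads only the global section of the file (settings under a Match block apply conditionally and are skipped), and returns the number of settings that still differ from the guide.

```shell
#!/bin/sh
# Added example, not from the original post: audit an sshd_config against
# the five settings this guide recommends. Only global settings are read;
# anything after a Match line applies conditionally and is ignored here.

# Print the effective value of a keyword: sshd honours the first uncommented
# occurrence, so stop at the first match (and at the first Match block).
sshd_setting() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key     { print $2; exit }
    ' "$1"
}

# Print one line per setting; the return value is the number of settings
# that are missing or differ from the guide's recommendation.
audit_sshd_config() {
    f="$1"; bad=0
    check() {   # $1 keyword, $2 recommended value
        val=$(sshd_setting "$f" "$1")
        if [ -z "$val" ]; then
            echo "WARN $1 not set, compiled-in default applies"; bad=$((bad+1))
        elif [ "$val" != "$2" ]; then
            echo "FAIL $1 is '$val', guide recommends '$2'"; bad=$((bad+1))
        else
            echo "OK   $1 $val"
        fi
    }
    check PermitRootLogin no
    check Protocol 2
    check LogLevel VERBOSE
    port=$(sshd_setting "$f" Port)
    if [ -z "$port" ] || [ "$port" = 22 ]; then
        echo "FAIL Port is the default 22"; bad=$((bad+1))
    else
        echo "OK   Port $port"
    fi
    if [ -z "$(sshd_setting "$f" AllowUsers)" ]; then
        echo "WARN AllowUsers not set, any account may log in"; bad=$((bad+1))
    else
        echo "OK   AllowUsers restricts logins"
    fi
    return "$bad"
}

# Run against a real file when one is given, e.g. ./audit.sh /etc/ssh/sshd_config
if [ $# -gt 0 ]; then audit_sshd_config "$1"; fi
```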

