Most of the time we access Linux machines through SSH, so the SSH service has to be hardened enough that using it over private and public networks is safe.

There are various ways to secure an SSH server. Here we describe some important measures that are widely used. All of them are set in the sshd configuration file, /etc/ssh/sshd_config, and take effect only after the service is restarted.

1. Disable Root Login

Root login over SSH should be disabled. For this we have to edit the SSH server configuration file.

This way sshd itself refuses any login as root. Since root has every permission on the system, attackers who brute-force or otherwise try to connect as root are kept out, and administrators log in with a normal account and become root with sudo or su, which also leaves an audit trail of who did what. (Since OpenSSH 7.0 the default is prohibit-password, which still allows key-based root logins; "no" is stricter.)

The SSH server configuration file is /etc/ssh/sshd_config. The following directive should be set in it:

PermitRootLogin no



After editing the configuration file we need to restart the sshd service. Validate the file first with "sshd -t" (it prints nothing when the file is fine), and keep your current session open until a fresh login has been confirmed to work, so that a typo cannot lock you out.

# service sshd restart

On RHEL 7 or CentOS 7:

# systemctl restart sshd.service

On Ubuntu (the unit is called ssh, not sshd; on systemd-based releases use "systemctl restart ssh"):

# service ssh restart

ssh stop/waiting

ssh start/running, process 2588
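To apply a directive without hand-editing, here is an added helper (example code, not from the original article) that sets one sshd_config keyword in place. It overwrites the first existing line for that keyword, active or commented out (stock files ship "#PermitRootLogin prohibit-password"), inserts it before the first Match block if there is no global occurrence (directives after a Match are conditional), or appends it. Keyword matching is case-insensitive, as in sshd. The function names and demo paths are assumptions of mine; sshd -t, systemctl and service are the real commands.

```shell
#!/bin/sh
# Added example, not from the original article: set one sshd_config directive
# in place and apply it safely.  Function names and demo paths are made up.

# set_sshd_directive FILE KEYWORD VALUE
set_sshd_directive() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp) || return 1
    awk -v kw="$key" -v key="$(printf '%s' "$key" | tr 'A-Z' 'a-z')" -v value="$value" '
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)       # look past a leading "#"
            split(line, f, /[ \t=]+/)
            name = tolower(f[1])
            if (!done && name == key) {            # first occurrence: replace it
                print kw " " value; done = 1; next
            }
            if (!done && name == "match") {        # global section ends here
                print kw " " value; done = 1
            }
            print
        }
        END { if (!done) print kw " " value }      # never seen: append
    ' "$file" > "$tmp" && cat "$tmp" > "$file"     # cat keeps the file mode and owner
    rc=$?
    rm -f "$tmp"
    return $rc
}

# harden_root_login [FILE]: section 1 of the article applied with a backup,
# a syntax check, and a restart that is skipped if the check fails.  Run as
# root on the server and keep the session you are in open until a fresh
# login has been verified to work.
harden_root_login() {
    cfg=${1:-/etc/ssh/sshd_config}
    cp -p "$cfg" "$cfg.bak.$(date +%Y%m%d%H%M%S)" || return 1
    set_sshd_directive "$cfg" PermitRootLogin no || return 1
    sshd -t -f "$cfg" || { echo "sshd rejected $cfg, not restarting" >&2; return 1; }
    systemctl restart sshd 2>/dev/null || service ssh restart   # RHEL/CentOS, else Ubuntu
}

# Stand-alone demo on a throwaway copy; it never touches the real file.
demo=$(mktemp)
printf '#PermitRootLogin prohibit-password\nSubsystem sftp internal-sftp\n' > "$demo"
set_sshd_directive "$demo" PermitRootLogin no
cat "$demo"          # the commented-out line has become "PermitRootLogin no"
rm -f "$demo"
```

Call harden_root_login with no argument on a real server; the remaining sections can be applied with further set_sshd_directive calls before the single sshd -t and restart.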

2. Change the SSH Default Port

Every daemon listens on its own well-known port; sshd offers connections to clients on port 22 by default. Moving it to a non-standard port means that anyone connecting to port 22 gets a "connection refused" from the server, and only people who know the new port can reach it. Be clear about what this buys: it is obscurity, not authentication. It cuts the noise from mass scanners and bots in your logs, but a targeted attacker finds the port with a port scan, so combine it with the other measures here. Prefer a port below 1024: only root can bind those, whereas a port such as 1548 could be taken over by any local user running a fake sshd while the real one is down. On RHEL/CentOS with SELinux enforcing, also allow the new port ("semanage port -a -t ssh_port_t -p tcp 1548") and open it in the firewall, or sshd will fail to bind it.

For this, edit /etc/ssh/sshd_config and change the directive below.

Port 1548



After editing the file, restart the ssh service for the change to take effect.

We can check which port sshd is listening on with netstat (or "ss -ntlp" on newer systems):

# netstat -ntlp

tcp 0 0 0.0.0.0:1548 0.0.0.0:* LISTEN 2617/sshd



3. Allow or Deny Specific Users and Groups

Allow only a few users or groups to log in via SSH. sshd has directives that ensure only the listed users, or members of the listed groups, can log in; everyone else is refused after authentication. Set them in the SSH configuration file. As soon as an AllowUsers or AllowGroups line is present, every account not matched is denied, so list your own account (or its group) before restarting.

AllowUsers User-name1 user-name2

AllowGroups group-name1 group-name2



DenyUsers and DenyGroups are for accounts that need a login shell for local or non-SSH access (console, VNC, etc.) but should never log in over SSH:

DenyUsers User-name1 user-name2

DenyGroups group-name1 group-name2



Restart the SSH service after editing the configuration file. The directives are processed in the order DenyUsers, AllowUsers, DenyGroups, AllowGroups, so a user denied by name is never let in by a group match, and a user allowed by name is still refused if their group is denied.

4. Bind to a Specific IP Address

This is useful on systems with several network interfaces and IP addresses, where different addresses are used for different purposes (HTTP, MySQL, SSH, ...). We can configure sshd so that only one address, typically the one on the management network, accepts SSH connections, leaving the other addresses to the services that use them. For that, use this directive in /etc/ssh/sshd_config:

ListenAddress 192.168.1.11



Restart the SSH service after editing the configuration file. sshd will then listen only on that one address; by default it listens on all addresses (0.0.0.0 and ::). ListenAddress can be repeated for several addresses and can include a port, e.g. "ListenAddress 192.168.1.11:1548". The address must already be assigned to an interface when sshd starts, otherwise the bind fails and sshd does not come up.

5. Only SSH keys for login, No password authentication

Password authentication is weak against guessing and credential reuse; use key pairs for SSH login instead. The original article mentions RSA or DSA keys; DSA has been disabled by default since OpenSSH 7.0 and should not be used any more. Use ed25519, or RSA with at least 3072 bits. For this you first need to:

Create your own key pair with a passphrase and add the public key to the file ~/.ssh/authorized_keys of your user on the server.

Keys are created with the ssh-keygen command, which by default writes them into the ~/.ssh directory.

This gives two files. The private key (id_rsa, or id_ed25519) stays on the system you start the SSH connection from and must never be copied anywhere else. The public key (id_rsa.pub) is for the server you want to connect to: its contents are appended to ~/.ssh/authorized_keys there, which is what ssh-copy-id automates. The ~/.ssh directory must be mode 700 and authorized_keys mode 600 on the server; with StrictModes (the default) sshd silently ignores the file otherwise.

After you have verified from a second session, keeping the first one open, that the key login works, set PasswordAuthentication to no in /etc/ssh/sshd_config to disable password authentication, and restart sshd:

PasswordAuthentication no

Also set "ChallengeResponseAuthentication no" (called KbdInteractiveAuthentication in newer OpenSSH versions); otherwise PAM can still prompt for a password through the keyboard-interactive method.
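The whole procedure, as an added example that is not part of the original article: the client's ~/.ssh and the target user's ~/.ssh on the server are stood in by two directories under one base path so it runs offline. It assumes ssh-keygen is installed; the paths, key comment and passphrase are made up. ed25519 is used instead of RSA/DSA for the reasons given above.

```shell
#!/bin/sh
# Added example, not from the original article: key-based login set up end to
# end in a sandbox directory.  Paths, comment and passphrase are made up.

# setup_key_auth BASE: generate a key pair on the "client" and install the
# public half on the "server" with the permissions sshd insists on.
setup_key_auth() {
    client=$1/client                 # stands in for ~/.ssh on the client
    server=$1/server/.ssh            # stands in for ~/.ssh of the login user on the server
    mkdir -p "$client" "$server"
    chmod 700 "$client" "$server"    # StrictModes rejects group/world-writable dirs

    # 1. Generate the pair on the client; the private key never leaves it.
    #    -N sets the passphrase here for the demo only; interactively, run
    #    ssh-keygen without -N so the passphrase stays out of shell history.
    ssh-keygen -q -t ed25519 -N 'use-a-real-passphrase' -C 'demo@client' \
        -f "$client/id_ed25519" || return 1
    chmod 600 "$client/id_ed25519"   # ssh refuses a private key others can read

    # 2. Install the PUBLIC key on the server by appending it to authorized_keys.
    #    This is what "ssh-copy-id -i ~/.ssh/id_ed25519.pub user@server" does.
    cat "$client/id_ed25519.pub" >> "$server/authorized_keys"
    chmod 600 "$server/authorized_keys"

    # 3. Before touching sshd_config, confirm from a SECOND terminal that
    #      ssh -i ~/.ssh/id_ed25519 -o PasswordAuthentication=no user@server
    #    logs in with the key.  Only then set, on the server,
    #      PubkeyAuthentication yes
    #      PasswordAuthentication no
    #      ChallengeResponseAuthentication no   # KbdInteractiveAuthentication on newer OpenSSH
    #    in /etc/ssh/sshd_config and restart sshd, keeping the first session open.
}

# Usage: sh this_script.sh /tmp/sshdemo
if [ -n "$1" ]; then
    setup_key_auth "$1" && echo "key pair and authorized_keys written under $1"
fi
```

After running it, "$1/client" holds the private key and "$1/server/.ssh/authorized_keys" holds the single public line that would be accepted by sshd for that user.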

6. Disconnect SSH Connections in Case of No Activity

SSH should drop connections whose client has stopped responding, so that dead sessions do not linger on the server. Two directives in /etc/ssh/sshd_config control this liveness check; restart the ssh service after editing the file.

ClientAliveInterval 300

ClientAliveCountMax 0

ClientAliveInterval – a timeout in seconds. After that many seconds without traffic from the client, the server sends a client-alive request through the encrypted channel and expects a reply. The default is 0, which disables the check.

ClientAliveCountMax – the number of client-alive requests that may go unanswered before sshd terminates the connection. The default is 3, so with an interval of 300 an unresponsive client is dropped after about 15 minutes.

Two caveats a practitioner should know. First, the value 0 above is version-dependent: before OpenSSH 8.2 it dropped the connection as soon as the first interval passed without traffic, which is why it was used as an idle timeout; since 8.2 a zero ClientAliveCountMax disables connection termination entirely, so on current systems this exact setting makes sessions never time out. Use ClientAliveCountMax 1 (or the default 3) instead. Second, a working ssh client answers the alive request automatically whatever the user is doing, so with any count of 1 or more the mechanism only catches dead or unreachable clients, not an idle user. To log out someone who has walked away from a live session (the shoulder-surfing case), set the shell's idle timeout instead, for example a read-only "TMOUT=600" exported from /etc/profile.d for bash.

7. Disconnect After Wrong Passwords

When we connect to an SSH server it asks for a password; by default it allows six authentication attempts per connection. That is more than a legitimate user needs, so lower it with the MaxAuthTries directive in the SSH configuration file and restart the service. Note that every public key the client offers also counts as an attempt, so with MaxAuthTries 1 a user whose agent holds several keys gets "Too many authentication failures" before the right key is tried (they can work around it with "ssh -o IdentitiesOnly=yes -i key"). A value of 3 is a common compromise; once failures reach half the value, sshd starts logging the additional ones.

MaxAuthTries 3



8. Disable Spoofable TCPKeepAlive

Disable TCP keepalive messages: they are sent by the TCP layer outside the encrypted channel and can be spoofed, so a keepalive answered by an attacker keeps a dead session alive on the server. Use ClientAliveInterval instead, whose messages travel inside the encrypted channel and cannot be spoofed. If you set "TCPKeepAlive no" while ClientAliveInterval is still at its default of 0, nothing detects dead clients any more and their sessions hang indefinitely, so always pair the two settings.

TCPKeepAlive no
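To check a server against all eight points, here is an added audit script (example code, not from the original article). It reads an sshd_config file the way sshd does: the first occurrence of a keyword wins, keywords are case-insensitive, and anything after the first Match line is conditional, so the global section ends there. Directive names are the real sshd ones; the three sample files and the thresholds (port not 22, MaxAuthTries at most 3) are constructed for the demo. On a live server, "sshd -T" prints the effective configuration and is the authoritative source.

```shell
#!/bin/sh
# Added example, not from the original article: audit an sshd_config file
# against the eight hardening points.  Sample configs are constructed.

# sshd_value FILE KEYWORD -> first global value (rest of the line), empty if unset
sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF < 2   { next }
        tolower($1) == "match" { exit }      # conditional section starts here
        tolower($1) == key     { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; exit }
    ' "$1"
}

# val_or_default FILE KEYWORD DEFAULT -> value in lower case, or sshd's default
val_or_default() {
    v=$(sshd_value "$1" "$2")
    [ -n "$v" ] || v=$3
    printf '%s' "$v" | tr 'A-Z' 'a-z'
}

# audit_sshd_config FILE -> prints one line per failed check, returns the count
audit_sshd_config() {
    cfg=$1; fails=0
    # 1. root login disabled (default since OpenSSH 7.0 is prohibit-password)
    [ "$(val_or_default "$cfg" PermitRootLogin prohibit-password)" = no ] \
        || { echo "FAIL PermitRootLogin should be no"; fails=$((fails + 1)); }
    # 2. non-default port
    [ "$(val_or_default "$cfg" Port 22)" != 22 ] \
        || { echo "FAIL Port is 22"; fails=$((fails + 1)); }
    # 3. an allow list exists (everyone not listed is then denied)
    [ -n "$(sshd_value "$cfg" AllowUsers)$(sshd_value "$cfg" AllowGroups)" ] \
        || { echo "FAIL no AllowUsers/AllowGroups"; fails=$((fails + 1)); }
    # 4. bound to a specific address rather than 0.0.0.0 and ::
    [ -n "$(sshd_value "$cfg" ListenAddress)" ] \
        || { echo "FAIL no ListenAddress, listening on all addresses"; fails=$((fails + 1)); }
    # 5. keys only
    [ "$(val_or_default "$cfg" PasswordAuthentication yes)" = no ] \
        || { echo "FAIL PasswordAuthentication should be no"; fails=$((fails + 1)); }
    # 6. dead-client detection: interval > 0 and count > 0 (0 disables it on OpenSSH >= 8.2)
    interval=$(val_or_default "$cfg" ClientAliveInterval 0)
    count=$(val_or_default "$cfg" ClientAliveCountMax 3)
    { [ "$interval" -gt 0 ] && [ "$count" -gt 0 ]; } 2>/dev/null \
        || { echo "FAIL ClientAliveInterval=$interval CountMax=$count never disconnects"; fails=$((fails + 1)); }
    # 7. few authentication attempts per connection (default is 6)
    [ "$(val_or_default "$cfg" MaxAuthTries 6)" -le 3 ] 2>/dev/null \
        || { echo "FAIL MaxAuthTries should be 3 or less"; fails=$((fails + 1)); }
    # 8. no spoofable TCP keepalives
    [ "$(val_or_default "$cfg" TCPKeepAlive yes)" = no ] \
        || { echo "FAIL TCPKeepAlive should be no"; fails=$((fails + 1)); }
    echo "$fails check(s) failed in $cfg"
    return $fails
}

# write_sample_configs DIR: three constructed files for the demo
write_sample_configs() {
    # stock-style file: everything commented out, so sshd's defaults apply
    cat > "$1/weak.conf" <<'EOF'
#PermitRootLogin prohibit-password
#PasswordAuthentication yes
#Port 22
Subsystem sftp /usr/lib/openssh/sftp-server
EOF
    # all eight points applied; the Match block must not leak into the globals
    cat > "$1/hardened.conf" <<'EOF'
Port 1548
ListenAddress 192.168.1.11
PermitRootLogin no
AllowGroups sshusers
PubkeyAuthentication yes
PasswordAuthentication no
ClientAliveInterval 300
ClientAliveCountMax 3
MaxAuthTries 3
TCPKeepAlive no
Match User backup
    PasswordAuthentication yes
EOF
    # the article's literal "ClientAliveCountMax 0": disables disconnection on current releases
    sed 's/^ClientAliveCountMax 3/ClientAliveCountMax 0/' "$1/hardened.conf" > "$1/countmax0.conf"
}

# Stand-alone use: sh this_script.sh /etc/ssh/sshd_config, or no argument for the samples
if [ -n "$1" ]; then
    audit_sshd_config "$1" || :
else
    d=$(mktemp -d); write_sample_configs "$d"
    for f in weak hardened countmax0; do audit_sshd_config "$d/$f.conf" || :; echo; done
    rm -rf "$d"
fi
```

The weak sample fails all eight checks, the hardened one passes, and the copy with ClientAliveCountMax 0 fails only check 6, which is the version trap described in section 6.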