TOP

Simple Ways to Secure the SSH Port on your VPS

One of the most important things to do once your VPS has been created is to secure the standard SSH port.

Since SSH is the main method to communicate with any VPS it is the first target for any non-authorized person trying to gain access.

There are a few different ways to add more security to this vulnerable port. You can choose to do one of the following or all of the following depending on your needs.

Change the common port 22

This is the easiest and quickest starting point. Since the default port is 22, most hackers will scan to see if this port is open to start an attack. Changing it to a non-standard port will make it harder to identify where the SSH service is running.

Steps: Login to your VPS through SSH and type the following as root:

vi /etc/ssh/sshd_config

Scroll until you see:

#Port 22
#Protocol 2,1
Protocol 2
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

Press “i” to enter insert mode in vi and then move to the line that says #port 22. Remove the “#” and specify a different port (example: 22122, 3355 etc…) Make it random but within the acceptible tcp range.

Once this is done, press “escape” then colon (:) and then “x”. Hit enter and this will save your changes.

At the command prompt type (On CentOS):

service sshd restart

On other OS’s you may need to type: /etc/init.d/sshd restart

At this point you may loose connectivity because you changed the port! If you didn’t you will need to exit the current session and reconnect to your server using the new port that you specified.

(Optional) at this point, if your VPS has more than one IP address assigned to it, you can specify only one by changing the “ListenAddress 0.0.0.0” to one of your IP addresses. This way, you can only access SSH through the one interface.

Disable root login through SSH

Using the same methods in step 1 edit /etc/ssh/sshd_config and scroll until you see

#PermitRootLogin yes

Remove the “#” symbol and change the “yes” to “no”, save the file and restart sshd service.

Next time you try to login as root it will deny you.

Note: SSH will still allow you to try and login as root if you specify “root” as the username. It will reject the login even though you specify the right password.

IP Restriction

This step may not appeal to the users who are on Dynamic IP addresses. But it is a very effective way to secure the SSH port even more.

IP restriction will reject a user trying to login from a non specified source IP address. This will allow you to control which hosts will have access and which do not.

If you have many users using your VPS who require SSH access, this is not a good idea as you will block their traffic when implementing this method.

In order to specify the incoming IP address you can use the “/etc/hosts.allow” and “/etc/hosts.deny” files.

Edit “/etc/hosts.deny” and add a line with the following:

sshd:*

This will deny all traffic. Once this is completed you will allow your IP address.

Edit “/etc/hosts.allow” and add a line with your ip address:

sshd: <your ip> (Example: sshd:192.168.1.1)

Note: The allow file will get processed first. So if an ip address matches in the allow file first, traffic will be allowed even if it is specified in the deny file.

Once this is completed the only host that will be able to SSH to your VPS will be the one specified in your hosts.allow file.

5 comments. Leave a Reply

  1. You forgot cert-only authorisation.

  2. t

    I’d highly recommend using DenyHosts as well. Cuts off all access after x many failed login attempts.

  3. AllowUsers is also a good config option to use in your sshd_config

Leave a Reply

Your email is never published nor shared.

You may use these HTML tags and attributes:<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>