How to Secure SSH

Overview

This document lists several helpful changes that you can make to your server to improve SSH security. It is essential that you restrict and properly configure Secure Shell (SSH) access in order to secure your server.

Be careful with whom you grant SSH access

If a user does not need SSH access, do not grant them access. To remove a user’s SSH access, use WHM’s Manage Shell Access interface (Home >> Account Functions >> Manage Shell Access).

If a user needs SSH access but does not need access to files outside of their home directory, allow them to use a jailed shell environment.

Set an SSH Legal Message

The system can display an SSH legal message (message of the day, or motd) whenever someone logs in to your server through SSH. The /etc/motd file contains this message.

To set a legal message, use your preferred text editor to edit the file and save your changes. For example, one of our technical analysts uses the following message:

ALERT! You are entering a secured area! Your IP and login information
have been recorded. System administration has been notified.

This system is restricted to authorized access only. All activities on
this system are recorded and logged. Unauthorized access will be fully
investigated and reported to the appropriate law enforcement agencies.

Use SSH Keys

You can disable password authentication for SSH on your server, which will force users to log in through SSH with keys instead of passwords.

To do this, perform the following:

  1. Use WHM’s Manage root’s SSH Keys interface (Home >> Security Center >> Manage root’s SSH Keys) to generate and download a key for the root user.
  2. Use WHM’s SSH Password Authorization Tweak interface (Home >> Security Center >> SSH Password Authorization Tweak) to disable password authentication for SSH.

Strengthen SSH security

The /etc/ssh/sshd_config file contains your server’s configuration settings for SSH.

We recommend that you change the following settings:

  • Port — The port number on which the sshd daemon listens for connections. The highest acceptable value is 49151.

    Tip:

    We recommend that you use a port in the range 1–1023 that is not currently in use by another service. Ports 1–1023 are known as privileged ports, because only root can bind to them. Ports 1024 and above are known as unprivileged ports, and anyone can use them.

  • Protocol — The SSH protocol that your server uses. We recommend that you change this value to 2.
  • ListenAddress — The sshd daemon listens for connections on this IP address. Your server must own this IP address. We strongly recommend that you do not use your main shared IP address for this value. You can create a custom DNS entry specifically for the new SSH IP address. To do so, you will need to create the zone file (for example, ssh.example.com) and add an A entry to the zone file for the new nameserver entry.
  • PermitRootLogin — This option specifies whether you wish to allow people to directly log in to SSH as the root user. We strongly recommend that you set this value to no.

Edit the sshd_config file

To make changes to the /etc/ssh/sshd_config file in order to tighten your server’s security, perform the following steps:

Note:

For CentOS 7, CloudLinux 7, and RHEL 7 firewall management, we recommend you manage your server’s firewall with the /etc/firewalld/services/cpanel.xml file.

  1. Log in to your server as the root user via SSH.
    • If your server does not allow direct root logins to SSH, log in as your wheel user and use the su command to become the root user. For example:
      user@example.com [~]# su -
      Password: 
      root@host [~]#
  2. Back up the sshd_config file with the following command:
    cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak`date +%F`
  3. Open the /etc/ssh/sshd_config file with a text editor.
  4. To change a parameter in the sshd_config file, uncomment the line that contains the parameter. To do this, remove the number-sign character (#) and change the value for the line.

    Important:

     If you change the default SSH port, you must update your server’s firewall configuration to allow the new port.

    • For example, the default SSH port appears in a line similar to the following example:
      #Port 22

      To change the SSH port to 456, edit that line to resemble the following example:

      Port 456

After you configure SSH, run the /scripts/restart_sshd script or the service sshd restart command to restart the SSH daemon.

After you restart SSH, log out of your server and log in again using the user, IP address, and port number that you specified in the sshd_config file.
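The steps above (back up the file, uncomment the parameter, set the value) and the settings recommended under "Strengthen SSH security" can be applied together with a short POSIX shell script. This is an added example, not code from the article or from cPanel; it operates on a constructed sample file rather than the live /etc/ssh/sshd_config, and the port, IP address and file paths are assumed values.

```shell
#!/bin/sh
# Added example (not from the article): apply the sshd_config changes the
# article recommends. Works on a file path you pass in, so nothing here
# touches the live /etc/ssh/sshd_config unless you point it there.

# set_sshd_option FILE KEY VALUE
#   Replaces every "KEY ..." or "#KEY ..." line with "KEY VALUE" (step 4:
#   uncomment and change the value); appends the line if KEY is absent.
set_sshd_option() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|$)" "$file"; then
        sed -i -E "s|^[[:space:]]*#?[[:space:]]*$key([[:space:]].*)?$|$key $value|" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# get_sshd_option FILE KEY
#   Prints the first uncommented value of KEY (commented lines start with
#   "#KEY", so they never match the bare keyword).
get_sshd_option() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# harden_sshd_config FILE PORT LISTEN_IP
#   Step 2 (backup, same naming as the article) followed by the article's
#   recommended settings plus key-only authentication.
harden_sshd_config() {
    file=$1; port=$2; ip=$3
    cp "$file" "$file.bak$(date +%F)"
    set_sshd_option "$file" Port "$port"
    set_sshd_option "$file" Protocol 2
    set_sshd_option "$file" ListenAddress "$ip"
    set_sshd_option "$file" PermitRootLogin no
    set_sshd_option "$file" PasswordAuthentication no
}

# Constructed sample config resembling the default commented-out lines.
sample_config() {
    f=$(mktemp)
    printf '%s\n' '#Port 22' '#Protocol 2' '#ListenAddress 0.0.0.0' \
        'PermitRootLogin yes' > "$f"
    echo "$f"
}

# Demo run on the sample (port 456 as in the article, assumed IP address).
cfg=$(sample_config)
harden_sshd_config "$cfg" 456 203.0.113.10
cat "$cfg"
```

Before restarting the daemon on a real server, run sshd -t -f /etc/ssh/sshd_config so that sshd itself parses the edited file; a syntax error caught there is far cheaper than a failed restart that locks you out, and remember to open the new port in the firewall first.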

Warning:

If you accidentally misconfigure your SSH configuration file, navigate to the following link in your web browser (where example.com represents the server’s hostname or main IP address):

https://example.com:2087/scripts2/doautofixer?autofix=safesshrestart

This script will attempt to temporarily configure an additional SSH configuration file for port 22, which allows you to access, edit, and fix the original SSH configuration file. If port 22 is already in use, the script will configure an additional SSH configuration file for port 23 instead.
