Essential Linux Server Hardening: Disable Root SSH, Change Port, and More

Hackers often rely on brute‑force scanning to find unprotected hosts, install backdoors, and sell access, so basic security measures can greatly reduce the risk.

Disable root remote login

Root is the most attractive target; prohibit SSH login for root by editing /etc/ssh/sshd_config and adding: PermitRootLogin no Create a regular admin account and add it to the sudoers group (typically %admin).

sudo adduser example_user</code>
<code>sudo usermod -a -G admin example_user

Change the default SSH port

The default port 22 is a common scan target. Edit /etc/ssh/sshd_config and set a non‑standard port (e.g., 8822):

Port 8822  # default 22

Use SCP instead of FTP

FTP lacks security; using encrypted SCP leverages the existing SSH service, requiring no extra server configuration—just adjust account permissions. Windows users can connect with WinSCP ( http://winscp.net ).

Install denyhosts

Denyhosts automatically parses security logs and blocks suspicious brute‑force attempts. Debian users can install it with: sudo apt-get install denyhosts Official site: http://denyhosts.sourceforge.net/

Control directory and file permissions, use groups wisely

Instead of loosening file permissions for services like Munin, add the service user to the appropriate group (e.g., www-data).

sudo usermod -a -G www-data munin

Use dedicated accounts for system programs

Avoid running services as root; create separate accounts and switch users with sudo -u when needed (e.g., for MySQL, Munin).

Download PuTTY from the official site

PuTTY is a popular Windows SSH client; always obtain it from the official website and verify its integrity: http://www.chiark.greenend.org.uk/~sgtatham/putty/

Afterword

These steps should help improve the security of your website.

Additional note

Some Chinese versions of PuTTY and WinSCP were reported to contain backdoors; always download software directly from the official sites and use a reliable search engine like Google.