Hardening OpenSSH: Essential Steps to Secure Your SSH Server
This guide walks you through securing OpenSSH on Linux/Unix systems by configuring key‑based authentication, disabling root and password logins, restricting users, tightening firewall rules, applying rate limits, and using additional tools to protect against brute‑force attacks, all with concrete command examples.
OpenSSH is an implementation of the SSH protocol used for remote login, backup, and file transfer. It guarantees confidentiality and integrity of data between systems, with its greatest advantage being public‑key authentication for server verification.
OpenSSH Default Settings
TCP port – 22
Configuration file – sshd_config (located in /etc/ssh/)
1. Public‑key login
OpenSSH supports many authentication methods; using public‑key authentication is recommended. First, generate a key pair on the local machine:
ssh-keygen -t ed25519 -C "Login to production cluster at xyz corp"
Example for RSA (4096‑bit) with a comment:
ssh-keygen -t rsa -b 4096 -C "AWS key for abc corp clients"
Install the public key on the remote host:
ssh-copy-id user@host
Verify that the key works by connecting without a password.
2. Disable root login
Before disabling root login, ensure a regular user can obtain root privileges via sudo. For Debian/Ubuntu:
sudo adduser vivek
Verify the group membership:
id vivek
For CentOS/RHEL/Fedora, add the user to the wheel group:
sudo usermod -aG wheel vivek
Test sudo access and then add the following to sshd_config to disable root login:
PermitRootLogin no
3. Disable password authentication
Allow only public‑key authentication by adding:
AuthenticationMethods publickey
PubkeyAuthentication yes
For older CentOS 6.x/RHEL 6.x, the same PubkeyAuthentication yes directive applies.
4. Restrict SSH access to specific users
Limit SSH login to selected accounts (e.g., root, vivek, jerry) by adding:
AllowUsers vivek jerry
Or deny specific users:
DenyUsers root saroj anjali foo
5. Disable empty passwords
Prevent logins with empty passwords:
PermitEmptyPasswords no
6. Enforce strong passphrases for keys
Use a random password generator (place in ~/.bashrc) to create strong passphrases:
# bash function for ~/.bashrc: prints a random passphrase of $1 characters (default 20)
genpasswd() {
    local l=$1
    [[ -z "$l" ]] && l=20
    tr -dc A-Za-z0-9_ </dev/urandom | head -c "$l"
}
# Example usage: genpasswd 16
Sample output:
uw8CnDVMwC6vOKgW
7. Configure firewall for port 22
Use iptables, ufw, or pf to restrict access to the SSH port.
Netfilter (iptables) example – allow only from 192.168.1.0/24 and 202.54.1.5/29:
-A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 22 -j ACCEPT
-A INPUT -s 202.54.1.5/29 -m state --state NEW -p tcp --dport 22 -j ACCEPT
UFW example (Debian/Ubuntu):
sudo ufw allow from 202.54.1.5/29 to any port 22
PF example (*BSD):
pass in on $ext_if proto tcp from {192.168.1.0/24, 202.54.1.5/29} to $sshd_server_ip port ssh flags S/SA keep state
8. Change SSH port and bind IP
Modify sshd_config to bind a non‑standard port and specific IPs:
Port 300
ListenAddress 192.168.1.5
ListenAddress 202.54.1.5
9. Use TCP wrappers (optional)
Add allowed hosts to /etc/hosts.allow:
sshd: 192.168.1.2 172.16.23.12
10. Mitigate brute‑force attacks
Deploy tools such as DenyHosts, Fail2ban, sshguard, security/sshblock, or IPQ BDB filter to block repeated failed login attempts.
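The counting that these tools automate fits in a few lines of shell. The script below is an added example, not code from the original article or from any of the tools named above: it scans auth.log-style lines for sshd "Failed password" events, counts them per source address, and prints the iptables rules an operator could review instead of applying anything. The log lines, the addresses (taken from the RFC 5737 documentation ranges) and the threshold are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original article: the per-source counting
# behind tools like Fail2ban, written as a dry run. Nothing here changes the
# firewall; the proposed rules are only printed for review.

# Constructed sample log (RFC 5737 documentation addresses, not real hosts).
SAMPLE_AUTH_LOG=$(mktemp)
cat > "$SAMPLE_AUTH_LOG" <<'EOF'
Mar  3 10:15:01 web1 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:15:03 web1 sshd[2231]: Failed password for root from 203.0.113.7 port 51236 ssh2
Mar  3 10:15:05 web1 sshd[2240]: Accepted publickey for vivek from 192.0.2.10 port 40022 ssh2
Mar  3 10:15:09 web1 sshd[2251]: Failed password for vivek from 198.51.100.4 port 33001 ssh2
Mar  3 10:15:10 web1 sshd[2252]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar  3 10:15:12 web1 sshd[2253]: Invalid user oracle from 203.0.113.7 port 51244
Mar  3 10:15:14 web1 sshd[2255]: Failed password for root from 203.0.113.7 port 51250 ssh2
EOF

# failed_logins_by_ip LOGFILE THRESHOLD
# Prints "COUNT IP" for every source with at least THRESHOLD failed password
# attempts, highest count first. Only sshd "Failed password" lines count, and
# the address is the token sitting between "from" and "port", which is where
# sshd places it regardless of what the attempted user name looks like.
failed_logins_by_ip() {
    awk -v min="$2" '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i < NF; i++) {
                if ($i == "from" && $(i + 2) == "port") { fails[$(i + 1)]++; break }
            }
        }
        END { for (ip in fails) if (fails[ip] >= min) print fails[ip], ip }
    ' "$1" | sort -rn
}

# suggest_block_rules LOGFILE THRESHOLD
# Turns the offenders into iptables commands for review (printed, not run).
suggest_block_rules() {
    failed_logins_by_ip "$1" "$2" | while read -r count ip; do
        echo "iptables -I INPUT -s $ip -p tcp --dport 22 -j DROP  # $count failures"
    done
}

echo "Sources with 3 or more failed logins:"
failed_logins_by_ip "$SAMPLE_AUTH_LOG" 3
echo "Proposed rules for review:"
suggest_block_rules "$SAMPLE_AUTH_LOG" 3
```

With the sample log and a threshold of 3, only 203.0.113.7 (four failures) is reported; 198.51.100.4 with a single failure is not. The real tools add what this dry run leaves out: a time window, automatic expiry of bans, and a whitelist so an administrator's own address is never locked out.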
11. Rate‑limit inbound connections on port 22 (optional)
Netfilter example to limit 5 new connections per minute:
-A INPUT -p tcp --dport 22 -m state --state NEW -m limit --limit 5/minute --limit-burst 5 -j ACCEPT
PF example limiting each client to 20 connections, max 15 attempts in 5 seconds:
table <abusive_ips> persist
block in quick from <abusive_ips>
pass in on $ext_if proto tcp to $sshd_server_ip port ssh flags S/SA keep state (max-src-conn 20, max-src-conn-rate 15/5, overload <abusive_ips> flush)
12. Port knocking (optional)
Example using iptables to create a multi‑stage knock sequence (ports 3456 → 2345 → 1234):
# stage1: a hit on port 3456 records the source in the "knock2" list
-N stage1
-A stage1 -m recent --remove --name knock
-A stage1 -p tcp --dport 3456 -m recent --set --name knock2
# stage2: a hit on port 2345 records the source in the "heaven" list
-N stage2
-A stage2 -p tcp --dport 2345 -m recent --set --name heaven
# port 22 is accepted only from sources seen in "knock2" within the last 5 seconds
-A INPUT -p tcp --dport 22 -m recent --rcheck --seconds 5 --name knock2 -j ACCEPT
13. Configure idle timeout
Set the following in sshd_config to disconnect idle sessions after 5 minutes:
ClientAliveInterval 300
ClientAliveCountMax 0
14. Display a banner
Specify a banner file to show a warning message before login:
Banner /etc/issue
Example /etc/issue image is shown below:
15. Disable .rhosts files
IgnoreRhosts yes
16. Disable host‑based authentication
HostbasedAuthentication no
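The directives from sections 2, 3, 5, 13, 15 and 16 are easy to set and easy to get wrong: a commented-out line, a later duplicate that sshd silently ignores, or a value that only lives inside a Match block. The script below is an added example that is not part of the original article. It audits an sshd_config file for those directives with awk, following sshd's first-occurrence-wins rule; the sample configuration and its deliberate mistakes are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original article: a static audit of an
# sshd_config file against the directives recommended in sections 2, 3, 5,
# 13, 15 and 16. It parses the file with awk (no running sshd needed),
# skips comments and Match blocks, applies OpenSSH's first-occurrence-wins
# rule, and reports directives that are missing or set to another value.

# Directive/value pairs this audit expects, one per line.
SSHD_EXPECTED='PermitRootLogin no
PubkeyAuthentication yes
PermitEmptyPasswords no
ClientAliveInterval 300
ClientAliveCountMax 0
IgnoreRhosts yes
HostbasedAuthentication no'

# Constructed sample config with deliberate problems: root login enabled,
# ClientAliveCountMax unset, and a later duplicate that sshd would ignore.
SAMPLE_SSHD_CONFIG=$(mktemp)
cat > "$SAMPLE_SSHD_CONFIG" <<'EOF'
# constructed sample, not a real server's configuration
Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
ClientAliveInterval 300
IgnoreRhosts yes
HostbasedAuthentication no
# the duplicate below is ignored by sshd: the first occurrence wins
HostbasedAuthentication yes
Match User backup
    PermitRootLogin no
EOF

# sshd_effective_value FILE DIRECTIVE
# Prints the global value sshd would use for DIRECTIVE, or nothing if unset.
# Keywords are case-insensitive; settings inside Match blocks are conditional
# and therefore not treated as the global value.
sshd_effective_value() {
    awk -v want="$2" '
        /^[[:space:]]*#/ { next }
        NF == 0 { next }
        tolower($1) == "match" { in_match = 1 }
        in_match { next }
        tolower($1) == tolower(want) { print $2; exit }
    ' "$1"
}

# audit_sshd_config FILE
# Prints one OK / BAD / MISSING line per expected directive.
audit_sshd_config() {
    printf '%s\n' "$SSHD_EXPECTED" | while read -r directive expected; do
        actual=$(sshd_effective_value "$1" "$directive")
        if [ -z "$actual" ]; then
            echo "MISSING $directive (want $expected; compiled-in default applies)"
        elif [ "$actual" != "$expected" ]; then
            echo "BAD     $directive=$actual (want $expected)"
        else
            echo "OK      $directive=$actual"
        fi
    done
}

# sshd_config_failure_count FILE
# Prints how many expected directives are missing or wrong (0 means clean).
sshd_config_failure_count() {
    audit_sshd_config "$1" | grep -c -E '^(MISSING|BAD)' || true
}

audit_sshd_config "$SAMPLE_SSHD_CONFIG"
echo "failures: $(sshd_config_failure_count "$SAMPLE_SSHD_CONFIG")"
```

Run against the sample, the audit flags PermitRootLogin=yes as BAD and ClientAliveCountMax as MISSING (two failures) while accepting HostbasedAuthentication=no, because the later "yes" duplicate is never reached. A static parse cannot see Include files or compiled-in defaults, so the authoritative view on a real host remains sudo sshd -T, described at the end of this article.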
17. Keep OpenSSH and the OS patched
Use package managers such as yum, apt-get, or freebsd-update to apply security updates regularly.
18. Chroot OpenSSH users
From OpenSSH 4.8p1/4.9p1 onward, you can lock users to their home directories with the ChrootDirectory directive.
19. Disable the OpenSSH server on workstations
On CentOS/RHEL/Fedora:
sudo yum erase openssh-server
On Debian/Ubuntu:
sudo apt-get remove openssh-server
Restart or reload the firewall after removing SSH rules.
20. Additional tips from Mozilla
For OpenSSH 6.7+ you can enforce stronger ciphers, MACs, key exchange algorithms, and key types. List supported algorithms with:
ssh -Q cipher
ssh -Q mac
ssh -Q kex
ssh -Q key
How to test sshd_config and restart/reload the SSH service
Check configuration syntax:
sudo sshd -t
Dump the effective configuration (extended test mode):
sudo sshd -T
Restart the service (examples for different distributions):
sudo systemctl start ssh            # Debian/Ubuntu
sudo systemctl restart sshd.service # CentOS/RHEL/Fedora
doas /etc/rc.d/sshd restart         # OpenBSD
sudo service sshd restart           # FreeBSD
Other recommendations
Enable two‑factor authentication (e.g., OATH Toolkit or DuoSecurity).
Use a key‑chain script to manage keys securely.
About the author
The author is the founder of nixCraft, an experienced system administrator and Linux/Unix scripting trainer who has worked with global clients across IT, education, defense, space research, and non‑profit sectors. Follow him on Twitter, Facebook, and Google+.
English: Vivek Gite, Translation: Linux China/shipsw linux.cn/article-9394-1.html
