
SSH Security Checklist

Most of the settings below go in /etc/ssh/sshd_config, edited as root (the TCP wrappers and iptables items go elsewhere, as noted). After editing, check the file with sshd -t, reload sshd, and keep your current session open while you confirm from a second one that you can still log in, so a typo or a wrong port does not lock you out:

Change the port from the default of 22 to something else (29011 in this example). Opportunistic scanners probe a list of common ports rather than all 65535, so a moved sshd collects far less brute-force noise, but a full port scan or an internet-wide scanning service still finds it in seconds. Treat this as noise reduction, not a security control, and use the new port in every firewall rule below:


Port 29011

Allow only certain networks or IP addresses to connect with TCP wrappers, by editing /etc/hosts.deny and /etc/hosts.allow. hosts.allow is consulted first, and the first matching line wins. Caveat before relying on this: upstream OpenSSH dropped TCP wrappers (libwrap) support in 6.7, so on a current distribution sshd usually ignores both files. Run ldd on the sshd binary and look for libwrap; if it is not there, use source-restricted AllowUsers patterns (user@1.2.3.*) in sshd_config or the iptables rules below instead.

This is in /etc/hosts.deny


sshd: ALL

This is in /etc/hosts.allow, allowing all of 1.2.3.* and the single host 1.2.4.5. A pattern that ends in a dot matches every address that begins with it; without that trailing dot the entry is taken as an exact host and matches nothing useful:


sshd: 1.2.3. 1.2.4.5

Everyone else besides the sources defined above is refused before any key exchange, and their client prints (newer clients say kex_exchange_identification instead):


ssh_exchange_identification: Connection closed by remote host

In addition to TCP wrappers, use iptables to allow only certain sources, from the shell. The rules below append to INPUT: the first accepts new connections from 1.2.4.5 (repeat it per allowed source, or use a CIDR such as 1.2.3.0/24), the second drops every other new connection. Matching only NEW connections in the drop rule matters: a blanket drop on the port would also catch the return packets of a session you just accepted unless an ESTABLISHED,RELATED rule sits above it. Use your changed port here instead of 22, put these above any rate-limit rule, and remember that rules added this way are lost at reboot unless you save them (iptables-persistent or your distribution's firewall tool):


# iptables -A INPUT -p tcp --dport 22 -m state --state NEW --source 1.2.4.5 -j ACCEPT
# iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j DROP

Force SSH to use protocol 2 only. Protocol 1 is the original 1995 design; it relies on a weak CRC-32 integrity check that allowed packet injection, which is why it is far easier to attack in the middle. OpenSSH 7.0 (2015) disabled protocol 1 by default and 7.6 removed it entirely, so on any current version this line is ignored as a deprecated option; it still matters on old installs:


Protocol 2

Do not allow root login. It still matters: root is the username every brute-force tool tries first, and with it closed over SSH an attacker must first get into a user account and then separately escalate. It also keeps an audit trail of which person became root through su or sudo. If automation really needs root over SSH, prohibit-password permits it with keys only; otherwise:


PermitRootLogin no

Allow only certain users to log in, and pair this with ordinary unprivileged accounts: the listed users own no system files and have no special rights, so an attacker who gets past this barricade still has to escalate, via su or sudo, before doing real damage. sshd processes DenyUsers, then AllowUsers, then DenyGroups, then AllowGroups, and once AllowUsers is set every account not on the list is refused, so include yourself before you reload:


AllowUsers matthew mark luke james

Or, keep allowing everyone and refuse only specific accounts. This does nothing for accounts you did not think to list, so it is the weaker of the two:


DenyUsers joethehacker spongebob

Create a no trespassing sign. A warning banner strengthens your legal position: intrusion laws in many places turn on the intruder having been told that access was unauthorized, so you actually have to tell them. The banner is sent before authentication to anyone who connects, so keep it to the warning and leave out hostnames, software versions and contact details:


# edit the issue.net, then
Banner /etc/issue.net

Use iptables to slow brute-force attacks by limiting how fast new SSH connections are accepted: the rules below let through one new connection per minute and drop the rest. Be precise about what this does. It counts TCP connections, not login attempts, and each accepted connection still gets MaxAuthTries password guesses (default 6). The limit is also global rather than per source, so one attacker hammering the port locks everyone else out; that is the denial-of-service vector to beware of. Put your allow rules for trusted addresses above these, or use a per-source match (the recent or hashlimit modules) instead of a single shared limit:


# iptables -A INPUT -p tcp --syn --dport 22 -m state --state NEW -m limit --limit 1/minute --limit-burst 1 -j ACCEPT
# iptables -A INPUT -p tcp --syn --dport 22 -m state --state NEW -j DROP

Uninstall sshd if you do not want remote logins at all (or stop and disable the service, which keeps the package installed for later):


apt-get remove openssh-server

Drop dead connections after a period of silence (10 minutes in this example). Be clear about what this does: sshd sends a keepalive probe after ClientAliveInterval seconds without client traffic and disconnects after ClientAliveCountMax unanswered probes, so it clears sessions whose client has vanished (crashed laptop, dropped VPN). An idle but connected client answers the probes and stays logged in; for a true idle-session timeout set TMOUT in the login shell's profile. Before OpenSSH 8.2, a ClientAliveCountMax of 0 killed the connection at the first probe regardless of the answer, which made the original setting work as an idle timeout; since 8.2, 0 means never disconnect, so use 1:


ClientAliveInterval 600
# 0 would disable disconnection on OpenSSH 8.2 and later
ClientAliveCountMax 1

Use strong passwords, and where you can, stop depending on them: public-key authentication with PasswordAuthentication no turns online brute forcing into a waste of the attacker's time. Where passwords stay, a reasonable policy:

  • At least 10 characters long (longer is better; length beats complexity)
  • Must contain at least 1 upper case character
  • Must contain at least 1 number
  • Must contain at least 1 lowercase character
  • Must contain at least 1 symbol
  • Must NOT be a dictionary word, even if Chang3d
  • Pattern must not repeat (Aa1!Aa1!)
  • Change it on any suspicion of compromise; scheduled monthly rotation is no longer recommended (NIST SP 800-63B) because it breeds predictable variants
  • Not written down where others can find it; a password manager is fine
  • Should differ from at least the last 5 passwords

Disable empty passwords. Through carelessness or convenience, someone will eventually leave an account with no password, and sshd will happily accept it unless told otherwise. Fix it:


PermitEmptyPasswords no
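
As an added example (not from the original page), here is a hypothetical shell audit function that reads an sshd_config and flags the settings covered above: Port, PermitRootLogin, PermitEmptyPasswords, Protocol, AllowUsers, Banner and the ClientAlive pair. It also shows two sshd parsing rules worth knowing when you check a config by eye: keywords are case-insensitive, and the first occurrence of a keyword wins, so a later "PermitRootLogin yes" in the same file does not override an earlier "no". The two sample configs it runs on are constructed for the example, not real hosts. It complements sshd -t, which only checks syntax.

```sh
#!/bin/sh
# Added example, not code from the original page: a hypothetical audit of an
# sshd_config against this checklist. It mirrors two sshd parsing rules:
# keywords are case-insensitive and the FIRST occurrence of a keyword wins.
# Key=Value is accepted; anything from the first Match block onward is ignored.

# sshd_value FILE KEYWORD : print the effective value of KEYWORD, or nothing
sshd_value() {
    awk -v key="$2" '
        NF == 0 || $1 ~ /^#/ { next }                       # blanks and comments
        { line = $0; gsub(/=/, " ", line); split(line, f) }   # allow Key=Value
        tolower(f[1]) == "match" { exit }                   # stop at first Match block
        tolower(f[1]) == tolower(key) { print f[2]; exit }  # first occurrence wins
    ' "$1"
}

# audit_sshd_config FILE : print one WARN line per weak setting plus a summary;
# exit status 0 when nothing was flagged, 1 otherwise
audit_sshd_config() {
    conf="$1"; findings=0

    # expect FILE KEYWORD WANTED DEFAULT : flag when the effective value (or
    # sshd's built-in DEFAULT if the keyword is absent) is not WANTED
    expect() {
        val=$(sshd_value "$1" "$2"); [ -n "$val" ] || val="$4"
        if [ "$(printf '%s' "$val" | tr '[:upper:]' '[:lower:]')" != "$3" ]; then
            echo "WARN: $2 is '$val', checklist wants '$3'"
            findings=$((findings + 1))
        fi
    }
    expect "$conf" PermitRootLogin      no prohibit-password
    expect "$conf" PermitEmptyPasswords no no
    expect "$conf" Protocol             2  2

    port=$(sshd_value "$conf" Port)
    if [ -z "$port" ] || [ "$port" = 22 ]; then
        echo "WARN: Port is 22 (the default); the checklist moves it"
        findings=$((findings + 1))
    fi
    for key in AllowUsers Banner; do
        if [ -z "$(sshd_value "$conf" "$key")" ]; then
            echo "WARN: $key is not set"
            findings=$((findings + 1))
        fi
    done
    interval=$(sshd_value "$conf" ClientAliveInterval)
    count=$(sshd_value "$conf" ClientAliveCountMax)
    # an interval of 0 never probes; a count of 0 never disconnects (OpenSSH >= 8.2)
    if [ "${interval:-0}" -eq 0 ] || [ "${count:-3}" -eq 0 ]; then
        echo "WARN: ClientAliveInterval/ClientAliveCountMax never drop dead sessions"
        findings=$((findings + 1))
    fi

    echo "$findings finding(s) in $conf"
    [ "$findings" -eq 0 ]
}

# Constructed sample configs (not real hosts): a stock-looking weak one and a
# hardened one that also exercises the parsing rules above.
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
WEAK_CONF="$TMP/weak.conf"; GOOD_CONF="$TMP/good.conf"
cat > "$WEAK_CONF" <<'EOF'
Port 22
PermitRootLogin yes
#PermitEmptyPasswords no
PermitEmptyPasswords yes
ClientAliveInterval 0
EOF
cat > "$GOOD_CONF" <<'EOF'
Port 29011
Protocol 2
# lowercase keyword; the later "PermitRootLogin yes" is ignored by sshd
permitrootlogin no
PermitRootLogin yes
PermitEmptyPasswords=no
AllowUsers matthew mark luke james
Banner /etc/issue.net
ClientAliveInterval 600
ClientAliveCountMax 1
Match User backup
    PermitRootLogin no
EOF

audit_sshd_config "$WEAK_CONF" || echo "(weak config fails the audit, as expected)"
echo
audit_sshd_config "$GOOD_CONF"
```

Run it against /etc/ssh/sshd_config on a real host to see which items are still open; it deliberately stops at the first Match block, because per-user and per-address overrides there need reading in context rather than by keyword.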

Use a tool that bans brute-force sources automatically by watching the auth log (two options shown here). fail2ban inserts firewall rules for offending addresses; DenyHosts writes them to /etc/hosts.deny, which only works while your sshd still honours TCP wrappers (see above), so prefer fail2ban on a current system:

  • http://fail2ban.org
  • apt-get install denyhosts
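
As an added example (not from the page, and not fail2ban's or DenyHosts' own code), here is the core of what such tools do, written as shell functions over constructed auth.log lines: count failed SSH authentication attempts per source address and turn the repeat offenders into firewall rules. Unlike the global rate limit above, this is per source, so one attacker cannot lock everyone else out. The log lines, the threshold and port 29011 are assumptions for the example, and ban_rules prints the rules rather than applying them.

```sh
#!/bin/sh
# Added example, not code from the original page or from fail2ban/DenyHosts.
# Counts failed SSH authentication attempts per source and turns the noisy
# ones into iptables rules. Two sshd messages are counted: "Failed password
# for ..." (password guessing) and "Connection closed by authenticating user
# ..." (a client that gave up during authentication, which is often what
# key-only guessing looks like at the default LogLevel). "Invalid user" lines
# are not counted, because the same attempt also logs a "Failed password".

# ssh_failures_by_source LOGFILE MIN : print "count ip" for every source with
# at least MIN failures, busiest first
ssh_failures_by_source() {
    awk -v min="$2" '
        /Failed password for|Connection closed by authenticating user/ {
            # in both messages the source address is the field before "port"
            for (i = 2; i <= NF; i++) if ($i == "port") { n[$(i-1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= min) print n[ip], ip }
    ' "$1" | sort -rn
}

# ban_rules LOGFILE MIN PORT : print (not run) the iptables rule that would
# block each flagged source on the SSH port. Apply as root only after checking
# the list against your own addresses, so you can never ban yourself.
ban_rules() {
    ssh_failures_by_source "$1" "$2" | while read -r count ip; do
        echo "iptables -I INPUT -s $ip -p tcp --dport $3 -m state --state NEW -j DROP  # $count failures"
    done
}

# Constructed sample log (TEST-NET addresses, not real hosts): one attacker
# with five failures, one legitimate user who mistyped twice, one key login
LOG=$(mktemp); trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
Mar  3 10:15:01 vps sshd[2210]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar  3 10:15:04 vps sshd[2211]: Failed password for root from 203.0.113.5 port 51244 ssh2
Mar  3 10:15:09 vps sshd[2214]: Invalid user admin from 203.0.113.5 port 51250
Mar  3 10:15:09 vps sshd[2214]: Failed password for invalid user admin from 203.0.113.5 port 51250 ssh2
Mar  3 10:15:12 vps sshd[2216]: Connection closed by authenticating user admin 203.0.113.5 port 51301 [preauth]
Mar  3 10:15:15 vps sshd[2218]: Connection closed by authenticating user root 203.0.113.5 port 51305 [preauth]
Mar  3 10:16:40 vps sshd[2230]: Failed password for matthew from 192.0.2.10 port 40022 ssh2
Mar  3 10:16:44 vps sshd[2230]: Failed password for matthew from 192.0.2.10 port 40022 ssh2
Mar  3 10:16:50 vps sshd[2230]: Accepted password for matthew from 192.0.2.10 port 40022 ssh2
Mar  3 10:17:02 vps sshd[2240]: Accepted publickey for mark from 198.51.100.7 port 55000 ssh2: ED25519 SHA256:constructedfingerprint
EOF

ssh_failures_by_source "$LOG" 3
ban_rules "$LOG" 3 29011
```

With a threshold of 3 only 203.0.113.5 is flagged; the legitimate user with two typos is left alone, which is the trade-off a real ban tool tunes with its maxretry and findtime settings.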
