[How To] Securing SSH Connection

[How To] Securing SSH Connection

This how to helps you to create secure connection via ssh between your unix and linux systems. All examples written for RedHat based systems. Also we assume that you already have installed openssh server and running, if not do this steps:

Configuration files

SSH configuration file


Access control tcpwrapper configuration files


denyhosts configuration file


Install open-ssh server

Installing (Fedora)

yum install openssh-server


/etc/init.d/sshd start

Securing SSH

  1. Choose a strong password

    Don’t make it easy for hackers to guess your password.

    You can use password generator to generate strong passwords

  2. Install “DenyHosts” to auto-block bad clients

    Installing the “denyhosts” server which watches the /var/log/secure logfile for invalid ssh login attempts, and if a configurable threshold is crossed, they are automatically blocked by being added to /etc/hosts.deny. Install denyhosts, and optionally edit the good default configuration in /etc/denyhosts.conf:

    You can install denyhosts by this steps

    yum install denyhosts
    chkconfig denyhosts on
    /etc/init.d/denyhosts start
  3. Change the default port

    Most cracking attempts on your ssh server come from automated scripts that use port 22. For changing default 22 port edit /etc/ssh/sshd_config file

    vim /etc/ssh/sshd_config

    and change the line which reads “Port 22” to any other unused port (ex. 2223).

    #Port 22
    Port 2223
  4. Disable Protocol 1 which is insecure and allow Protocol 2

    #Protocol 2,1
    Protocol 2
  5. Disable root login

    #PermitRootLogin yes
    PermitRootLogin no
  6. Allow only specific users to login

    For example, to allow only the users “john”, “Jack” and users atarting “ge” to login, add the this line to sshd_config:

    AllowUsers john jack ge*
  7. Allow only specific IP addresses to connect

    Allow only users from certain IP addresses to connect. Before allowing specific IPs, the default policy must first be set to DENY to be effective. edit /etc/hosts.deny and add the following line:

    sshd: ALL

    Add to /etc/hosts.allow the network you want to allow. For example, add the following to /etc/hosts.allow:

  8. Allow only users with keys to connect; no passwords allowed

    in sshd_config change

    PasswordAuthentication no

    Bind the ssh server to a specific network interface – Edit sshd_config:


  9. Reduce the number of attempts to enter the password.

    in sshd_config change


Leave a Reply

Your email address will not be published. Required fields are marked *