5 Best Practices to Secure and Protect SSH Server

Ravi Saive

19 Responses

  1. Gonzalo says:

    This looks like the author lives in 1999!

  2. jiten chadva says:

    If CSF is running then no need of any, but I recommend you to disable root login.

  3. Mohsin Khan says:

    One must disable SSH root access to save the server from basic hacking attempts.

  4. Akhilesh says:

    Hi Ravi – The site looks really fabulous as it answers almost all Linux queries, a very great job, special thanks to you and the team of yours.

    I am a new member who registered just 30 mins ago. I love Linux.

  5. Harry says:

    Adding Google’s “Google Authenticator” PAM module is a real bonus IMHO – you can use their free smartphone app to prompt for a one-time passcode in addition to your password if you attempt to log in without an RSA/DSA key – very useful if you’re connecting via an untrusted machine.

  6. Gerhard says:

    Displaying an SSH banner is unforgivably annoying and interferes with scp even in quiet mode forcing script writers to redirect the output of scp to /dev/null and therefore losing possible error reports that could otherwise have been sent to root.

  7. Mark B. says:

    Another good security tip is to run sshd on a non-standard port. See the “Port” option in /etc/sshdconfig. This will vastly cut down on login attempts by crackers.

    • Fiisch says:

      This is hardly any improvement. It will help you to get rid of script kiddies. If someone does a portscan on the machine, it is the same as if you were running it on 22. Also this setting can confuse those who use ssh on a daily basis.
      Besides, script kiddies can do portscans too.

      • Mark B. says:

        From my own experience, using a non-default port for ssh completely eliminated login attempts by crackers. Works for me.

        • Fiisch says:

          I don’t doubt that changing the default port can reduce the number of tries, but completely eliminating attempts seems too strange to me.
          My point was, if someone targets your server and tries a little bit more than a quick blind attempt, it doesn’t really matter which port you are running ssh on.

          • Mark B. says:

            That’s true, but every bit helps. A long time ago I had already done the items listed in this article to secure my ssh server.

  8. Jacob says:

    Is it necessary to use any of these when CSF firewall is running?
