Security to Ssh service

Change SSH listening port

SSH listens for connections on port 22. Attackers use port scanner software to see whether hosts are running an SSH service. It’s wise to change the SSH port to a number higher than 1024 because most port scanners (including nmap) by default don’t scan high ports.

Open the /etc/ssh/sshd_config file and look for the line that says:

Port 22

Change the port number and restart the SSH service:

/etc/init.d/ssh restart

Allow only specific users to log in via SSH

You should not permit root logins via SSH, because this is a big and unnecessary security risk. If an attacker gains root login for your system, he can do more damage than if he gains normal user login. Configure SSH server so that root user is not allowed to log in. Find the line that says:

PermitRootLogin yes

Change yes to no and restart the service. You can then log in with any other defined user and switch to user root if you want to become a superuser.

It is wise to create a dummy local user with absolutely no rights on the system and use that user to login into SSH. That way no harm can be done if the user account is compromised. When creating this user, make sure it’s in the wheel group, so that you can switch to superuser.

If you would like to have a list of users who are the only ones able to log in via SSH, you can specify them in the sshd_config file. For example, let’s say I want to allow users fox1 and fox2 to log in via SSH. At the end of sshd_config file I would add a line like this:

AllowUsers fox1 fox2