This article describes how to change the default sshd settings to restrict and secure sshd and protect your server from intrusion. Every time you change the sshd configuration file you need to restart sshd; restarting does not close your current connection. Keep a separate terminal logged on as root while you work, so that a mistake in the configuration does not lock you out and you can still correct it with root privileges.
Change the ssh default port number
First, we recommend that you change the default sshd port 22 to a port number larger than 1024. Most port scanners only scan ports below 1024 by default. Open the sshd configuration file /etc/ssh/sshd_config and find the line that sets the listening port:
and change it to port 10000 (the port used in the login command below):
Restart sshd now:
/etc/init.d/ssh restart
From now on, you need to use port 10000 to log on to the server:
ssh -p 10000 name@myserver.local
Only allow specified host connection
In this step the client's IP address is used to restrict who may connect to the server through ssh. Edit the /etc/hosts.allow file and add the following code:
X stands for the IP addresses allowed to log on to sshd. If multiple IP addresses are allowed, separate them with spaces.
Now edit the /etc/hosts.deny file to reject all other hosts:
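The following script is an added example and not part of the original article. It builds the sshd rules for hosts.allow and hosts.deny from a list of client IPv4 addresses, refuses malformed addresses and an empty allow list (which would lock everyone out once the deny rule is in place), and includes a small check that models the hosts_access(5) evaluation order so you can confirm which addresses the two files admit. The output paths are parameters, so you can rehearse on scratch files before writing /etc/hosts.allow and /etc/hosts.deny; the addresses in the demo are constructed documentation-range values.

```shell
#!/bin/sh
# Added example (not from the original article): generate TCP-wrapper rules
# for sshd. The wrapper daemon name for OpenSSH is "sshd".

# is_ipv4 ADDR -> succeeds if ADDR is four dotted decimal octets in 0-255
is_ipv4() {
  case $1 in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  # split on dots inside a subshell so the caller's IFS is left untouched
  ( IFS=.; set -- $1; [ $# -eq 4 ] || exit 1
    for octet in "$@"; do [ "$octet" -le 255 ] || exit 1; done )
}

# write_sshd_wrappers ALLOW_FILE DENY_FILE IP...
# Writes "sshd: IP IP ..." to ALLOW_FILE and "sshd: ALL" to DENY_FILE.
write_sshd_wrappers() {
  allow=$1; deny=$2; shift 2
  if [ $# -eq 0 ]; then
    echo "no client IPs given; refusing to write an empty allow list" >&2
    return 1
  fi
  for ip in "$@"; do
    is_ipv4 "$ip" || { echo "invalid IPv4 address: $ip" >&2; return 1; }
  done
  printf 'sshd: %s\n' "$*" > "$allow" || return 1
  printf 'sshd: ALL\n' > "$deny"
}

# sshd_allowed_from ALLOW_FILE DENY_FILE IP -> succeeds if the wrappers would
# admit IP to sshd. Simplified model of hosts_access(5): the allow file is
# consulted first, then the deny file, and no matching rule means access.
sshd_allowed_from() {
  allow=$1; deny=$2; ip=$3
  if grep -s '^sshd:' "$allow" | grep -qFw -- "$ip"; then
    return 0
  fi
  if grep -qs '^sshd:[[:space:]]*ALL' "$deny"; then
    return 1
  fi
  return 0
}

# Demo on scratch files (constructed addresses from the 192.0.2.0/24 range)
scratch=$(mktemp -d)
write_sshd_wrappers "$scratch/hosts.allow" "$scratch/hosts.deny" 192.0.2.10 192.0.2.11
cat "$scratch/hosts.allow" "$scratch/hosts.deny"
rm -rf "$scratch"
```

Two caveats worth knowing before relying on this. The `-w` match in sshd_allowed_from treats 192.0.2.1 and 192.0.2.10 as distinct entries, but the real wrapper library also understands network/mask and domain patterns that this check does not model. More importantly, upstream OpenSSH removed tcp_wrappers (libwrap) support in version 6.7, so on a distribution whose sshd is not built with libwrap these files have no effect on sshd at all; there, put the same restriction in the host firewall or in a `Match Address` block in sshd_config.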
Only the specified user is allowed to log on
Not every user needs to connect to the server through ssh. Allowing only specified users to connect through ssh improves security. For example, to allow only foobar to connect through ssh, edit /etc/ssh/sshd_config and add the following code:
To add multiple users, separate them with spaces.
Deny root ssh logon
In general it is wise not to allow the root user to connect to the server through ssh. Edit the /etc/ssh/sshd_config file and add the following code:
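The three sshd_config edits described in this article (the port change, the AllowUsers restriction and the root-login ban) all come down to setting a directive so that it takes effect exactly once. The script below is an added example, not code from the article, that does this idempotently on a file passed as an argument, so you can rehearse on a copy before touching /etc/ssh/sshd_config. It handles the cases a hand edit tends to get wrong: sshd honours the first occurrence of a directive, so an active `Port 22` earlier in the file must be rewritten rather than a new line appended at the end; a commented-out default such as `#Port 22` is replaced in place so the file keeps its layout; and a directive that is absent is appended. The function names, the keyword matching (exact case, as stock configs are written) and the sample config in the demo are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): set sshd_config directives
# idempotently and read back the value sshd would use.

# set_directive FILE NAME VALUE
# Ensures FILE contains exactly one active "NAME VALUE" line:
#  - an existing active line is rewritten and later duplicates removed
#    (sshd uses the first occurrence, so duplicates are silently ignored
#    by sshd but confuse the next person reading the file);
#  - otherwise a commented "#NAME ..." line is replaced in place;
#  - otherwise the line is appended.
set_directive() {
  file=$1 name=$2 value=$3
  tmp=$(mktemp) || return 1
  # the file is read twice: pass 1 locates candidate lines, pass 2 rewrites
  awk -v name="$name" -v value="$value" '
    BEGIN { active = "^[ \t]*" name "[ \t]"; commented = "^[ \t]*#[ \t]*" name "[ \t]" }
    NR == FNR {
      if ($0 ~ active && !first_active) first_active = FNR
      if ($0 ~ commented && !first_commented) first_commented = FNR
      next
    }
    FNR == first_active { print name " " value; next }
    first_active && $0 ~ active { next }
    !first_active && FNR == first_commented { print name " " value; next }
    { print }
    END { if (!first_active && !first_commented) print name " " value }
  ' "$file" "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps owner/mode
  status=$?
  rm -f "$tmp"
  return $status
}

# get_directive FILE NAME -> prints the value of the first active occurrence,
# which is the one sshd applies; prints nothing if the directive is not set
get_directive() {
  awk -v name="$2" '
    $0 ~ ("^[ \t]*" name "[ \t]") { sub("^[ \t]*" name "[ \t]+", ""); print; exit }
  ' "$1"
}

# harden_sshd_config FILE PORT USERS
# Applies the three changes from the article: new port, allowed users
# (space separated), and no root login.
harden_sshd_config() {
  set_directive "$1" Port "$2" &&
  set_directive "$1" AllowUsers "$3" &&
  set_directive "$1" PermitRootLogin no
}

# Demo on a constructed file that resembles a stock sshd_config
demo=$(mktemp)
cat > "$demo" <<'EOF'
# constructed sample, not a real server's configuration
#Port 22
#PermitRootLogin prohibit-password
Subsystem sftp /usr/lib/openssh/sftp-server
EOF
harden_sshd_config "$demo" 10000 foobar
cat "$demo"
rm -f "$demo"
```

After editing the real file, `sshd -t -f /etc/ssh/sshd_config` checks the syntax without starting the daemon, which is the moment to catch a mistake while the separate root session recommended at the top of the article is still open; only then restart sshd.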