How to install, config and secure openssh server

OpenSSH provides end-to-end encrypted replacement of applications such as telnet, rlogin, and ftp. Unlike these legacy applications, OpenSSH never passes anything (including username and password) over the wire in unencrypted form, and provides host authentication, to verify that you really are talking to the system that you think you are and that no one else can take over that session. Currently OpenSSH can be used with OpenBSD, NetBSD, FreeBSD, AIX, HP-UX, IRIX, Linux, NeXT, SCO, SNI/Reliant Unix, Solaris, Digital Unix/Tru64/OSF, Mac OS X, Cygwin.

Install OpenSSH
You will want your system can both receive and make connections via OpenSSH, so you will need to install server and client packages

For Ubuntu, Mint, or Debian based distributions

# apt-get install openssh openssh-server openssh-clients

For Fedora, Centos, or Red Hat based distributions

# yum install openssh openssh-server openssh-clients

Config and Secure OpenSSH

Default openssh config files
/etc/ssh/sshd_config – OpenSSH server configuration file.
/etc/ssh/ssh_config – OpenSSH client configuration file.

Default openssh port
TCP 22

There are a few tweaks and changes before you open up your ssh server to connections from the outside world.

1. Disable OpenSSH server
You should disable and remove openssh on machines that you don’t need connections to, like workstation, laptop

For Ubuntu, Mint, or Debian based distributions

# apt-get remove openssh-server

For Fedora, Centos, or Red Hat based distributions

# chkconfig sshd off
# yum erase openssh-server

You will need to update and restart your iptables if you have one to remove ssh exception rule.

# nano /etc/sysconfig/iptables

2. Only Use SSH Protocol 2
Make sure its in your openssh server config file

Protocol 2

3. Limit access to ssh server
Only allow certain user/users to access your ssh server and deny user/users you don’t want to access to ssh server.

To allow user/users, add this to sshd_config

AllowUsers tom marry mike

To deny

DenyUsers root jenny

Personally i highly suggest you deny root user on ssh server and ssh with normal unprivileged user, then you can become root after that.

To become root you can use su command

For Ubuntu, Mint, or Debian based distributions

$ sudo su

For Fedora, Centos, or Red Hat based distributions

$su -

# Config Idle Log Out Timeout Interval
You would not want to leave your ssh session unattended, having idle log out timeout is a good idea to do so. Here i set mine at 300 seconds or 5 minutes

ClientAliveInterval 300
ClientAliveCountMax 0

4. Disable .rhosts Files

IgnoreRhosts yes

6. Disable Host-Based Authentication
HostbasedAuthentication no

7. Disable root Login via SSH
As I mentioned before, you dont want to login with your root account. Besind deny user root, you should also disallow it.

PermitRootLogin no

8. Having a Warning Banner
This is not really effective to against somebody want to break in your ssh server, but it’s cool to have one and sort of legal warning.

Banner /etc/ssh_banner

Sample warning banner /etc/ssh_banner


The use of this system is restricted to authorized users, unauthorized access is forbidden and will be prosecuted by law. All information and communications on this system are subject to review, monitoring and recording at any time, without notice or permission. Users should have no expectation of privacy.


8. Change SSH server port
After **deny and disallow root login** at number 3. and 7., I belive changing ssh server port to a non-standard port is the **second most important** effective way to prevent break in ssh server. I **belive** (I might be wrong) anything between port 1024 to 65535 is safe to use.

Port 10000

9. Disable Empty Passwords
You don’t want anyone to login to your ssh server with an empty password

PermitEmptyPasswords no
Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Inline Feedbacks
View all comments