Securing an SSH Server

SSH servers listen for incoming connections on TCP port 22. Therefore, port 22 is subjected to unauthorized login attempts by hackers trying to access unsecured servers. To prevent unauthorized server assess, you can turn off port 22 and run the service on a random port between 1024 and 65535.

The following task requires Administrator access privileges.

Aspera® transfer products ship with OpenSSH listening on both TCP/22 and TCP/33001. Aspera recommends using TCP/33001 only and disabling TCP/22.

  1. Use a text editor to open the SSH configuration file.
    Note: Before changing the default port for SSH connection, verify with your network administrators that TCP/33001 is open. Notify users of the port change
  2. Add the new SSH port
    Port 22
    Port 33001
    Note: Before changing the default port for SSH connections, verify that TCP/33001 is open.

    The OpenSSH suite included in the installer uses TCP/22 and TCP/33001 as the default ports for SSH connections. Aspera recommends disabling TCP/22 to prevent security breaches of your SSH server.

  3. Disable TCP/22 by commenting it out in the sshd_config file.
  4. In OpenSSH versions 4.4 and later, disable SSH tunneling to avoid potential attacks by adding the following lines at the end of the sshd_config file. As a result only Administrator group users are permitted to tunnel.
    AllowTcpForwarding no
    Match Group Administrators
    AllowTcpForwarding yes

    Depending on your sshd_config file, you may have additional instances of AllowTCPForwarding that are set to the default Yes. Review your sshd_config file for other instances and disable as appropriate.

  5. Update authentication methods by adding or uncomment PubkeyAuthentication yes in the sshd_config file and comment out PasswordAuthentication yes.
    PubkeyAuthentication yes
    #PasswordAuthentication yes
    PasswordAuthentication no
  6. Restart the SSH server to apply the new settings. Navigate to Control Panel > Administrative Tools > Services. Locate the OpenSSH Service and click Restart.