Securing an SSH Server

SSH servers listen for incoming connections on TCP port 22. Because it is the well-known port, port 22 is a constant target of unauthorized login attempts by attackers scanning for unsecured servers. To reduce unauthorized server access, you can turn off port 22 and run the service on a non-standard port between 1024 and 65535.

The following task requires root access privileges.

Aspera® transfer products ship with OpenSSH listening on both TCP/22 and TCP/33001. Aspera recommends using TCP/33001 only and disabling TCP/22.

  1. Use a text editor to open the SSH configuration file.
    /etc/ssh/sshd_config
    Note: Before changing the default port for SSH connections, verify with your network administrators that TCP/33001 is open, and notify users of the port change.
  2. Add the new SSH port.
    Port 22
    Port 33001
    Note: Keep both Port lines while you are migrating from TCP/22. With both ports listed in sshd_config, sshd listens on TCP/22 and TCP/33001 at the same time, so existing clients keep working until they have switched to TCP/33001.

  3. Disable TCP/22 by commenting it out in the sshd_config file.
  4. Disable TCP/22 by modifying /etc/services so that the only open SSH port is TCP/33001.
  5. In OpenSSH versions 4.4 and later, disable SSH tunneling to avoid potential attacks by adding the following lines at the end of the sshd_config file. As a result, only users in the root group are permitted to tunnel.
    ...
    AllowTcpForwarding no
    Match Group root
    AllowTcpForwarding yes

    Depending on your sshd_config file, you may have additional instances of AllowTcpForwarding that are set to the default value yes. Review your sshd_config file for other instances and disable them as appropriate.

    Disabling TCP forwarding does not improve security unless users are also denied shell access, as they can always install their own forwarders. Review your user and file permissions, and see the following instructions on modifying shell access.

  6. Update the authentication methods by adding or uncommenting PubkeyAuthentication yes in the sshd_config file and commenting out PasswordAuthentication yes.
    ...
    PubkeyAuthentication yes
    #PasswordAuthentication yes
    PasswordAuthentication no
    ...
  7. Disable root login by commenting out PermitRootLogin yes in the sshd_config file and adding PermitRootLogin no.
    ...
    #PermitRootLogin yes
    PermitRootLogin no
    ...

    Administrators can then use the su command if root privileges are needed.

  8. Restart the SSH server to apply the new settings.

    Restart or reload the SSH Server using the following commands:

    OS Version          Instructions
    RedHat (restart)    $ sudo service sshd restart
    RedHat (reload)     $ sudo service sshd reload
    Debian (restart)    $ sudo /etc/init.d/ssh restart
    Debian (reload)     $ sudo /etc/init.d/ssh reload
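The following script is an added example and is not part of the Aspera documentation or its products. It applies the sshd_config edits from steps 2 to 7 to a copy of the file and then audits the copy before anything is installed. It assumes a POSIX sh with awk and grep, one directive per line in the canonical case shown above, and that the hardened global directives must land before any existing Match line (in sshd_config, everything after a Match line applies only to matching connections, which is also why the Match Group root block goes last). The sample configuration it edits is constructed for the example and is not taken from any host.

```shell
#!/bin/sh
# Added example, not part of the Aspera documentation or its tooling: apply the
# sshd_config edits from steps 2-7 to a COPY of the file, then audit the copy
# before it replaces /etc/ssh/sshd_config. Assumptions: POSIX sh, awk and grep;
# one directive per line in canonical case (Port, PermitRootLogin, ...).

# Constructed sample resembling a stock sshd_config (not taken from any host).
make_sample_config() {
  cat > "$1" <<'EOF'
# Sample sshd_config (constructed for this example)
Port 22
Port 33001
#PubkeyAuthentication yes
PasswordAuthentication yes
PermitRootLogin yes
AllowTcpForwarding yes
Subsystem sftp /usr/libexec/openssh/sftp-server
EOF
}

# harden_sshd_config IN OUT: comment out Port 22 and the permissive
# authentication/forwarding values, add the hardened values as global settings,
# and append the "Match Group root" exception last. Global directives must
# appear before any Match line (everything after a Match line applies only to
# matching connections), so the hardened lines are emitted either just before
# the first existing Match block or at the end of the file.
harden_sshd_config() {
  awk '
  function emit_globals() {
    if (!has33001) print "Port 33001"          # step 2
    print "PubkeyAuthentication yes"           # step 6
    print "PasswordAuthentication no"          # step 6
    print "PermitRootLogin no"                 # step 7
    print "AllowTcpForwarding no"              # step 5
    done = 1
  }
  /^[ \t]*Match[ \t]/ { if (!done) emit_globals(); inmatch = 1 }
  inmatch { print; next }                     # leave existing Match blocks alone
  /^[ \t]*Port[ \t]+33001[ \t]*$/ { has33001 = 1; print; next }
  /^[ \t]*Port[ \t]+22[ \t]*$/ { print "#" $0; next }          # step 3
  /^[ \t]*(PubkeyAuthentication|PasswordAuthentication|PermitRootLogin|AllowTcpForwarding)[ \t]/ {
    print "#" $0; next                        # old value kept, commented out
  }
  { print }
  END {
    if (!done) emit_globals()
    print "Match Group root"                  # step 5: only group root may forward
    print "AllowTcpForwarding yes"
  }' "$1" > "$2"
}

# audit_sshd_config FILE: return 1 if any permissive directive is still active
# among the global (pre-Match) settings, or if no active Port 33001 line exists.
audit_sshd_config() {
  f=$1; rc=0
  globals=$(awk '/^[ \t]*Match[ \t]/ { exit } { print }' "$f")
  for bad in 'Port[[:space:]]+22[[:space:]]*$' \
             'PasswordAuthentication[[:space:]]+yes' \
             'PermitRootLogin[[:space:]]+yes' \
             'AllowTcpForwarding[[:space:]]+yes'; do
    if printf '%s\n' "$globals" | grep -Eiq "^[[:space:]]*$bad"; then
      echo "FAIL: active global directive matching '$bad' in $f"; rc=1
    fi
  done
  if ! printf '%s\n' "$globals" | grep -Eiq '^[[:space:]]*Port[[:space:]]+33001'; then
    echo "FAIL: no active 'Port 33001' in $f"; rc=1
  fi
  return $rc
}

# Demonstration on a temporary copy; nothing under /etc is touched.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
make_sample_config "$tmp/sshd_config"
harden_sshd_config "$tmp/sshd_config" "$tmp/sshd_config.new"
if audit_sshd_config "$tmp/sshd_config.new"; then
  echo "hardened copy passes audit: $tmp/sshd_config.new"
fi
```

On a real host, run the audit against the copy, then validate the syntax with sshd's own test mode (sshd -t -f /path/to/sshd_config.new, as root so the host keys load) before copying it into place and restarting or reloading the service as in step 8. Keep an existing session open while you do so, and connect on TCP/33001 from a second session before closing the first, so a mistake in the new file cannot lock you out.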