SSH servers listen for incoming connections on TCP port 22. Port 22 is therefore
subject to unauthorized login attempts by attackers looking for unsecured
servers. To prevent unauthorized server access, you can turn off port 22 and run
the service on a random port between 1024 and 65535.
The following task requires root access privileges.
Aspera® transfer products ship with OpenSSH listening on both TCP/22
and TCP/33001. Aspera recommends using TCP/33001 only and disabling TCP/22.
- Use a text editor to open the SSH configuration file.
Note: Before changing the default port for SSH connections, verify with your
network administrators that TCP/33001 is open. Notify users of the port change.
- Add the new SSH port:
Port 22
Port 33001
Note: Before changing the default port for SSH connections, verify that
TCP/33001 is open. To enable TCP/33001 while you are migrating from TCP/22, add
Port 33001 to the sshd_config file alongside Port 22 so that sshd listens on
both ports during the migration.
- Disable TCP/22 by commenting it out in the sshd_config file.
- Disable TCP/22 by modifying /etc/services so that the only open SSH port is
TCP/33001.
- In OpenSSH versions 4.4 and later, disable SSH tunneling to avoid potential
attacks by adding the following lines at the end of the sshd_config file. As a
result, only root users are permitted to tunnel.
...
AllowTcpForwarding no
Match Group root
AllowTcpForwarding yes
Depending on your sshd_config file, you may have additional instances of
AllowTcpForwarding that are set to the default yes. Because sshd uses the first
value it finds for a keyword, an earlier AllowTcpForwarding yes takes precedence
over the line you appended. Review your sshd_config file for other instances and
disable them as appropriate.
Disabling TCP forwarding does not improve security unless users are also denied
shell access, because they can always install their own forwarders. Review your
user and file permissions, and see the following instructions on modifying
shell access.
- Update the authentication methods by adding or uncommenting
PubkeyAuthentication yes in the sshd_config file, commenting out
PasswordAuthentication yes, and adding PasswordAuthentication no:
...
PubkeyAuthentication yes
#PasswordAuthentication yes
PasswordAuthentication no
...
- Disable root login by commenting out PermitRootLogin yes in the sshd_config
file and adding PermitRootLogin no:
...
#PermitRootLogin yes
PermitRootLogin no
...
Administrators can then use the su command if root privileges are needed.
- Restart or reload the SSH server to apply the new settings, using the command
for your operating system:
OS Version       | Instructions
RedHat (restart) | $ sudo service sshd restart
RedHat (reload)  | $ sudo service sshd reload
Debian (restart) | $ sudo /etc/init.d/ssh restart
Debian (reload)  | $ sudo /etc/init.d/ssh reload
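Before restarting sshd, it is worth checking that the edits above actually took effect. The following audit script is an added example, not Aspera's code; it parses an sshd_config body the way sshd does (first value per keyword wins, every Port line adds a listener, lines after Match belong to that block) and reports any step above that is not satisfied. The keyword names and the OpenSSH 7.0+ defaults are the real ones; the sample configuration is constructed for the example.

```python
"""Audit an sshd_config against the hardening steps above (added example)."""
import re

# Values the steps above require in the global (pre-Match) section, and the
# OpenSSH 7.0+ defaults that apply when a keyword is absent from the file.
REQUIRED = {"allowtcpforwarding": "no", "pubkeyauthentication": "yes",
            "passwordauthentication": "no", "permitrootlogin": "no"}
DEFAULTS = {"allowtcpforwarding": "yes", "pubkeyauthentication": "yes",
            "passwordauthentication": "yes", "permitrootlogin": "prohibit-password"}

def parse_sshd_config(text):
    """Return (global_settings, ports, match_blocks) using sshd's own rules:
    the FIRST value seen for a keyword wins, every Port line adds a listener,
    and keywords after a Match line belong to that block until the next Match."""
    global_settings, ports, match_blocks = {}, [], []
    current = None  # None means we are still in the global section
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # sshd_config treats only whole lines as comments
        key, value = (re.split(r"\s+|\s*=\s*", line, maxsplit=1) + [""])[:2]
        key = key.lower()
        if key == "match":
            current = {"match": value}
            match_blocks.append(current)
        elif current is not None:
            current.setdefault(key, value)
        elif key == "port":
            ports.append(value)
        else:
            global_settings.setdefault(key, value)  # first value wins
    return global_settings, ports, match_blocks

def audit(text):
    """Return findings; an empty list means the config follows the steps above."""
    settings, ports, _ = parse_sshd_config(text)
    findings = ["Port 22 is still enabled"] if "22" in ports else []
    if "33001" not in ports:
        findings.append("Port 33001 is not configured")
    for key, want in REQUIRED.items():
        got = settings.get(key, DEFAULTS[key]).lower()
        if got != want:
            findings.append(f"{key} is effectively {got!r}, expected {want!r}")
    return findings

# Constructed sample: the recommended lines were appended, but an earlier
# 'AllowTcpForwarding yes' is still present higher up and therefore wins.
SAMPLE_BEFORE = ("Port 22\nPort 33001\nAllowTcpForwarding yes\nPasswordAuthentication yes\n"
                 "AllowTcpForwarding no\nMatch Group root\nAllowTcpForwarding yes\n")
```

Running audit(SAMPLE_BEFORE) reports the still-open port 22, the forwarding line that the earlier default overrides, and the password and root-login settings that were never changed; on a live host, `sshd -T` shows the same effective values from sshd itself.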