How to harden SSH - Basic guide

This post (unlike my other two) is not going to be a ranty post about something that annoys me. This in truth is more of a reference guide on how to harden OpenSSH. I’m not going to do a massive paragraph on what is ssh, if you reading this you likely already know - however for background, ssh stands for secure shell, and is one of the most popular ways to administer Linux (and sometimes windows) servers. Because it is so popular, it is often the first point of call when a hacker is looking for an attack vector.

STEP 1 - Creating a backup

SSH is one of the easier things to modify within Linux, however, it is always best practice to create a backup file incase you mess it up. You can do this using the following command

sudo cp /etc/ssh/sshd_config ~/sshd_config.bkup

STEP 2 - Basic hardening

You are now going to want to access the original file, ill be using vim in this but you can swap that out for your prefered editor

sudo vim /etc/ssh/sshd_config

On a very basic level, you are going to want to change the following settings to these parameters

  • AddressFamily inet : Makes it so your server only accepts ipv4 ssh connections
  • PermitRootLogin No : This prevents the user from directly logging in as root, which is considered best practise
  • MaxAuthTries 3 : This makes it so the user can only attempt 3 password entries before being booted, helping to slow down brute force attacks
  • LoginGraceTime 20 : This sets it so the user only has 20s to log in before being booted
  • PasswordAuthentication no : Makes it so you authenticate with keys rather than passwords, making the server significantly more secure
  • PermitEmptyPasswords no : This prevents logins if a users password is set to a blank or empty value

SSH also can let the user authenticate with other methods other than passwords (which we have already disabled) and keys. Given in 90% of cases we will not be using that, it makes sense to disable these to lower our attack surface

  • KerberosAuthentication no
  • GSSAPIAuthentication no

There are a few other options you can disable if they are not being used on your server

  • X11Forwarding no : Prevents the display of remote graphics over ssh
  • PermitUserEnviroment no : Prevents client from passing in customer environment variables. If you do this make sure to # out any references to AcceptEnv in the config file
  • AllowAgentForwarding no
  • AllowTcpForwarding no
  • PermitTunnel no

Finally, you can disable the ssh banner that displays when you connect using the following

  • DebianBanner no

You reload the shhd settings using the following

sudo service sshd reload

STEP 2 - Change your f**king port

Look, this is always needed - In truth if you already did what I suggested above then your SSH is pretty secure. This being said it is considered best practice to change your ssh port away from the standard 22 to something random and high. I will be using the example 1234 in this but I would strongly advise against this, just use a random number generator and that will give you one to use.

To do this first thing you want to do is go into your sshd_config file we were editing in the last step. Change the following parameter

  • Port 1234

Reload your ssh and now your port should be different. From now on your going to have to put -p 1234 at the end when you ssh into a server.

Now we’re going to install a firewall, specifically the UFW. You can use IP tables, but in general, I like to apply the golden rule of KISS (Keep It Simple Stupid) - Don’t overcomplicate it. On a Debian-based server, we would use

sudo apt install ufw

By default, your firewall isn’t going to be up you can check that with the following command

sudo ufw status

and it should come back with Status: inactive.

Next were going to add out new ssh port using

sudo ufw allow 1234

Now your going to bring your server back up with

sudo ufw enable

Now before you log out, just try and log in from another terminal to make sure the firewall hasn’t kicked you out - if it lets you in then you’re set


A general purpose blog for me to braindump anything I might be thinking about. Please dont hesistate to reach out if you have any questions