Secure The Default SSH Configuration

SSH is a secure protocol used for system administration, tunneling and many useful things that a secure encrypted channel can offer. Due to the importance it has on a system attackers tend to make it a priority when scanning for ports. Increasing the level of awareness and security requires common sense to avoid using short password and common user names like “user” on a system exposed to the Internet. The location of the OpenSSH configuration may vary depending on the Linux distribution you are using, the fundamentals still remain the same.

  • When the sign # is present it means previous value

Improve the default configuration

On Debian based distribution the configuration for OpenSSH can be found at.


Usually the attacker will scan for common or default ports, SSH uses port 22. In order to reduce the amount of failed attempts on a system change the port to a number above 1024.

#Port 22
Port 1520

OpenSSH offer two protocols SSH1 and SSH2, all just need to is SSH1 is insecure. The solution is to simply select protocol 2.

#Protocol 2,1
Protocol 2

The Root account has no need to be reachable from the Internet, instead create a user with privileges. You do not want to grant the attacker a nuke!. Deny login access to the root account from the Internet.

#PermitRootLogin yes
PermitRootLogin no

Automated attacks benefit from default configurations, like allowing a high number of invalid attempts, limit the number of fails attempts before denying and requiring another attempt.

#MaxAuthTries 6
MaxAuthTries 2

Now lets limit the amount of unauthenticated connection the SSH server will handle at the same time. When we make the numbers smaller than the default of 10 we are making it harder for the attacker to coordinate an attack with multiple connections. The new values tell the SSH server to allow 3 users at the same time then randomly and increasingly drop the connections between 2 / 8.

#MaxStartups 10
MaxStartups 2:40:8

By default the SSH server will hold open an unauthenticated connection for 2 minutes which is a long time in the Internet, 30 seconds is more than enough time to log in.

#LoginGraceTime 2m
LoginGraceTime 30

SSH keys are far more secure than passwords, do not run the risk of an attacker guessing you password. Disable password authentication and only allow access by using SSH keys.

#PasswordAuthentication yes
PasswordAuthentication no

This may seem basic but we are actually giving the attacker a run for his or her money. For the changes to take effect restart OpenSSH.

/etc/init.d/sshd restart