How to Secure SSH

Overview

This document lists several helpful changes that you can make to your server to improve SSH security. We strongly recommend that you restrict and properly configure Secure Shell (SSH) access in order to secure your server.

Be careful who you grant SSH access to

If a user does not need SSH access, do not grant them access. To remove a user’s SSH access, use WHM’s Manage Shell Access interface (WHM >> Home >> Account Functions >> Manage Shell Access).

Some users may need SSH access, but only need access to files in their home directory. We recommend that you assign a jailed shell environment to these users. For more information about jailed shells, read our VirtFS – Jailed Shell documentation.

The system can display an SSH legal message (message of the day, or motd) whenever someone logs in to your server through SSH.

To set the message, use your preferred text editor to edit the /etc/motd file and save your changes. For example, one of our technical analysts uses the following message:

1
2
3
4
5
6
7

ALERT! You have entered a secured area! The system has recorded
your IP and login information, and it has notified the administrator.

This system is restricted to authorized access only. All activities on
this system are recorded and logged. The system administrator will fully
investigate and report unauthorized activity to the appropriate law
enforcement agencies.

Use SSH Keys

You can disable password authentication for SSH on your server, which will force users to log in through SSH with keys instead of passwords.

To do this, perform the following:

  1. Use WHM’s Manage root’s SSH Keys interface (WHM >> Home >> Security Center >> Manage root’s SSH Keys) to generate and download a key for the root user.

  2. Use WHM’s SSH Password Authorization Tweak interface (WHM >> Home >> Security Center >> SSH Password Authorization Tweak) to disable password authentication for SSH.

Strengthen SSH security

The /etc/ssh/sshd_config file contains your server’s configuration settings for SSH. We recommend that you change the following settings:

  • Port — The port number on which the sshd daemon listens for connections. The highest acceptable value is 49151.

    Note:

    We recommend that you use a privileged port of 11023 that another service does not currently use. Only the root user can bind to ports 11023. Anyone can use the unprivileged ports of 1024 and greater.

  • Protocol — The SSH protocol that your server uses. We recommend that you change this value to 2.

  • ListenAddress — The IP address on which the sshd daemon listens for connections. Your server must own this IP address. We strongly recommend that you do not use your main shared IP address for this value. You can create a custom DNS entry specifically for the new SSH IP address. To do so, create a zone file (for example, ssh.example.com) and add an A entry to the zone file for the new nameserver entry.

  • PermitRootLogin — This option specifies whether you wish to allow people to directly log in to SSH as the root user. We strongly recommend that you set this value to no.

Edit the sshd_config file

To configure the /etc/ssh/sshd_config file in order to tighten your server’s security, perform the following steps:

Note:

For CentOS 7 and 8, CloudLinux 7 and 8, AlmaLinux 8, and RHEL 7 firewall management, we recommend that you manage your server’s firewall with the /etc/firewalld/services/cpanel.xml file. You can read more about this file in our How to Configure Your Firewall for cPanel & WHM Services documentation.

  1. Log in to your server as the root user via SSH. If your server does not allow direct root logins to SSH, log in as your wheel user and use the su command to become the root user.

  2. Back up the sshd_config file with the following command: 

    cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak`date +%F`

  3. Open the /etc/ssh/sshd_config file with a text editor.

  4. To change a parameter in the sshd_config file, uncomment the line that contains the parameter. To do this, remove the number-sign character (#) and change the value for the line.

    Important:

    If you change the default SSH port, you must update your server’s firewall configuration to allow traffic to the new port. For more information about firewall configuration, read our How to Configure Your Firewall for cPanel & WHM Services documentation.

    For example, the default SSH port appears in a line similar to the following example:

    #Port 22

    To change the SSH port to 456, edit that line to resemble the following example:

    Port 456

After you configure SSH, run the /scripts/restart_sshd script or the service sshd restart command to restart the SSH daemon.

After you restart SSH, log out of your server and log in again with the user, IP address, and port number that you specified in the sshd_config file.

Warning:

If you accidentally misconfigure your SSH configuration file, navigate to the following link in your web browser (where example.com represents the server’s hostname or main IP address):

https://example.com:2087/scripts2/doautofixer?autofix=safesshrestart

Example sshd_config File

Warning:

Do not copy the the example file below and attempt to use it on your server. It will break your SSH service configuration. This file is only an example.

Click to view…

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154

#   $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
Port 456
#AddressFamily any
ListenAddress 192.168.69.187
#ListenAddress ::

# The default requires explicit activation of protocol 1
Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Ciphers and keying
#RekeyLimit default none

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes


# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile  .ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
# problems.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation sandbox      # Default for new installations.
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

# override default of no subsystems
Subsystem   sftp    /usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#   X11Forwarding no
#   AllowTcpForwarding no
#   PermitTTY no
#   ForceCommand cvs server