Linux SSH Server (sshd) Configuration and Security Options With Examples

Secure Shell or with its most know name SSH is a protocol developed to connect IT systems remotely and securely. SSH works as expected client server architecture. In this post we will look various security related configuration options of the SSH daemon service or sshd. The tutorial about the client side ssh configuration can be found in the following link

Server Configuration File

Ssh generally works as a service or daemon. This service starts by reading some configure file about the service. This configuration file is located at /etc/ssh/sshd_config . In most Linux distributions the file is used as startup config. In order to modify configuration file we need root privileges.

$ head /etc/ssh/sshd_config
Server Configuration File
Server Configuration File


Some rules requires comments about them. Comment are created with # lines. Comments have no effect about sshd configuration.

#This is just a comment.

Restart Ssh Service

After ssh configuration file changes ssh service or daemon should be restart to take effect new configuration. There are different ways to restart ssh service but the most global way to restart ssh daemon is using systemctl command like below.

$ sudo systemctl restart sshd

Stop Ssh Service

If the ssh is not used and we have direct access to the system stopping ssh service is more secure choose. We will stop ssh service with systemctl command

$ sudo systemctl stop sshd

Check Ssh Service Status

After configuration changes we restart the ssh service but how can be sure it is working. There are different ways but most appropriate way is using systemctl to get status of the service. This command also provide last logs about the service those can provide hints about configurations errors or similar things.

$ sudo systemctl status sshd
Check Ssh Service Status
Check Ssh Service Status

Specify Protocol Version

Ssh have two versions. As we expect version 1 is the old and non secure version. It is abandoned in long time ago but some ssh configurations may contain this version enabled. We will only enable the version 2 with following line.

Protocol 2

Allowed Users

By default all users in created on the system can login remotely. Enabling all users remote login opportunity is not a good security practice. We can limit login for specified users like below. In this example we only allow user ismail to login remotely by using ssh.

AllowUsers ismail

Denied Users

Another way to limit users login is specifying user account those do not have right to login remotely by using ssh. All other users than specified ones will have remote access. In this example we deny remote access for user root . Denying access for root is a good security practice.

DenyUser root

Specify IP Address and Interface To Run

By default when ssh service is started it runs on all interfaces and IP addresses. This may create some security problem if the system have more than one network interface where some of them are in secure side. We can restrict the ssh service interface to run. Ssh service will not accept connections from other interfaces.


Configure Session Timeout

After connection is established the connection is stayed in open state forever if not closed explicitly. This is not a wanted situation for resource usage and security. We should define a timeout value which will close session after this time of inactivity. In this example we set this values as 120 seconds

ClientAliveInterval 120

Disable Root Login

One of the best practices is disabling root account remote login. If there are other high privileged well known accounts these accounts must be disabled too.

PermitRootLogin no

Configure Banner

While connecting systems remotely with ssh providing information warning information about the system is good way to prevent some attacks.

Banner "This system is monitored and logged in real time. In the case of attacks the legal actions will be taken against attacker."

Change Port Number

By default ssh uses TCP port 22 as port number. Most of the users and attackers assumes this default and takes action to the TCP port 22. If there is no operations cost changing the ssh server port is the best way. In the example we use port 1234 as ssh daemon port.

Port 1234

Disable Password Authentication

Password authentication is a simple method for user to authenticate themselves. But it is more simpler than other method for attackers to crack too. Users generally prefer simple and easy to remember passwords which make attackers work easy. We can disable password based authentication.

PasswordAuthentication no

But the users should be all ready setup Public key based authentication in order to resume using ssh server. More information about how to setup public key based authentication can be found in the following link.

LEARN MORE  How To Specify Ssh Keys When Running Shell Command Like Git,Rsync

Only Public Key Based Authentication

By default public key authentication is enabled but enabling it explicitly will make it more reliable.

PubkeyAuthentication yes

Disable Empty Passwords

Another great risk for ssh daemon is empty passwords. Modern Linux distributions generally prohibits empty passwords but disabling empty passwords will make us sure.

PermitEmptyPasswords no

Enable Strict Mode

StrictMode  checks some cases before the ssh server starts. Ssh key, configuration files ownership, permission checks are performed before ssh daemon starts. If one of them fails the ssh server daemon do not starts. Strict mode is enabled by default but generally closed by system administrators. For security reasons it should be enabled.

StrictMode yes

Disable X11 Forwarding

One of the best feature for ssh is forwarding X11 over remote connections. This is very useful feature for some system administrators and users. But this can create some security holes in the system. If X11 forwarding is not needed disable it.

X11Forwarding no

Update Ssh Software

Now the last but one of the most important rule to make ssh servers and daemons secure. Updating is the magical way to make ssh more secure.

Ubuntu, Debian, Mint:

$ sudo apt upgrade ssh

Fedora, Kali, CentOS:

$ sudo yum update ssh

1 thought on “Linux SSH Server (sshd) Configuration and Security Options With Examples”

Leave a Comment