Modify server configuration to lock down incoming SSH connections

Instructor: Mark Shust
Published 6 years ago
Updated 4 years ago

Learn how to modify the sshd_config configuration file to lock down incoming SSH connections. You can filter and prevent incoming SSH connections by username, by IP address, and by other methods.

Instructor: [0:01] SSH by default is fairly secure. However, there are a few configuration settings you can modify to make things even more secure. Open up the sshd configuration file located at /etc/ssh/sshd_config. In this file, disable the ability to log in to the root user by toggling PermitRootLogin to no.

[0:28] If you would still like to be able to access the server with root, but don't want passwords to be used, you can also specify prohibit-password as the value, which will disable logins to root by password, but allow other connections with SSH keys. You can also completely disable password authentication for the entire server by setting the value for PasswordAuthentication to no.

[0:54] Let's say you want to lock things down even further, and only allow SSH connectivity for specific users. Search for or create the AllowUsers directive. The value for this option is a space-delimited list of users, or user IP connection strings. In this manner, you can lock down SSH for only specific users.

[1:17] You can also allow specific users only coming from specific IP addresses, or you can allow all users connecting from specific IP addresses. Be sure to restart the SSH service after applying updates to the configuration file by running service ssh restart.