Securing SSH

Securing SSH

The SSH Configuration File

You can find the SSH configuration file at /etc/ssh/sshd_config

To edit this file, you will need to log into your server as the root user. Once you have logged into your normal user account via SSH, you can become the root user by using the su command. For example:


This email address is being protected from spambots. You need JavaScript enabled to view it. [~]# su -
root@host [~]# 


Editing the SSH Configuration File

To change specific parameters within sshd_config, you need to uncomment the line by removing the number-sign (#) and changing the value for the line. For example, the default SSH port appears in a line like this:


#Port 22

To change the SSH port to 456, you will need to make the line appear like this:


Port 456

NOTE: If you are changing the default SSH port then you NEED to allow the new port in the servers firewall (iptables,csf,ufw etc) before restarting SSH, otherwise you will lose access.

To restart the SSH service on the new port:

service sshd restart


Recommended Changes to sshd_config


  • Port — The port number on which sshd listens for connections. The highest acceptable value is 49151.
    Warning: We recommend that you use a port number that is less than 1024 that is not already utilized by another service. These are known as "privileged" ports, because only root can bind to them. Ports 1024 and above are known as "unprivileged" ports, and anyone can use them.
  • Protocol — The SSH protocol your server will use. We recommend changing this value to 2.
  • Listen Address — The IP address on which sshd listens for connections. Your server must own this IP address. We strongly recommend that you do not use your main shared IP address for this value. You can create a custom nameserver entry specifically for the new SSH IP address. To do so, you will need to create the zone file (for example, and add an A entry to the zone file for the new nameserver entry.
  • PermitRootLogin — This option specifies whether or not you wish to allow people to directly log in via SSH as the root user. We strongly recommend that you set this value to no.

After you are finished configuring SSH, you will need to restart the SSH daemon. You can do so by issuing the following command: /etc/init.d/sshd restart

After you restart SSH, you will need to log out of your server and log in again using the proper user, IP address, and port number you specified in sshd_config.

If you accidentally misconfigure your SSH configuration file, you can access the following link to run a script on your server:

This script will temporarily configure an additional SSH configuration file for port 23, allowing you to access, edit, and fix the original SSH configuration file.


Setting an SSH Legal Message

An SSH legal message (message of the day or motd) appears whenever someone logs into your server via SSH. This message is contained within the following file: /etc/motd

To set a legal message, use your preferred text editor to edit the file and save your changes. For example, one of our technical analysts uses the following message:


ALERT! You are entering a secured area! Your IP and login information
have been recorded. System administration has been notified.

This system is restricted to authorized access only. All activities on
this system are recorded and logged. Unauthorized access will be fully
investigated and reported to the appropriate law enforcement agencies.


Use SSH Keys

You can use WHM's Home >> Security Center >> SSH Password Authorization Tweak feature to disable password authentication. Disabling password authentication forces users to login via SSHusing keys rather than passwords.

Add comment

Security code