Published : 2011-11-07

Introduction

SSH is the foundation of remote administration on any Unix/Linux system. Along with the Windows RDP protocol, it is also one of the two main targets for attackers.

Securing your SSH means lowering the risks of losing a service or essential data. Throughout this article, we will show you how to secure SSH and improve its performance a bit.

Disable root login

The account attacked most often is root. By default SSH allows remote root access, and attackers love to brute-force this account. I suggest you create a dedicated user that exists only as the way in to root: you log in as that user and then switch to root. Do not give this user a common name; pick something that would not be in a dictionary.

Set the PermitRootLogin directive in sshd_config to forbid root login:

PermitRootLogin no

Use the latest SSH version

SSH normally runs protocol version 2. On some rather old versions of Linux, your system may have kept SSH version 1 and only use DSA encryption.

The Protocol option lets you specify which version to use.

Protocol 2

Note: On recent versions of OpenSSH it is no longer possible to select protocol version 1, on either the client or the server.

Change the SSH listening port

To go further in securing your setup, you can change the SSH port to one that attackers will rarely or never target. Use the Port directive to make this change (be careful that the port is not already in use!).

Port 9870

Listen only on some interfaces

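You can also restrict SSH to some network interfaces so that, for instance, it is not exposed on the internet. To do so, set the ListenAddress directive to the local IP address sshd should listen on (IPv6 is supported). The directive takes an address or hostname, not an interface name, and only one per line; to listen on a second interface such as eth4, repeat the directive with the address assigned to that interface:

ListenAddress 121.254.36.2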
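
A small audit of the four directives covered above (PermitRootLogin, Protocol, Port, ListenAddress), added here as an example and not part of the original article. The sample configuration is constructed, the function names are hypothetical, and Match blocks are deliberately left out of scope.

```python
import re

# Constructed sample, not taken from a real host.
SAMPLE = """\
# sshd_config (constructed)
Port 22
permitrootlogin yes
PermitRootLogin no
ListenAddress 121.254.36.2, eth4
Match User deploy
    PermitRootLogin no
"""

def parse_global(text):
    """Collect {keyword: [values]} from the global section (before any Match)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"(\w+)(?:\s*=\s*|\s+)(.+)", line)
        if not m:                         # blank line or '#' comment
            continue
        key = m.group(1).lower()          # keywords are case-insensitive
        if key == "match":
            break                         # conditional blocks are not audited here
        settings.setdefault(key, []).append(m.group(2).strip())
    return settings

def audit(text):
    """Return findings for the four directives covered in this article."""
    cfg, findings = parse_global(text), []
    root = cfg.get("permitrootlogin")
    if root is None:
        findings.append("PermitRootLogin unset: build default applies")
    elif root[0] != "no":                 # sshd keeps the first value it reads
        findings.append(f"PermitRootLogin is '{root[0]}', expected 'no'")
    if any("1" in v.split(",") for v in cfg.get("protocol", [])):
        findings.append("Protocol allows version 1")
    if "22" in cfg.get("port", ["22"]):   # no Port line means port 22
        findings.append("Port 22 (default) is in use")
    addrs = cfg.get("listenaddress", [])
    if not addrs:
        findings.append("ListenAddress unset: all local addresses are used")
    for value in addrs:
        if "," in value:
            findings.append(f"ListenAddress '{value}': one address per directive")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

The duplicate PermitRootLogin lines in the sample show why order matters: the later "no" does not override the earlier "yes".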