SSH Configuration
Changing SSH Port
The SSH daemon listens on port 22 by default. To determine which port sshd is currently configured to listen on, use the following command to dump the currently loaded configuration and search the output for the port parameter. Note that all of the following commands must be run as the root user.
$ sshd -T | grep port
If after careful consideration you decide to change the port on which ssh listens for incoming connections, open /etc/ssh/sshd_config with your favorite text editor and change the Port line. It will usually be commented out with the default value of 22.
Many users have noted that running ssh on SSL-enabled ports works for getting around firewalls.
| Service | Port |
|---|---|
| HTTPS | 443 |
| POP3 SSL | 993 |
| SMTP SSL | 465 |
The following command will restart the ssh daemon process on systems using the SysV init system.
$ /etc/init.d/sshd restart
Systems using systemd can use the following command to restart the ssh daemon.
$ systemctl restart sshd.service
Note that services supporting the systemd reload command (such as the OpenSSH server daemon) may load updated configurations into memory without any downtime.
$ systemctl reload sshd.service
Disable Password Logins
Warning: if you did not set up your public keys, you will have to log in via the VPS console and fix everything manually.
To check whether you have password logins enabled, run the following command as root
$ grep PasswordAuthentication /etc/ssh/sshd_config
If it returns
PasswordAuthentication no
then password logins are already disabled. If there is a # at the beginning of the line, the directive is commented out and you must remove the # before it will take effect.
To disable password logins, open /etc/ssh/sshd_config with your favorite editor and look for the following
PasswordAuthentication yes
Change it to
PasswordAuthentication no
If you do not see a PasswordAuthentication line, you may need to add it.
You need to reload the ssh server for the changes to take effect (the init script is named ssh on Debian-based systems and sshd on most others).
$ /etc/init.d/ssh reload
Disable Root Logins
Warning: if you did not set up a user account and you are only using the root account, please make a user account first.
To check whether you have root logins enabled, run the following command as root
$ grep PermitRootLogin /etc/ssh/sshd_config
If it returns
PermitRootLogin no
then root logins are already disabled. As above, a leading # means the line is commented out and not in effect.
To disable root logins, open /etc/ssh/sshd_config with your preferred editor and look for the following
PermitRootLogin yes
Change it to
PermitRootLogin no
If you do not see a PermitRootLogin line, you may need to add it.
You need to reload the ssh server for the changes to take effect.
$ /etc/init.d/ssh reload
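The Port, PasswordAuthentication and PermitRootLogin edits in the three sections above are all the same operation: find the directive (active or commented out), rewrite it, or append it if absent, then check the file before reloading. The following POSIX shell helper is an added example, not part of the original page or of OpenSSH; the function names are its own, and it takes the config path as a parameter so you can try it on a scratch copy before touching /etc/ssh/sshd_config. It assumes grep, sed, awk and mktemp are available.

```shell
#!/bin/sh
# Added example (not from the original page): idempotent edits to an
# sshd_config-style file, covering the Port / PasswordAuthentication /
# PermitRootLogin changes described above.
# Limitations: keyword matching is case-sensitive (sshd itself is not),
# directives inside "Match" blocks are not treated specially, and files
# pulled in by an "Include" line are not edited. "sshd -T" remains the way
# to see the effective value after all of those are merged.

# get_sshd_option FILE KEY -> prints the value of the first active KEY line
# (sshd uses the first occurrence) or nothing if KEY is commented/absent.
get_sshd_option() {
    grep -E "^[[:space:]]*$2[[:space:]]+" "$1" | head -n 1 | awk '{print $2}'
}

# set_sshd_option FILE KEY VALUE
#   active "KEY old" line(s)        -> rewritten to "KEY VALUE"
#   only a commented "#KEY default" -> uncommented and rewritten
#   neither                         -> "KEY VALUE" appended at the end
set_sshd_option() {
    file=$1; key=$2; value=$3; tmp="$file.tmp.$$"
    if grep -Eq "^[[:space:]]*$key[[:space:]]" "$file"; then
        sed -E "s/^[[:space:]]*$key[[:space:]].*/$key $value/" "$file" > "$tmp"
    elif grep -Eq "^[[:space:]]*#[[:space:]]*$key[[:space:]]" "$file"; then
        sed -E "s/^[[:space:]]*#[[:space:]]*$key[[:space:]].*/$key $value/" "$file" > "$tmp"
    else
        cp "$file" "$tmp" && printf '%s %s\n' "$key" "$value" >> "$tmp"
    fi
    mv "$tmp" "$file"
}

# validate_sshd_config FILE -> 0 if "sshd -t" accepts the file (run as root:
# it also checks host keys). If sshd is not on PATH the check is skipped.
validate_sshd_config() {
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$1"
    else
        return 0
    fi
}

# Demo on a constructed copy of a stock-looking sshd_config, never the live file.
demo() {
    cfg=$(mktemp)
    printf '#Port 22\n#PermitRootLogin prohibit-password\nPasswordAuthentication yes\n' > "$cfg"
    set_sshd_option "$cfg" Port 443
    set_sshd_option "$cfg" PasswordAuthentication no
    set_sshd_option "$cfg" PermitRootLogin no
    validate_sshd_config "$cfg" || echo "sshd -t rejected the scratch config (or could not load host keys)"
    echo "port now: $(get_sshd_option "$cfg" Port)"
    rm -f "$cfg"
}
demo
```

Against the real file the sequence is `set_sshd_option /etc/ssh/sshd_config PermitRootLogin no`, then `validate_sshd_config /etc/ssh/sshd_config`, and only if that passes the `systemctl reload sshd.service` from the port section; a config that fails `sshd -t` would otherwise leave you with no working daemon after the reload.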
Using OpenSSH Keys
To generate yourself a set of ssh keys, use the following command
$ ssh-keygen -t rsa
Definition of passphrase:
A password that comprises a whole phrase. An example passphrase could be
my cat likes to eat flies
Now, for a little more security, we could replace common letters with numbers
my cat lik35 t0 3at fli35
After you have generated your key, you need to upload the public half to your host; the most common way would be via scp
$ scp ~/.ssh/id_rsa.pub username@example.com:~
Now log in to your server and run the following commands. The permissions matter: with the default StrictModes setting, sshd ignores authorized_keys if ~/.ssh or the file itself is writable by anyone but the owner.
$ mkdir -p ~/.ssh && chmod 700 ~/.ssh
$ cat ~/id_rsa.pub >> ~/.ssh/authorized_keys
$ chmod 600 ~/.ssh/authorized_keys
$ rm ~/id_rsa.pub
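The three commands above work once, but run them a second time and the same key is appended twice, and a missing chmod leaves a key file sshd will refuse to read. The following script is an added example, not part of the original page or of OpenSSH; its function names are its own, the key line in the demo is a constructed placeholder, and paths are parameters so it can be tested in a scratch directory. It assumes POSIX sh with awk, grep, find and chmod.

```shell
#!/bin/sh
# Added example (not from the original page): install a public key into
# authorized_keys idempotently and with the permissions sshd's default
# StrictModes requires (directory 700, file 600).

# mode_is PATH MODE -> 0 when PATH has exactly the octal MODE (POSIX find -perm)
mode_is() {
    [ -n "$(find "$1" -prune -perm "$2" -print)" ]
}

# has_pubkey PUBKEY_FILE AUTH_FILE -> 0 when the key (type + base64 blob; the
# trailing comment is ignored) is already listed in AUTH_FILE
has_pubkey() {
    ktype=$(awk 'NR == 1 { print $1 }' "$1"); blob=$(awk 'NR == 1 { print $2 }' "$1")
    [ -f "$2" ] && awk -v t="$ktype" -v b="$blob" \
        '$1 == t && $2 == b { found = 1 } END { exit !found }' "$2"
}

# install_pubkey PUBKEY_FILE SSH_DIR -> 0 on success (added, or already
# present), 1 if PUBKEY_FILE does not look like a single OpenSSH public key
install_pubkey() {
    pub=$1; dir=$2; auth="$dir/authorized_keys"
    # exactly one line of the form "<type> <base64> [comment]" with a known type
    [ "$(grep -c '' "$pub")" -le 1 ] || return 1
    case $(awk 'NR == 1 { print $1 }' "$pub") in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-*|sk-ssh-ed25519@openssh.com|sk-ecdsa-sha2-*) ;;
        *) return 1 ;;
    esac
    [ -n "$(awk 'NR == 1 { print $2 }' "$pub")" ] || return 1
    mkdir -p "$dir" && chmod 700 "$dir"
    [ -f "$auth" ] || : > "$auth"
    chmod 600 "$auth"
    if ! has_pubkey "$pub" "$auth"; then
        # printf re-adds the newline, so a .pub saved without one still lands
        # on its own line instead of being glued to the previous key
        printf '%s\n' "$(cat "$pub")" >> "$auth"
    fi
}

# Demo in a scratch directory with a constructed (not real) key line.
demo() {
    d=$(mktemp -d)
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructed user@laptop\n' > "$d/id_rsa.pub"
    install_pubkey "$d/id_rsa.pub" "$d/.ssh"
    install_pubkey "$d/id_rsa.pub" "$d/.ssh"   # second run adds nothing
    echo "keys installed: $(grep -c '' "$d/.ssh/authorized_keys")"
    rm -rf "$d"
}
demo
```

On the server this replaces the mkdir/cat/rm sequence with `install_pubkey ~/id_rsa.pub ~/.ssh && rm ~/id_rsa.pub`; `mode_is ~/.ssh 700` is a quick check to run when a key that was "definitely uploaded" still prompts for a password.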