Overview
This document lists several helpful changes that you can make to your server to improve SSH security. We strongly recommend that you restrict and properly configure Secure Shell (SSH) access in order to secure your server.
Be careful who you grant SSH access to
If a user does not need SSH access, do not grant them access. To remove a user’s SSH access, use WHM’s Manage Shell Access interface (WHM » Home » Account Functions » Manage Shell Access).
Some users may need SSH access, but only need access to files in their home directory. We recommend that you assign a jailed shell environment to these users. For more information about jailed shells, read our VirtFS - Jailed Shell documentation.
Set an SSH Legal Message
The system can display an SSH legal message (message of the day, or motd) whenever someone logs in to your server through SSH.
To set the message, use your preferred text editor to edit the /etc/motd file and save your changes. For example, one of our technical analysts uses the following message:
|
|
Use SSH Keys
You can disable password authentication for SSH on your server, which will force users to log in through SSH with keys instead of passwords.
To do this, perform the following:
-
Use WHM’s Manage root’s SSH Keys interface (WHM » Home » Security Center » Manage root’s SSH Keys) to generate and download a key for the root user.
-
Use WHM’s SSH Password Authorization Tweak interface (WHM » Home » Security Center » SSH Password Authorization Tweak) to disable password authentication for SSH.
Strengthen SSH security
The /etc/ssh/sshd_config file contains your server’s configuration settings for SSH. We recommend that you change the following settings:
-
Port— The port number on which thesshddaemon listens for connections. The highest acceptable value is49151.Note:We recommend that you use a privileged port of
1-1023that another service does not currently use. Only therootuser can bind to ports1-1023. Anyone can use the unprivileged ports of1024and greater. -
Protocol— The SSH protocol that your server uses. We recommend that you change this value to2. -
ListenAddress— The IP address on which thesshddaemon listens for connections. Your server must own this IP address. We strongly recommend that you do not use your main shared IP address for this value. You can create a custom DNS entry specifically for the new SSH IP address. To do so, create a zone file (for example,ssh.example.com) and add an A entry to the zone file for the new nameserver entry. -
PermitRootLogin— This option specifies whether you wish to allow people to directly log in to SSH as therootuser. We strongly recommend that you set this value tono.
Edit the sshd_config file
To configure the /etc/ssh/sshd_config file in order to tighten your server’s security, perform the following steps:
For CentOS 7, CloudLinux™ 7 and 8, AlmaLinux OS, Rocky Linux™, and Red Hat® Enterprise Linux® (RHEL) 7 firewall management, we recommend that you manage your server’s firewall with the /etc/firewalld/services/cpanel.xml file. You can read more about this file in our How to Configure Your Firewall for cPanel & WHM Services documentation.
-
Log in to your server as the
rootuser via SSH. If your server does not allow directrootlogins to SSH, log in as your wheel user and use thesucommand to become therootuser. -
Back up the
sshd_configfile with the following command:cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak`date +%F` -
Open the
/etc/ssh/sshd_configfile with a text editor. -
To change a parameter in the
sshd_configfile, uncomment the line that contains the parameter. To do this, remove the number-sign character (#) and change the value for the line.For example, the default SSH port appears in a line similar to the following example:Important:If you change the default SSH port, you must update your server’s firewall configuration to allow traffic to the new port. For more information about firewall configuration, read our How to Configure Your Firewall for cPanel & WHM Services documentation.
To change the SSH port to#Port 22456, edit that line to resemble the following example:Port 456
After you configure SSH, run the /scripts/restart_sshd script or the service sshd restart command to restart the SSH daemon.
After you restart SSH, log out of your server and log in again with the user, IP address, and port number that you specified in the sshd_config file.
If you accidentally misconfigure your SSH configuration file, navigate to the following link in your web browser (where example.com represents the server’s hostname or main IP address):
https://example.com:2087/scripts2/doautofixer?autofix=safesshrestart
This script attempt to will temporarily configure an additional SSH configuration file for port 22, which will allow you to access, edit, and fix the original SSH configuration file. If another service or daemon uses port 22, the script will configure an additional SSH configuration file for port 23.
Example sshd_config File
Do not copy the the example file below and attempt to use it on your server. It will break your SSH service configuration. This file is only an example.