cPanel & WHM 11.32
Installation Guides
cPanel User Guide
WHM User Guide
Apache & WHM
Change Log
Software Development Kit
Enkompass
Installation Guide
Help Files & Glossary
Change Log
Additional Documentation
PCI Compliance
cPanel Game Server (cPGS)
All English Documentation
Español – Documentación completa
RSS Feed
Installation Guides
cPanel User Guide
WHM User Guide
Apache & WHM
Change Log
Software Development Kit
Enkompass
Installation Guide
Help Files & Glossary
Change Log
Additional Documentation
PCI Compliance
cPanel Game Server (cPGS)
All English Documentation
Español – Documentación completa
RSS Feed
Securing SSH
For WHM version 11.32 Restricting and properly configuring SSH access is an essential step in securing your server.The SSH Configuration File
You can find the SSH configuration file at/etc/ssh/sshd_config
To edit this file, you will need to log into your server as the root user. Once you have logged into your normal user account via SSH, you can become the root user by using the su command. For example:
user@example.com [~]# su - Password: root@host [~]#
Editing the SSH Configuration File
To change specific parameters withinsshd_config, you need to uncomment the line by removing the number-sign (#) and changing the value for the line. For example, the default SSH port appears in a line like this:
To change the SSH port to 456, you will need to make the line appear like this:#Port 22
Port 456
Recommended Changes to sshd_config
- Port — The port number on which
sshdlistens for connections. We recommend picking any 4 or 5 digit number. The highest acceptable value is 49151. - Protocol — The SSH protocol your server will use. We recommend changing this value to 2.
- Listen Address — The IP address on which
sshdlistens for connections. Your server must own this IP address. We strongly recommend that you do not use your main shared IP address for this value. You can create a custom nameserver entry specifically for the new SSH IP address. To do so, you will need to create the zone file (for example,ssh.example.com) and add an A entry to the zone file for the new nameserver entry. - PermitRootLogin — This option specifies whether or not you wish to allow people to directly log in via SSH as the root user. We strongly recommend that you set this value to
no.
/etc/init.d/sshd restart
After you restart SSH, you will need to log out of your server and log in again using the proper user, IP address, and port number you specified in sshd_config.
If you accidentally misconfigure your SSH configuration file, you can access the following link to run a script on your server: https://example.com/scripts2/doautofixer?autofix=safesshrestart
This script will temporarily configure an additional SSH configuration file for port 23, allowing you to access, edit, and fix the original SSH configuration file.
Example sshd_config File
Warning: Do not copy the the example file below and attempt to use it on your server — it will result in a broken SSH configuration. This file is only an example.
Show... Hide # $OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. # This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin # The strategy used for options in the default sshd_config shipped with # OpenSSH is to specify options with their default value where # possible, but leave them commented. Uncommented options change a # default value. Port 3456 Protocol 2 #AddressFamily any ListenAddress 192.168.0.1 #ListenAddress :: # HostKey for protocol version 1 #HostKey /etc/ssh/ssh_host_key # HostKeys for protocol version 2 #HostKey /etc/ssh/ssh_host_rsa_key #HostKey /etc/ssh/ssh_host_dsa_key # Lifetime and size of ephemeral version 1 server key #KeyRegenerationInterval 1h #ServerKeyBits 768 # Logging # obsoletes QuietMode and FascistLogging #SyslogFacility AUTH SyslogFacility AUTHPRIV #LogLevel INFO # Authentication: #LoginGraceTime 2m PermitRootLogin no #StrictModes yes #MaxAuthTries 6 #RSAAuthentication yes PubkeyAuthentication yes #AuthorizedKeysFile .ssh/authorized_keys # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts #RhostsRSAAuthentication no # similar for protocol version 2 #HostbasedAuthentication no # Change to yes if you don't trust ~/.ssh/known_hosts for # RhostsRSAAuthentication and HostbasedAuthentication #IgnoreUserKnownHosts no # Don't read the user's ~/.rhosts and ~/.shosts files #IgnoreRhosts yes # To disable tunneled clear text passwords, change to no here! PasswordAuthentication yes #PermitEmptyPasswords no #PasswordAuthentication no # Change to no to disable s/key passwords #ChallengeResponseAuthentication yes ChallengeResponseAuthentication no # Kerberos options #KerberosAuthentication no #KerberosOrLocalPasswd yes #KerberosTicketCleanup yes #KerberosGetAFSToken no # GSSAPI options #GSSAPIAuthentication no GSSAPIAuthentication yes #GSSAPICleanupCredentials yes GSSAPICleanupCredentials yes # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will # be allowed through the ChallengeResponseAuthentication mechanism. # Depending on your PAM configuration, this may bypass the setting of #PasswordAuthentication no # "PermitRootLogin without-password". If you just want the PAM account and # session checks to run without PAM authentication, then enable this but set # ChallengeResponseAuthentication=no #UsePAM no UsePAM yes # Accept locale-related environment variables AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT AcceptEnv LC_IDENTIFICATION LC_ALL #AllowTcpForwarding yes #GatewayPorts no #X11Forwarding no X11Forwarding yes #X11DisplayOffset 10 #X11UseLocalhost yes #PrintMotd yes #PrintLastLog yes #TCPKeepAlive yes #UseLogin no #UsePrivilegeSeparation yes #PermitUserEnvironment no #Compression delayed #ClientAliveInterval 0 #ClientAliveCountMax 3 #ShowPatchLevel no #UseDNS yes #PidFile /var/run/sshd.pid #MaxStartups 10 #PermitTunnel no # no default banner path #Banner /some/path # override default of no subsystems Subsystem sftp /usr/libexec/openssh/sftp-server
Setting an SSH Legal Message
An SSH legal message (message of the day ormotd) appears whenever someone logs into your server via SSH. This message is contained within the following file: /etc/motd
To set a legal message, use your preferred text editor to edit the file and save your changes. For example, one of our technical analysts uses the following message:
ALERT! You are entering a secured area! Your IP and login information have been recorded. System administration has been notified. This system is restricted to authorized access only. All activities on this system are recorded and logged. Unauthorized access will be fully investigated and reported to the appropriate law enforcement agencies.
Use SSH Keys
You can use WHM's Main >> Security Center >> SSH Password Authorization Tweak feature to disable password authentication. Disabling password authentication forces users to login via SSH using keys rather than passwords.Topic revision: r13 - 26 Oct 2011 - 14:00:17 - Main.JustinSchaefer
AllDocumentation/WHMDocs.SecureSSHConfig moved from Sandbox.SecureSSHConfig on 16 Jul 2010 - 18:31 by Main.JustinSchaefer - put it back
Copyright © cPanel 2000–2011.