How to Secure SSH
Last modified: August 28, 2019
This document lists several helpful changes that you can make to your server to improve SSH security. We strongly recommend that you restrict and properly configure Secure Shell (SSH) access in order to secure your server.
Be careful who you grant SSH access to
If a user does not need SSH access, do not grant them access. To remove a user’s SSH access, use WHM’s
Manage Shell Access interface (WHM >> Home >> Account Functions >> Manage Shell Access).
Some users may need SSH access, but only need access to files in their home directory. We recommend that you assign a jailed shell environment to these users. For more information about jailed shells, read our VirtFS - Jailed Shell documentation.
Set an SSH Legal Message
The system can display an SSH legal message (message of the day, or
motd) whenever someone logs in to your server through SSH.
To set the message, use your preferred text editor to edit the
/etc/motd file and save your changes. For example, one of our technical analysts uses the following message:
ALERT! You have entered a secured area! The system has recorded
your IP and login information, and it has notified the administrator.
This system is restricted to authorized access only. All activities on
this system are recorded and logged. The system administrator will fully
investigate and report unauthorized activity to the appropriate law
Use SSH Keys
You can disable password authentication for SSH on your server, which will force users to log in through SSH with keys instead of passwords.
To do this, perform the following:
Manage root’s SSH Keys interface (WHM >> Home >> Security Center >> Manage root’s SSH Keys) to generate and download a key for the root user.
SSH Password Authorization Tweak interface (WHM >> Home >> Security Center >> SSH Password Authorization Tweak) to disable password authentication for SSH.
Strengthen SSH security
/etc/ssh/sshd_config file contains your server’s configuration settings for SSH. We recommend that you change the following settings:
Port — The port number on which the
sshd daemon listens for connections. The highest acceptable value is
We recommend that you use a privileged port of
1023 that another service does not currently use. Only the
root user can bind to ports
1023. Anyone can use the unprivileged ports of
1024 and greater.
Protocol — The SSH protocol that your server uses. We recommend that you change this value to
ListenAddress — The IP address on which the
sshd daemon listens for connections. Your server must own this IP address. We strongly recommend that you do not use your main shared IP address for this value. You can create a custom DNS entry specifically for the new SSH IP address. To do so, create a zone file (for example,
ssh.example.com) and add an A entry to the zone file for the new nameserver entry.
PermitRootLogin — This option specifies whether you wish to allow people to directly log in to SSH as the
root user. We strongly recommend that you set this value to
Edit the sshd_config file
To configure the
/etc/ssh/sshd_config file in order to tighten your server’s security, perform the following steps:
For CentOS 7, CloudLinux 7, and RHEL 7 firewall management, we recommend that you manage your server’s firewall with the
/etc/firewalld/services/cpanel.xml file. You can read more about this file in our How to Configure Your Firewall for cPanel Services documentation.
Log in to your server as the
root user via SSH. If your server does not allow direct
root logins to SSH, log in as your wheel user and use the
su command to become the
Back up the
sshd_config file with the following command:
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak`date +%F`
/etc/ssh/sshd_config file with a text editor.
To change a parameter in the
sshd_config file, uncomment the line that contains the parameter. To do this, remove the number-sign character (
#) and change the value for the line.
For example, the default SSH port appears in a line similar to the following example:
To change the SSH port to
If you change the default SSH port, you must update your server’s firewall configuration to allow traffic to the new port. For more information about firewall configuration, read our How to Configure Your Firewall for cPanel Services documentation.
456, edit that line to resemble the following example:
After you configure SSH, run the
/scripts/restart_sshd script or the
service sshd restart command to restart the SSH daemon.
After you restart SSH, log out of your server and log in again with the user, IP address, and port number that you specified in the
If you accidentally misconfigure your SSH configuration file, navigate to the following link in your web browser (where
example.com represents the server’s hostname or main IP address):
This script attempt to will temporarily configure an additional SSH configuration file for port
22, which will allow you to access, edit, and fix the original SSH configuration file. If another service or daemon uses port
22, the script will configure an additional SSH configuration file for port
Example sshd_config File
Do not copy the the example file below and attempt to use it on your server. It will break your SSH service configuration. This file is only an example.
Click to view...
# $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
# The default requires explicit activation of protocol 1
# HostKey for protocol version 1
# HostKeys for protocol version 2
# Lifetime and size of ephemeral version 1 server key
# Ciphers and keying
#RekeyLimit default none
# obsoletes QuietMode and FascistLogging
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
# similar for protocol version 2
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
# Don't read the user's ~/.rhosts and ~/.shosts files
# To disable tunneled clear text passwords, change to no here!
# Change to no to disable s/key passwords
# Kerberos options
# GSSAPI options
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
UsePrivilegeSeparation sandbox # Default for new installations.
# no default banner path
# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server