How to secure Debian Server 9.X – Disable root login & change SSH port

Now we’ve already setup our SSH keys, we can harden the server even more. If you have not setup SSH keys, please check my other post here

Changing the Port that the SSH Daemon Runs On

I suggest that you change the default port that SSH runs on. This can help decrease the number of authentication attempts your server is subjected to from automated bots.

To change the port that the SSH daemon listens on, you will have to log into your remote server. Open the sshd_config file on the remote system with root privileges, either by logging in with that user or by using sudo:

Once you are inside, you can change the port that SSH runs on by finding the Port 22 specification and modifying it to reflect the port you wish to use. For instance, to change the port to 4444, put this in your file:

Save and close the file when you are finished. To implement the changes, you must restart the SSH daemon.

After the daemon restarts, you will need to authenticate by specifying the port number. We will take a look at how to do this later on.

Limiting the Users Who can Connect Through SSH

To explicitly limit the user accounts who are able to login through SSH, you can take a few different approaches, each of which involve editing the SSH daemon config file.

On your remote server, open this file now with root or sudo privileges:

The first method of specifying the accounts that are allowed to login is using the AllowUsers directive. Search for the AllowUsers directive in the file. If one does not exist, create it anywhere. After the directive, list the user accounts that should be allowed to login through SSH:

Save and close the file. Restart the daemon to implement your changes.

If you are more comfortable with group management, you can use the AllowGroups directive instead. If this is the case, just add a single group that should be allowed SSH access (we will create this group and add members momentarily):

Save and close the file.

Now, you can create a system group (without a home directory) matching the group you specified by typing:

Make sure that you add whatever user accounts you need to this group. This can be done by typing:

Change the username (sammy & brian) with the user you would like to add. Now, restart the SSH daemon to implement your changes.

Disabling Root Login

It is often advisable to completely disable root login through SSH after you have set up an SSH user account that has sudo privileges. Like explained before, if your user gets hacked they won’t have full privileges on the server.

First of all, create a user with sudo privileges. Change the user1 to a user you would like to create.

Then change the usernames password with a password you like.

The output will look like this. If you enter your password, it will not show anything for security reasons.

Disabling root login

To do this, open the SSH daemon configuration file with root or sudo on your remote server.

Inside, search for a directive called PermitRootLogin. If it is commented, uncomment it. Change the value to “no”:

Save and close the file. To implement your changes, restart the SSH daemon.

Conclusion

You should now have secured your SSH good enough so you won’t be hacked.

If you would like to know more about hardening your Linux server, check the next parts.