This document lists several helpful changes that you can make to your server to improve SSH security. We strongly recommend that you restrict and properly configure Secure Shell (SSH) access in order to secure your server.
Be careful with whom you grant SSH access
If a user does not need SSH access, do not grant them access. To remove a user's SSH access, use WHM's Manage Shell Access interface (WHM >> Home >> Account Functions >> Manage Shell Access).
Some users may need SSH access, but only need access to files in their
home directory. We recommend that you assign a jailed shell environment to these users. For more information about jailed shells, read our VirtFS - Jailed Shell documentation.
Set an SSH Legal Message
The system can display an SSH legal message (message of the day, or
motd) whenever someone logs in to your server through SSH.
To set the message, use your preferred text editor to edit the
/etc/motd file and save your changes. For example, one of our technical analysts uses the following message:
Use SSH Keys
You can disable password authentication for SSH on your server, which will force users to log in through SSH with keys instead of passwords.
To do this, perform the following:
- Use WHM's Manage root's SSH Keys interface (WHM >> Home >> Security Center >> Manage root's SSH Keys) to generate and download a key for the root user.
- Use WHM's SSH Password Authorization Tweak interface (WHM >> Home >> Security Center >> SSH Password Authorization Tweak) to disable password authentication for SSH.
Strengthen SSH security
/etc/ssh/sshd_config file contains your server's configuration settings for SSH.
We recommend that you change the following settings:
Port— The port number on which the
sshddaemon listens for connections. The highest acceptable value is
We recommend that you use a privileged port of
1023that another service does not not currently use. Only the
rootuser can bind to ports
1023. Anyone can use the unprivileged ports of
Protocol— The SSH protocol that your server uses. We recommend that you change this value to
ListenAddress— The IP address on which the
sshddaemon listens for connections. Your server must own this IP address. We strongly recommend that you do not use your main shared IP address for this value. You can create a custom DNS entry specifically for the new SSH IP address. To do so, create a zone file (for example,
ssh.example.com) and add an A entry to the zone file for the new nameserver entry.
PermitRootLogin— This option specifies whether you wish to allow people to directly log in to SSH as the
rootuser. We strongly recommend that you set this value to
To configure the
/etc/ssh/sshd_config file in order to tighten your server's security, perform the following steps:
For CentOS 7, CloudLinux 7, and RHEL 7 firewall management, we recommend that you manage your server's firewall with the
/etc/firewalld/services/cpanel.xml file. You can read more about this file in our How to Configure Your Firewall for cPanel Services documentation.
- Log in to your server as the
rootuser via SSH.
If your server does not allow direct
rootlogins to SSH, log in as your wheel user and use the
sucommand to become the
rootuser. For example:
Back up the
sshd_configfile with the following command:
- Open the
/etc/ssh/sshd_configfile with a text editor.
To change a parameter in the
sshd_configfile, uncomment the line that contains the parameter. To do this, remove the number-sign character (
#) and change the value for the line.
If you change the default SSH port, you must update your server's firewall configuration to allow traffic to the new port. For more information about firewall configuration, read our How to Configure Your Firewall for cPanel Services documentation.
For example, the default SSH port appears in a line similar to the following example:
To change the SSH port to
456, edit that line to resemble the following example:
After you configure SSH, run the
/scripts/restart_sshd script or the
sshd restart command to restart the SSH daemon.
After you restart SSH, log out of your server and log in again with the user, IP address, and port number that you specified in the
If you accidentally misconfigure your SSH configuration file, navigate to the following link in your web browser (where
example.com represents the server's hostname or main IP address):
This script attempt to will temporarily configure an additional SSH configuration file for port
22, which will allow you to access, edit, and fix the original SSH configuration file. If another service or daemon uses port 22, the script will configure an additional SSH configuration file for port
Do not copy the the example file below and attempt to use it on your server. It will break your SSH service configuration. This file is only an example.