5 Basic SSH Security Tips


July 20th, 2011 By:

SSH (Secure Shell) is designed with security in mind.  In the old days, people often used Telnet to connect to their servers, but that was back when servers were down the hall, not over the vast expanse of the uncharted Internet.  SSH adds a layer of encryption to the transmission, ensuring that you can connect to your dedicated server or virtual private server (VPS) without the risk of having your password intercepted.

Although SSH is more secure than most Internet protocols by default, you can still harden it further.  The following are five tips for SSH security bliss.

1. Restrict root logins.  There is no reason, under normal circumstances, to allow direct root logins to your server.  The system administrator can become root once logged in (using su or sudo), but there is no reason to risk having your root account directly exposed to the Internet.  With root logins restricted, attackers will not easily gain access, even if they manage to find out the password.

2. Jail users in chroot directories. Linux and Unix servers have permissions in place to prevent a normal user from doing something crazy, like deleting all the files in /etc, but nothing prevents them from seeing those files.  Using chroot, you can restrict users to their own /home directories.

3. Install Brute Force Detection software.  Attackers use brute force techniques to find out your password and do naughty things with your server.  Good brute force detection software can neutralize attempts as soon as they start.

4. Require secure passwords and periodic rotations.  As the sysadmin, you can set password strength requirements and also require users to periodically change their passwords.

5. Set the Timeout Interval.  One very useful feature in the SSH configuration file is the ability to set a timeout interval so that users do not stay logged in, even when they forget to log out.  This keeps things tidy and prevents people from sneaking into always-logged-in user accounts.
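
The check below is an added example, not part of the original article: it audits sshd_config text against tips 1, 2 and 5, assuming they map to OpenSSH's PermitRootLogin, ChrootDirectory and ClientAliveInterval directives (the article does not name them). The sample configuration and the finding codes are constructed for illustration.

```python
# Added example, not from the article: audit sshd_config text for tips 1, 2, 5.
# SAMPLE is constructed for illustration, not taken from a real host.
SAMPLE = """\
# sshd keeps the first value it reads, so the later "no" is ignored
PermitRootLogin yes
PermitRootLogin no
ClientAliveInterval 0

Match Group sftponly
    ChrootDirectory /home/%u
    ForceCommand internal-sftp
"""

def parse(text):
    """Return (global settings, [(match criteria, settings), ...])."""
    global_cfg, blocks = {}, []
    current = global_cfg
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()                  # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":                      # opens a conditional block
            current = {}
            blocks.append((value, current))
        else:
            current.setdefault(key, value)      # first occurrence wins
    return global_cfg, blocks

def audit(text):
    """Return sorted finding codes; an empty list means all three tips hold."""
    cfg, blocks = parse(text)
    scopes = [cfg] + [settings for _, settings in blocks]
    findings = []
    # Tip 1: root login must be explicitly "no" globally and in every Match.
    if cfg.get("permitrootlogin", "unset").lower() != "no":
        findings.append("root-login:global")
    findings += [f"root-login:Match {crit}" for crit, s in blocks
                 if s.get("permitrootlogin", "no").lower() != "no"]
    # Tip 2: at least one scope should confine users with ChrootDirectory.
    if not any(s.get("chrootdirectory", "none").lower() != "none" for s in scopes):
        findings.append("no-chroot")
    # Tip 5: unset or 0 means sshd never sends client-alive checks.
    if cfg.get("clientaliveinterval", "0") == "0":
        findings.append("no-timeout")
    return sorted(findings)

if __name__ == "__main__":
    print(audit(SAMPLE))
```

sshd refuses a chroot target unless every component of the path is a root-owned directory that no other user or group can write to, so a passing ChrootDirectory line still needs a check of the directory ownership on disk.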

