Elastic Cloud Server

Security Hardening for SSH Login on Linux Servers

2025-11-26 06:26:02

SSH is the main way to remotely log in to Linux servers, but it is also one of the main entry points for hackers to carry out brute-force and other malicious attacks. To enhance the SSH login security of a Linux cloud server, you can use the following methods:

· Modify the default port

· Disable root user from logging in directly

· Add a security group rule

· Log in with a key

· Configure SSH login restrictions

Let's take CentOS as an example to show you how to reinforce the security.

Modify the default port

1. Log in to the Elastic Cloud Server remotely.

2. Open the sshd configuration file /etc/ssh/sshd_config in an editor, for example with the vi command:

vi /etc/ssh/sshd_config

3. Find the following line:

#Port 22

Remove the comment symbol # from this line and change 22 to the port number you want to set, such as 2222:

Port 2222

4. Press ESC, then enter :wq to save the changes and exit the editor.

5. Restart the sshd service for the configuration to take effect. The sshd service can be restarted using the following command:

systemctl restart sshd

6. Check whether the change has taken effect. You can use the following command to check whether the sshd service is listening on the new port:

netstat -tnl | grep 2222

If the output is similar to the following, then the sshd service is already listening on the new port 2222:

tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN

7. After completing the above steps, the default SSH port number of the CentOS system is successfully changed to 2222. Note that after changing the default SSH port number, you need to use the new port number for SSH connections, for example:

ssh username@hostname -p 2222

where username and hostname are the SSH login username and remote hostname or IP address, respectively.

Disable root user from logging in directly

The default administrator name on Linux is root, and anyone who knows the root password can log in over SSH directly. Disabling direct root login over SSH improves the security of the server. This can be achieved by doing the following.

1. Create a new user

useradd test

2. Configure the password

#Use the passwd command to set or change the password for the account.

passwd test

#As prompted, enter the password twice to set or change it. The second entry validates the first; press Enter to confirm after entering.

Changing password for user test.

New password:

Retype new password:

passwd: all authentication tokens updated successfully.

3. Configure sshd so that the root user cannot log in directly, by modifying the related file

vi /etc/ssh/sshd_config

Locate "#PermitRootLogin yes", which is at line 132 by default.

Delete "#" and change "yes" to "no" at the end.

Type :wq to save.

4. Restart the sshd service

systemctl restart sshd

5. Test the connection. Connecting directly to the server as root is rejected by ssh.
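
The two sshd_config edits above can be checked before sshd is restarted. The script below is an added example, not part of the original page; it assumes a configuration without Include directives, and its function names and sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: read the global Port and PermitRootLogin settings from an sshd_config file.
# Assumes no Include directives; function names are illustrative.

# first_value FILE KEYWORD: sshd keeps the first value it reads for a keyword.
first_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }                  # "#Port 22" is a comment, not a setting
        tolower($1) == "match" { exit }      # global section ends at the first Match block
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# listen_ports FILE: Port may repeat and sshd listens on every one; unset means 22.
listen_ports() {
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == "port" { printf "%s%s", sep, $2; sep = "," }
        END { if (sep == "") printf "22" }
    ' "$1"
}

# audit_sshd_config FILE: prints findings, returns 1 if a hardening step is missing.
audit_sshd_config() {
    ports=$(listen_ports "$1"); root=$(first_value "$1" PermitRootLogin); rc=0
    case ",$ports," in
        *,22,*) echo "WARN: port 22 still open (Port: $ports)"; rc=1 ;;
        *)      echo "OK: Port $ports" ;;
    esac
    case "$root" in
        no) echo "OK: PermitRootLogin no" ;;
        "") echo "WARN: PermitRootLogin not set, built-in default applies"; rc=1 ;;
        *)  echo "WARN: PermitRootLogin $root"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample: the port was changed, but "PermitRootLogin no" was added
# below an earlier active "PermitRootLogin yes", so the edit has no effect.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
printf '%s\n' '#Port 22' 'Port 2222' 'PermitRootLogin yes' \
    '#PermitRootLogin yes' 'PermitRootLogin no' > "$sample"
audit_sshd_config "$sample" || true
```

On the server, `sshd -t` checks the file for syntax errors before `systemctl restart sshd`, and `sshd -T` prints the settings sshd will actually use.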

Add a security group rule

The inbound rule in the security group has port 22 enabled by default. When the SSH login port of the cloud server is changed to 2222, you need to add a new rule for the security group.

Log in to the console.

1. Select Computing > Elastic Cloud Server to enter the cloud server console.

2. Click the cloud server name to enter the details page.

3. Select the "Security Group" tab, click to expand the security group rule details, and click Change Security Group Rules in the upper right corner of the list.

4. Add an inbound rule.

Log in with a key

Key pair login is more secure than password login, so you can choose the key pair login method when creating an ECS.

1. Create a new key pair, or select an existing key pair and download it locally.

2. When creating a cloud server, select a key pair as the login method.

3. Log in to the ECS with Xshell.

Execute the following command through Elastic IP to remotely connect to ECS via SSH.

ssh username@elastic IP

Select Public Key and click Browse in the User Key(K) column.

In the User Key window, click Import.

Select the locally saved key file and click Open.

Click OK to log in to the ECS.

Configure SSH login restrictions

"/etc/hosts.allow" and "/etc/hosts.deny" are the files that control remote access. By configuring these files, clients of an IP or IP segment can be allowed or denied access to the service of Linux Cloud Server.

For example, if the SSH service is usually only available to administrators, then we can disable unnecessary IPs and only open IP segments that administrators may use.

Since you may need to log in to the cloud server from different locations, it is recommended to edit "/etc/hosts.allow" to allow all IP addresses to log in, which will not affect normal use.

vim /etc/hosts.allow

Add sshd:ALL as the last line.

You can also look for security risks on the cloud server, for example by using tail -f /var/log/secure to follow the SSH log and view the IP addresses suspected of malicious login attempts.

Then disable these addresses in "/etc/hosts.deny".
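
The log review described above can be scripted. The following is an added example, not part of the original page; it handles IPv4 sources only, and the function name, threshold and log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: turn repeated SSH password failures in a secure log into hosts.deny lines.
# IPv4 only; the function name and threshold are illustrative.

# deny_candidates LOGFILE MIN: print "sshd: IP" for each source with >= MIN failures.
deny_candidates() {
    awk -v min="$2" '
        /sshd\[[0-9]+\]: Failed password for / &&
        $(NF-4) == "from" && $(NF-2) == "port" {
            # Take the address from the END of the line. The user name is chosen
            # by the client and can contain " from 198.51.100.20" to frame a host.
            ip = $(NF-3)
            if (ip ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) fails[ip]++
        }
        END { for (ip in fails) if (fails[ip] >= min) print "sshd: " ip }
    ' "$1" | sort
}

# Constructed sample in the /var/log/secure format (documentation address ranges).
log=$(mktemp)
trap 'rm -f "$log"' EXIT
cat > "$log" <<'EOF'
Nov 26 06:01:12 ecs-test sshd[1234]: Failed password for root from 203.0.113.7 port 51234 ssh2
Nov 26 06:01:15 ecs-test sshd[1235]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Nov 26 06:01:18 ecs-test sshd[1236]: Failed password for invalid user oracle from 203.0.113.7 port 51244 ssh2
Nov 26 06:01:20 ecs-test sshd[1237]: Failed password for invalid user x from 198.51.100.20 from 203.0.113.7 port 51250 ssh2
Nov 26 06:05:02 ecs-test sshd[1300]: Failed password for test from 192.0.2.44 port 40100 ssh2
Nov 26 06:05:09 ecs-test sshd[1300]: Accepted publickey for test from 192.0.2.44 port 40101 ssh2
EOF

# One mistyped password (192.0.2.44) stays below the threshold of 3.
deny_candidates "$log" 3
```

TCP wrappers consult /etc/hosts.allow before /etc/hosts.deny and stop at the first match, so a `sshd:ALL` line in hosts.allow means deny entries for sshd are never reached. Both files apply only where sshd is built with TCP wrappers (libwrap) support.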

