Harden SSH by applying baseline daemon controls and verifying the service is listening on the expected port. Reduce exposure by disabling direct root login, enforcing modern protocol behavior, and confirming the change at the socket level.
You are tasked with hardening SSH access on a production
server. You will update /etc/ssh/sshd_config to
disable direct root login, enforce SSH protocol version 2, and
move the listener to a non-default port for basic noise
reduction. After applying the changes, restart the service and
verify it is listening on port 2222.
SSH changes can lock you out. Keep an active session open until the new access path is verified, and ensure firewall rules align with the updated listener.
Edit /etc/ssh/sshd_config safely, with a second session kept open.
Set PermitRootLogin no.
Enforce Protocol 2.
Change the listening port to 2222.
Restart sshd and verify it is listening on the new port.
Understand that SSH daemon policy lives in sshd_config and is applied on reload/restart.
Verify the listener with ss rather than assuming a restart succeeded.
sudo vim /etc/ssh/sshd_config
This file controls SSH daemon policy and listening behavior. Changes take effect after the service is restarted (or reloaded, depending on the change).
PermitRootLogin no
Disabling direct root login forces administrative access to flow through named accounts and privilege escalation, which improves auditability and reduces brute-force payoff.
Protocol 2
Protocol 2 is the modern SSH protocol. On OpenSSH releases older than 7.4 this directive stops the server from negotiating the broken protocol 1. OpenSSH 7.4 and later removed protocol 1 entirely and accept this directive only for backward compatibility, silently ignoring it, so on a current distribution the line is harmless but changes nothing. Keep it where a legacy build must be supported, and do not mistake it for an active control.
Port 2222
Moving off the default port can reduce unsolicited scan traffic and credential stuffing noise. Treat this as noise reduction, not a security boundary.
Ensure your firewall and any upstream security groups allow
TCP 2222 before you drop your current session.
sudo systemctl restart sshd
Restarting sshd applies the updated configuration. Run sudo sshd -t first: it parses the file without starting a daemon and reports the offending line, which is far cheaper than discovering a typo through a failed restart. On Debian and Ubuntu the unit is named ssh rather than sshd. In production, keep an existing session open until you
confirm the new listener is reachable; a restart that fails leaves no listener at all, while an already-established session survives it.
ss -tuln | grep 2222
This confirms that the daemon bound successfully to the new port. A listener here is strong evidence the configuration was parsed and applied.
tcp LISTEN 0 128 0.0.0.0:2222 0.0.0.0:*
tcp LISTEN 0 128 [::]:2222 [::]:*
If the restart fails: a bad directive or formatting error can prevent
sshd from starting, and systemctl status or journalctl -u sshd will show the parse error. Fix the config, confirm it with sudo sshd -t, then retry
the restart while your existing session is still open.
If ss shows nothing on 2222: the daemon may still be bound to the old port
(the restart never happened, or the edited Port line is commented out), or it
failed to bind because another process already holds the port or a mandatory access control policy forbids it. On SELinux-enforcing hosts a non-default port must be labelled ssh_port_t (semanage port -a -t ssh_port_t -p tcp 2222) before sshd may bind it. Re-check the active
Port directive, check the journal for a bind error, and restart again.
If the listener is present but you cannot connect from outside: this is usually a firewall or security group mismatch. Verify
inbound rules for TCP 2222 on the host and on any upstream filter, then confirm the
listener is present on the server with ss.
If root can still log in: sshd uses the first value it reads for a keyword, so
PermitRootLogin no is ineffective when an earlier occurrence wins, including a file pulled in by an Include directive above your edit (on recent Debian and Ubuntu, /etc/ssh/sshd_config.d/*.conf), or when a Match block re-enables it for the connecting user or address. Check the effective value with sudo sshd -T | grep -i permitrootlogin, and restart the service
after changes.
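The two checks the procedure and the troubleshooting above depend on, as an added example that is not part of the original lab: effective_value reproduces sshd's first-value-wins rule over a config text, so you can see when an Include'd drop-in or a duplicate line is overriding your PermitRootLogin edit, and listening_on_port answers the ss question without eyeballing the listing. apply_and_verify chains sshd -t, the restart and the ss check for a live host. The sample config, the sample ss output, the unit name sshd and the --apply switch are assumptions constructed for this example.

```shell
#!/usr/bin/env bash
# Added example, not part of the original lab. The sample config text, the
# sample ss output, the unit name "sshd" and the --apply switch are
# assumptions made for illustration.
set -u

# Print the value sshd would use for keyword $1 from the sshd_config text on
# stdin. sshd keeps the FIRST value it reads, so a drop-in pulled in by an
# Include above your edit wins over the edit. Match blocks run to end of file
# and apply only conditionally, so parsing stops at the first one. Empty
# output means the compiled-in default applies (prohibit-password for
# PermitRootLogin). Limitation: files named by Include are not opened here;
# inline their contents first.
effective_value() {
    local key=$1
    awk -v key="$key" '
        /^[[:space:]]*(#|$)/ { next }            # comments and blank lines
        $1 ~ /=/ { sub(/=/, " ") }               # "Keyword=value" form -> two fields
        tolower($1) == "match" { exit }          # conditional section begins; stop
        tolower($1) == tolower(key) { print $2; exit }
    '
}

# Exit 0 if the `ss -tln` / `ss -tuln` listing on stdin has a LISTEN socket
# whose local address ends in :$1. Every field is scanned, so both layouts
# (with and without the Netid column) work; a loopback-only bind still counts.
listening_on_port() {
    local port=$1
    awk -v port="$port" '
        /LISTEN/ { for (i = 1; i <= NF; i++) if ($i ~ (":" port "$")) { found = 1; exit } }
        END { exit (found ? 0 : 1) }
    '
}

# Live procedure for a real host; keep another session open while it runs.
# sshd -t parses the config without starting a daemon: if it fails we stop,
# because a restart would leave NO listener. sshd -T prints the effective
# values after Includes and defaults are resolved.
apply_and_verify() {
    local port=${1:-2222} unit=${2:-sshd}   # Debian/Ubuntu name the unit "ssh"
    sudo sshd -t || { echo "sshd_config has errors; not restarting" >&2; return 1; }
    echo "effective settings:"; sudo sshd -T | grep -Ei '^(port|permitrootlogin) '
    sudo systemctl restart "$unit" || return 1
    if ss -tln | listening_on_port "$port"; then
        echo "sshd is listening on TCP $port"
    else
        echo "no listener on $port: see journalctl -u $unit (port in use, SELinux label)" >&2
        return 1
    fi
}

# Constructed sample: a distro drop-in (normally pulled in by an Include near
# the top of sshd_config) already set PermitRootLogin before the admin's edit.
SAMPLE_CONFIG='# --- inlined from a hypothetical /etc/ssh/sshd_config.d/10-distro.conf ---
PermitRootLogin yes
# --- admin edits further down ---
Port 2222
PermitRootLogin no
Match User deploy
    PermitRootLogin no
'

# Constructed sample of `ss -tln` output after a successful restart.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128          0.0.0.0:2222       0.0.0.0:*
LISTEN 0      128             [::]:2222          [::]:*
LISTEN 0      4096       127.0.0.1:631        0.0.0.0:*
'

if [ "${1:-}" = "--apply" ]; then
    apply_and_verify "${2:-2222}" "${3:-sshd}"
else
    # Offline demo: the drop-in wins, so the "no" further down has no effect.
    printf 'PermitRootLogin -> %s\n' "$(printf '%s' "$SAMPLE_CONFIG" | effective_value PermitRootLogin)"   # yes
    printf 'Port -> %s\n' "$(printf '%s' "$SAMPLE_CONFIG" | effective_value Port)"                         # 2222
    printf '%s' "$SAMPLE_SS" | listening_on_port 2222 && echo "listener on 2222: present"
    printf '%s' "$SAMPLE_SS" | listening_on_port 22   || echo "listener on 22: absent"
fi
```

Run it without arguments for the offline demonstration; run it as ./harden-check.sh --apply 2222 sshd (or ssh on Debian/Ubuntu) on the host to validate, restart and verify in one step. The script deliberately refuses to restart when sshd -t fails, because that is the exact case that locks you out.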
If this was a temporary hardening exercise, revert the port to
22 and restart sshd so follow-on labs
and tools use the default listener.
sudo vim /etc/ssh/sshd_config
sudo systemctl restart sshd
ss -tuln
You are done when this shows the expected port bound for SSH and you can connect
using the intended client command.
vim /etc/ssh/sshd_config
: Opens the SSH daemon configuration file for editing.
/etc/ssh/sshd_config
: Primary SSH daemon configuration file.
PermitRootLogin no
: Disables direct SSH login as the root user.
Protocol 2
: Enforces SSH protocol version 2 (a no-op on OpenSSH 7.4 and later, which only speak protocol 2).
Port 2222
: Changes the SSH daemon listening port.
22
: Default SSH port.
2222
: Non-default port used in this lab.
systemctl restart sshd
: Restarts the SSH daemon to apply configuration changes.
ss -tuln | grep <port>
: Confirms a service is listening on a specific port.
-t
: Shows TCP sockets.
-u
: Shows UDP sockets.
-l
: Shows listening sockets only.
-n
: Disables name resolution (faster and unambiguous).
|
: Pipes output from the left command into the right
command.
grep <port>
: Filters output to the target port (for example
2222
).