
Lab 63: Configure and Secure SSH

Harden SSH access by applying baseline daemon configuration controls and validating that the service is listening on the expected port. Use the results to reduce exposure (root login), enforce modern protocol behavior, and confirm the change took effect at the socket level.

Tags: security, ssh, hardening

Scenario

You are tasked with hardening SSH access on a production server. You will update /etc/ssh/sshd_config to disable direct root login, ensure the server uses SSH protocol version 2, and move the listener to a non-default port for basic noise reduction. After applying the changes, you will restart the service and verify the listener is active on port 2222.

Operator context

SSH hardening should be applied carefully. In real environments you validate the configuration before restarting (sshd -t reports syntax errors without touching the running daemon), align firewall rules with the new listener port (and on SELinux-enforcing hosts label the port with semanage port -a -t ssh_port_t -p tcp 2222, otherwise sshd cannot bind it), and keep an existing session open until a fresh login over the new port succeeds. This lab focuses on the core daemon settings and post-change verification.

Objective

  • Open /etc/ssh/sshd_config for editing.
  • Disable direct root login using PermitRootLogin no.
  • Ensure SSH protocol version 2 is enforced.
  • Change the SSH listening port to 2222.
  • Restart the SSH daemon and verify it is listening on the new port.

What You’ll Practice

  • Editing sshd_config safely and applying focused, high-impact directives.
  • Disabling direct root access to reduce credential-risk blast radius.
  • Applying a listener change and validating socket state with ss or netstat.
  • Restarting a systemd-managed service and confirming the change took effect.

Walkthrough

Step 1 : Open the SSH daemon configuration for editing.
Command
sudo vim /etc/ssh/sshd_config

This file controls SSH daemon policy and listening behavior. On current distributions it begins with an Include of /etc/ssh/sshd_config.d/*.conf, and sshd keeps the first value it reads for a keyword, so a drop-in there silently overrides anything set later in this file; sshd -T prints the effective configuration if you need to check. Changes take effect after the service is restarted (or reloaded, depending on the change).

Configuration file opened.
Step 2 : Disable direct root login.
Directive
PermitRootLogin no

Disabling direct root login forces administrative access through named accounts and a privilege-escalation step (sudo), which improves auditability and removes the one username every brute-force tool tries first. Note that the stock default since OpenSSH 7.0, prohibit-password, still permits root login with a key; no closes that path as well.

Root login disabled.
Step 3 : Enforce SSH protocol version 2.
Directive
Protocol 2

Protocol 2 is the only SSH protocol a modern server speaks. OpenSSH 7.4 removed SSHv1 support from sshd entirely, so on any current release the Protocol keyword is ignored and sshd -t only prints a "Deprecated option Protocol" warning; setting it is harmless and still matters on legacy builds that could otherwise negotiate protocol 1.

Protocol version set to 2.
Step 4 : Change the SSH listening port to 2222.
Directive
Port 2222

Moving off the default port can reduce unsolicited scan traffic and credential stuffing noise. It is not a substitute for real access control, but it can reduce operational distraction.

SSH port changed to 2222.
Step 5 : Restart the SSH service to apply changes.
Command
sudo systemctl restart sshd

Restarting sshd applies the updated configuration; run sshd -t first so a typo does not leave you with a daemon that refuses to start. The unit name varies: it is sshd.service on RHEL/Fedora, while Debian/Ubuntu use ssh.service (sshd.service exists there only as an alias once the unit is enabled). On socket-activated setups (Ubuntu 22.10 introduced ssh.socket) the socket unit's ListenStream, not sshd_config, decides the bound port, so check systemctl cat ssh.socket if the new port never appears. In production, keep the existing session open until you confirm the new listener is reachable.

SSH service restarted successfully.
Step 6 : Verify SSH is listening on port 2222.
Command
ss -tuln | grep 2222

This confirms that the daemon bound the new port, which means the configuration was parsed and applied. Also check that nothing is still listening on 22 (ss -tln | grep ':22 '), and open a second session on 2222 before closing the one you have. Adding -p (ss -tlnp, as root) shows which process owns the socket.

tcp   LISTEN 0      128          0.0.0.0:2222      0.0.0.0:*
tcp   LISTEN 0      128             [::]:2222         [::]:*

SSH is confirmed to be listening on port 2222.
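The six steps above as one script, added here as an example and not part of the original lab: it applies the three directives idempotently, validates with sshd -t before restarting, picks the right unit name, and checks the socket afterwards. The helper names (set_directive, listening_on_port, sshd_unit, apply_hardening) are this example's own; the paths, directives and units are the stock OpenSSH and systemd ones. The config-editing and socket-parsing helpers run against any file or ss output, so they can be tried without touching a live host; only the apply argument modifies the system.

```bash
#!/usr/bin/env bash
# Added example, not part of the original lab: apply the three directives
# idempotently, validate before restarting, and verify the socket afterwards.
# Helper names (set_directive, listening_on_port, sshd_unit, apply_hardening)
# are this example's own; the paths and units are stock OpenSSH/systemd ones.
set -eu

# set_directive FILE KEY VALUE
# Replace the first active or commented-out "KEY ..." line in an sshd_config
# style file, or append "KEY VALUE" if the keyword is absent. Running it twice
# leaves one line. Caveat: sshd keeps the FIRST value it reads for a keyword,
# so a drop-in pulled in by an Include at the top of the file wins over this
# edit; confirm the effective value with 'sshd -T' before trusting it.
set_directive() {
    local file="$1" key="$2" value="$3"
    local re="^[#[:space:]]*${key}[[:space:]].*$"
    if grep -Eq "$re" "$file"; then
        # GNU sed: the 0,/re/ range ends at the first matching line, so only
        # that line is rewritten; later duplicates (e.g. in Match blocks) stay.
        sed -E -i "0,/${re}/s|${re}|${key} ${value}|" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# listening_on_port PORT   (reads 'ss -tln' / 'ss -tuln' output on stdin)
# True when some LISTEN socket is bound to :PORT. The trailing whitespace
# keeps ":22" from matching ":2222".
listening_on_port() {
    grep -Eq "LISTEN[[:space:]].*:${1}[[:space:]]"
}

# sshd_unit: sshd.service on RHEL/Fedora, ssh.service on Debian/Ubuntu
# (where sshd.service is only an alias created when the unit is enabled).
sshd_unit() {
    if systemctl cat sshd.service >/dev/null 2>&1; then
        echo sshd.service
    else
        echo ssh.service
    fi
}

apply_hardening() {
    local cfg=/etc/ssh/sshd_config port=2222
    cp -a "$cfg" "${cfg}.bak.$(date +%Y%m%d%H%M%S)"   # rollback copy
    set_directive "$cfg" PermitRootLogin no
    set_directive "$cfg" Protocol 2      # ignored by OpenSSH >= 7.4, warning only
    set_directive "$cfg" Port "$port"
    sshd -t                              # syntax check; set -e aborts on failure
    sshd -T | grep -Ei '^(port|permitrootlogin) '   # effective values
    # Before restarting: allow $port in the host firewall and, on SELinux
    # hosts, label it (semanage port -a -t ssh_port_t -p tcp 2222), or bind fails.
    systemctl restart "$(sshd_unit)"
    ss -tln | listening_on_port "$port" || {
        echo "sshd is not listening on $port; see journalctl -u $(sshd_unit)" >&2
        return 1
    }
    echo "sshd listening on $port; test a new login before closing this session"
}

# Only touch the live system when explicitly asked (run as root):
#   sudo ./harden-ssh.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_hardening
fi
```

The sed range form is GNU-specific, which matches the Linux hosts the lab targets. If the daemon does not come up on 2222, the script leaves the timestamped backup next to sshd_config so the previous configuration can be restored from the still-open session.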

Reference

  • /etc/ssh/sshd_config : Main SSH daemon configuration file that controls policy and listening behavior.
  • PermitRootLogin no : Disables direct SSH login as the root user.
  • Protocol 2 : Enforces SSH protocol version 2. Deprecated and ignored since OpenSSH 7.4 removed SSHv1 server support; sshd -t only warns about it.
  • Port 2222 : Changes the SSH daemon listening port from the default (22) to 2222.
  • sshd -t : Checks sshd_config for errors without affecting the running daemon; run it before every restart.
  • sshd -T : Prints the effective configuration after all Include and Match processing, which is what the daemon will actually use.
  • systemctl restart sshd : Restarts the SSH daemon to apply configuration changes. The unit is ssh.service on Debian/Ubuntu (sshd.service is an alias once enabled).
  • ss -tuln : Displays listening sockets for TCP/UDP without name resolution. Use with grep to confirm the bound port.
  • netstat -tuln : Legacy alternative for displaying listening sockets (requires net-tools).