How to hide the SSH daemon

Secure Shell (SSH) is a network protocol that provides network services such as remote command-line logins and data transfer. It creates a secure channel between a client and a server, with the server's SSH daemon listening on a particular port. However, an open SSH port is an exposure that malicious users could probe and attempt to exploit to gain access to the SSH server. A system administrator can configure a firewall to hide the SSH daemon from unauthorized users while still allowing authorized users to connect to the server with SSH. This example uses iptables, which is installed by default on a CentOS system, to configure the firewall.

DIFFICULTY Basic - 1 | Medium - 2 | Advanced - 3
TIME REQUIRED 5 min
RELATED PRODUCTS Linux-based VPS or dedicated servers

Here is a quick tutorial on how to hide the SSH daemon.

Show that the SSH daemon is currently visible

Enter the SSH command that connects to the server. This example connects to the server at IP address 127.0.0.1 as the root user:

# ssh root@127.0.0.1

Enter the password when prompted to confirm that the connection to the server has been made, then exit the session to return to the client.

Configure the firewall to block most traffic

Flush the existing rules for the firewall with this command:

# iptables -F

This rule tells the firewall to accept traffic belonging to a connection that has already been established; otherwise the firewall would block the current SSH session.

# iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

The firewall must also allow persistent services that must always be running and visible to users. For example, this command allows traffic to a website served on port 80, which is the default port for web servers:

# iptables -A INPUT -p tcp --dport 80 -j ACCEPT

Use this command to block all connections that aren't specifically allowed:

# iptables -A INPUT -j DROP
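The steps above, collected into one script, as an added example that is not part of the original article. It prints the rule set so it can be reviewed before anything changes, applies it only when run with `apply`, and offers a bounded `check` for the verification step that follows (it uses `ssh-keyscan`, so it needs no credentials). Two things are assumptions, not content from the article: the `ADMIN_SRC` address is a placeholder for the host from which authorized users connect (one way of expressing the "authorized users" the introduction mentions), and the loopback address is left subject to the final DROP so that the article's own test from 127.0.0.1 still times out as described. Note that `iptables -F` also removes any existing rule that allowed SSH, which is why the conntrack rule must be added immediately afterwards and before the catch-all DROP.

```shell
#!/bin/sh
# Added example, not part of the original article: builds the INPUT rule set
# the tutorial describes as a reviewable list of commands, applies it only on
# request, and checks afterwards whether the SSH daemon still answers.
# ADMIN_SRC is an assumed placeholder for the authorized administrator's host;
# SSH_PORT and WEB_PORT default to the ports used in the article.

ADMIN_SRC="${ADMIN_SRC:-192.0.2.10}"   # assumption: documentation address (TEST-NET-1)
SSH_PORT="${SSH_PORT:-22}"
WEB_PORT="${WEB_PORT:-80}"

# Print the rules, one command per line, in the order they must be appended.
# iptables evaluates the INPUT chain top to bottom, so the conntrack rule goes
# first (it keeps the current session alive after the flush), the explicit
# ACCEPT rules next, and the catch-all DROP last.
build_rules() {
    cat <<EOF
iptables -F
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -s ${ADMIN_SRC} --dport ${SSH_PORT} -j ACCEPT
iptables -A INPUT -p tcp --dport ${WEB_PORT} -j ACCEPT
iptables -A INPUT -j DROP
EOF
}

# Run the generated commands in order; stop at the first failure so a partial
# rule set is noticed instead of silently leaving SSH either open or cut off.
apply_rules() {
    build_rules | while IFS= read -r cmd; do
        # eval is acceptable here: the input is the fixed text from build_rules.
        eval "$cmd" || { echo "failed: $cmd" >&2; exit 1; }
    done
}

# Bounded reachability check for the verification step. ssh-keyscan asks the
# daemon for its host key without logging in; with the rules in place, a host
# outside ADMIN_SRC gets no reply and the 5-second timeout expires.
# Returns 0 when the daemon is visible, 1 when it is hidden (or down).
check_ssh() {
    host="${1:-127.0.0.1}"
    if ssh-keyscan -T 5 -p "$SSH_PORT" "$host" 2>/dev/null | grep -q .; then
        echo "ssh visible on ${host}:${SSH_PORT}"
        return 0
    fi
    echo "no ssh reply from ${host}:${SSH_PORT} within 5s (hidden or down)"
    return 1
}

case "${1:-}" in
    apply) apply_rules ;;
    check) check_ssh "${2:-127.0.0.1}" ;;
    *)     build_rules ;;
esac
```

Run the script with no arguments to see the rules it would add, with `apply` (as root) to install them, and with `check <host>` to repeat the article's visibility test without waiting on an interactive `ssh` timeout.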

Show that the SSH daemon is now hidden

Confirm that the SSH port is now closed by attempting to connect to the server again:

# ssh root@127.0.0.1

The above SSH command will eventually time out, as shown in the following screenshot:

