HOW-TO & PRACTICAL

How can users secure devices with default SSH enabled?


Secure devices with default SSH enabled by changing the default password, disabling root login, using SSH keys instead of passwords, and changing the default SSH port from 22. Additionally, configure a firewall to limit SSH access and keep the system updated with security patches.

Key settings at a glance:

Default SSH Port: 22 (should be changed to a non-standard port like 2222)
Authentication Method: Use SSH key pairs instead of passwords for stronger security
Root Access: Disable direct root login to prevent unauthorized administrative access
Password Requirements: Change all default passwords immediately upon device setup
Access Control: Use firewall rules to restrict SSH access to specific IP addresses

Change Default Credentials

Default usernames and passwords are publicly known, so any device still using them can be logged into by anyone who looks them up. Change the default password for every account that can log in over SSH immediately after setting up the device. Create a strong password with a mix of uppercase letters, lowercase letters, numbers, and special characters. This is the first and most important step in securing SSH access.

Disable Root Login

Root is the administrator account with full system access. Allowing direct root login through SSH gives attackers a direct path to complete system control if they guess or crack the password. Edit the SSH configuration file and set PermitRootLogin to no. This forces users to log in with a regular account first, then use sudo to perform administrative tasks, creating an extra security layer.

Use SSH Keys Instead of Passwords

SSH key pairs (a public key and a private key) are much more secure than passwords. Generate a key pair on your computer, then place the public key on the device. When connecting, SSH proves possession of the private key instead of sending a password. Because there is no password to guess, password-guessing attacks no longer work. Once key login is confirmed to work, disable password authentication entirely by setting PasswordAuthentication to no in the SSH configuration file.

Change the Default SSH Port

SSH runs on port 22 by default, and attackers automatically scan this port looking for vulnerable devices. Change the SSH port to a non-standard number like 2222 or 50022. This reduces the noise from automated attacks, though it is not a complete security solution on its own. Update your SSH configuration file and make sure your firewall allows connections on the new port before you restart the service, or you may lock yourself out.

Configure Firewall Rules

Use your device's firewall to control who can connect via SSH. Restrict SSH access to only the IP addresses or networks that need it. If you only manage the device from your home or office, limit SSH connections to those locations. This prevents attackers from other parts of the internet from even attempting to connect to your SSH service.

Keep System Updated

Security vulnerabilities are discovered regularly in SSH and other system software. Install security updates and patches as soon as they become available. Many devices allow automatic security updates to be enabled. Regular updates close known security holes that attackers could use to gain unauthorized access to your device.
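The configuration changes in the steps above (disable root login, require keys, turn off password authentication, move off port 22) all land in the same file, which on most Linux systems is /etc/ssh/sshd_config. The script below is an added example, not part of the original answer or of any OpenSSH tooling: it applies those directives idempotently to a config file (a commented-out default such as "#PermitRootLogin prohibit-password" is replaced rather than duplicated) and then audits the file to confirm the hardened values are in effect. It works on a constructed sample file so it can be run anywhere without root; the function names, the choice of port 2222, and the assumption that the file has no Match blocks and uses the canonical capitalisation of directive names are all this example's own.

```bash
#!/usr/bin/env bash
# Added example: apply and audit the SSH hardening directives from the steps above.
# Assumes an sshd_config-style file with no "Match" blocks (directives inside a Match
# block would otherwise also be rewritten).
set -eu

# set_directive FILE KEY VALUE
# Replace any existing "KEY ..." line, including a commented-out default such as
# "#Port 22", with "KEY VALUE"; append the directive if it is not present at all.
set_directive() {
  local file="$1" key="$2" value="$3"
  if grep -Eq "^[#[:space:]]*${key}([[:space:]]|$)" "$file"; then
    # Write to a temp file and move it into place; 'sed -i' syntax differs between GNU and BSD.
    sed -E "s|^[#[:space:]]*${key}([[:space:]].*)?$|${key} ${value}|" "$file" > "$file.tmp"
    mv "$file.tmp" "$file"
  else
    printf '%s %s\n' "$key" "$value" >> "$file"
  fi
}

# get_directive FILE KEY
# Print the effective value: the first uncommented occurrence wins, as in sshd itself.
get_directive() {
  local file="$1" key="$2"
  awk -v k="$key" 'tolower($1)==tolower(k){print $2; exit}' "$file"
}

# harden_sshd_config FILE [PORT]   (PORT defaults to the example's choice of 2222)
harden_sshd_config() {
  local file="$1" port="${2:-2222}"
  set_directive "$file" PermitRootLogin no          # step: disable root login
  set_directive "$file" PubkeyAuthentication yes    # step: use SSH keys
  set_directive "$file" PasswordAuthentication no   # step: no password logins
  set_directive "$file" Port "$port"                # step: move off port 22
}

# audit_sshd_config FILE
# Exit 0 when every hardening directive is in place, 1 otherwise, naming what is wrong.
audit_sshd_config() {
  local file="$1" ok=0 port
  [ "$(get_directive "$file" PermitRootLogin)" = "no" ] \
    || { echo "PermitRootLogin is not 'no'"; ok=1; }
  [ "$(get_directive "$file" PasswordAuthentication)" = "no" ] \
    || { echo "PasswordAuthentication is not 'no'"; ok=1; }
  # An absent Port line means sshd listens on 22, so treat "missing" like "22".
  port="$(get_directive "$file" Port)"
  [ -n "$port" ] && [ "$port" != "22" ] \
    || { echo "Port is still the default 22"; ok=1; }
  return "$ok"
}

# make_sample_config FILE
# Constructed sample resembling a stock sshd_config; the commented lines are the
# shipped defaults, which is exactly what a hardening pass must override.
make_sample_config() {
  cat > "$1" <<'EOF'
# Constructed sample sshd_config for this example (not a real device's file)
#Port 22
#PermitRootLogin prohibit-password
#PubkeyAuthentication yes
PasswordAuthentication yes
Subsystem sftp /usr/lib/openssh/sftp-server
EOF
}

# Demonstration on a temporary copy: audit, harden, audit again.
demo_cfg="$(mktemp)"
make_sample_config "$demo_cfg"
echo "--- before hardening ---"
audit_sshd_config "$demo_cfg" || true
harden_sshd_config "$demo_cfg" 2222
echo "--- after hardening ---"
audit_sshd_config "$demo_cfg" && echo "all hardening directives present"
cat "$demo_cfg"
rm -f "$demo_cfg"
```

On a real device, run it against a copy of /etc/ssh/sshd_config, diff the result, then validate with `sshd -t` before reloading the service, and keep your current session open until a second connection on the new port succeeds with the key. Generate the key pair first with `ssh-keygen -t ed25519` and install it with `ssh-copy-id`, and open the new port in the firewall for your management network only (for example, with ufw: `ufw allow from 203.0.113.0/24 to any port 2222 proto tcp`, where 203.0.113.0/24 stands in for your own network) so that the port change and the firewall step from the answer above take effect together.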
