Billysoft Academy

How to secure OpenSSH Server On Arch Linux

Introduction

OpenSSH is an implementation of the SSH (Secure Shell) protocol, which provides a secure channel over an unsecured network. It lets system administrators manage Linux servers remotely over that channel. It uses a client-server architecture: users connect to the SSH server from a remote client. Unlike unsecured protocols, SSH encrypts the traffic, login sessions, and passwords. OpenSSH is one of the most popular and widely used SSH implementations. In this tutorial, we will show you how to secure an SSH server on Arch Linux.

Step 1 – Update the Repository Mirror List

Arch Linux’s default mirror list can often be outdated, which might slow down package downloads or cause issues. To ensure faster and more reliable updates, you’ll need to manually configure a fresh mirror list.

nano /etc/pacman.d/mirrorlist

Clear all existing entries and replace them with the following:

## Score: 0.7, United States
Server = http://mirror.us.leaseweb.net/archlinux/$repo/os/$arch
## Score: 0.8, United States
Server = http://lug.mtu.edu/archlinux/$repo/os/$arch
Server = http://mirror.nl.leaseweb.net/archlinux/$repo/os/$arch
## Score: 0.9, United Kingdom
Server = http://mirror.bytemark.co.uk/archlinux/$repo/os/$arch
## Score: 1.5, United Kingdom
Server = http://mirrors.manchester.m247.com/arch-linux/$repo/os/$arch
Server = http://archlinux.dcc.fc.up.pt/$repo/os/$arch
## Score: 6.6, United States
Server = http://mirror.cs.pitt.edu/archlinux/$repo/os/$arch
## Score: 6.7, United States
Server = http://mirrors.acm.wpi.edu/archlinux/$repo/os/$arch
## Score: 6.8, United States
Server = http://ftp.osuosl.org/pub/archlinux/$repo/os/$arch
## Score: 7.1, India
Server = http://mirror.cse.iitk.ac.in/archlinux/$repo/os/$arch
## Score: 10.1, United States
Server = http://mirrors.xmission.com/archlinux/$repo/os/$arch

Save the file, then synchronize the package databases and upgrade the system:

pacman -Syu

Step 2 – Change the Default SSH Port

SSH runs on port 22 by default, making it a common target for automated attacks. Changing this port helps reduce exposure.

nano /etc/ssh/sshd_config

Find:

Port 22

Replace with:

Port 8087

Save the file and restart the SSH service:

systemctl restart sshd

Step 3 – Disable Root Login via SSH

To reduce the risk of compromise, it’s strongly recommended to prevent direct SSH access to the root account.

nano /etc/ssh/sshd_config

Find:

#PermitRootLogin prohibit-password

Replace with:

PermitRootLogin no

Restart the SSH service to apply the change:

systemctl restart sshd

Step 4 – Restrict SSH Access to Specific Users

Limit SSH access to a select list of users for added security.

nano /etc/ssh/sshd_config

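Add the following line, replacing user1, user2 and user3 with the accounts that are allowed to log in:

AllowUsers user1 user2 user3

Restart the SSH service to apply the change:

systemctl restart sshd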

Step 5 – Enable SSH Key Authentication

Using key-based authentication is more secure than passwords. To enable it:

nano /etc/ssh/sshd_config

Ensure this line is set:

PubkeyAuthentication yes

Restart the SSH service to apply the change:

systemctl restart sshd

Step 6 – Disable Password Authentication

Once key-based login is in place, it’s best to turn off password-based logins entirely.

nano /etc/ssh/sshd_config

Find and update:

PasswordAuthentication no

Restart the SSH service to apply the change:

systemctl restart sshd
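
As an added example (not part of the original tutorial), the script below checks a single sshd_config file against the values set in Steps 2 to 6. It relies on the documented sshd rule that the first value read for a keyword is the one used, so a line appended below an older, uncommented one has no effect. The function names, the constructed sample file and the choice to stop at the first Match block are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Audits one sshd_config file
# against the values set in Steps 2-6. Assumptions: whitespace-separated
# "Keyword value" lines, no Include handling, global section only.

# Print every global value of keyword $1 in file $2, in file order.
global_values() {
    awk -v k="$1" '
        /^[ \t]*#/ || NF == 0  { next }   # comments and blank lines
        tolower($1) == "match" { exit }   # Match blocks are conditional: stop here
        tolower($1) == tolower(k) { $1 = ""; sub(/^[ \t]+/, ""); print }
    ' "$2"
}

# Report one finding and remember that the audit failed.
finding() { echo "FAIL $*"; audit_rc=1; }

# sshd keeps the FIRST value it reads for a single-valued keyword.
expect_first() {  # $1=keyword $2=expected value $3=file
    got=$(global_values "$1" "$3" | head -n 1 | tr 'A-Z' 'a-z')
    [ "$got" = "$2" ] || finding "$1: first value is '${got:-unset}', want '$2'"
}

audit_sshd_config() {  # $1=file; returns 0 when all tutorial settings hold
    audit_rc=0
    ports=" $(global_values Port "$1" | tr '\n' ' ')"   # Port lines accumulate
    case "$ports" in *" 22 "*) finding "Port: 22 is still configured" ;; esac
    case "$ports" in *" 8087 "*) ;; *) finding "Port: 8087 is not configured" ;; esac
    expect_first PermitRootLogin no "$1"
    expect_first PubkeyAuthentication yes "$1"
    expect_first PasswordAuthentication no "$1"
    [ -n "$(global_values AllowUsers "$1")" ] || finding "AllowUsers: no allow-list"
    return "$audit_rc"
}

# Constructed sample: the new line was appended below an existing one, so the
# earlier "PasswordAuthentication yes" still wins.
sample=$(mktemp)
printf '%s\n' 'Port 8087' 'PermitRootLogin no' 'AllowUsers user1 user2 user3' \
    'PubkeyAuthentication yes' 'PasswordAuthentication yes' \
    'PasswordAuthentication no' > "$sample"
audit_sshd_config "$sample" || echo "audit: findings listed above"
rm -f "$sample"
```

On a live server, `sshd -t` checks the configuration for errors before you restart the service, and `sshd -T` prints the effective configuration, including any Include files.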

Conclusion

By following these steps, you’ve significantly improved the security of your SSH server on Arch Linux. From updating repositories to enforcing key-based login and restricting access, this guide lays a strong foundation for a secure remote management environment.
