How to Configure SSH for Your Website
Secure Shell (SSH) is a network protocol that allows secure data communication. In effect, it is like a web-hosted back door into your system, one that should remain locked unless you really need to use it.
Naturally, exactly how you configure SSH is different on every variety of web hosting software, but as an example, here is how to configure it using cPanel.
Decide who, if anyone, will be allowed shell access.
Each control panel handles access slightly differently, but essentially there are three levels of shell access: Disabled, Jailed, or Normal. Disabling shell access for all users effectively means that SSH is unusable on the server. Jailed shell access lets users in, but only to limited areas of the system. Normal shell access gives that user full SSH access to the server. Here is how to configure access in cPanel.
Log in to WHM (if you do not have access to WHM, ask your host to enable shell access for your user).
Scroll down on the left-hand side to Account Functions, under which you click Manage Shell Access.
Select for each user on the system whether they will have normal shell access (SSH), jailed shell access, or disabled shell access.
Do not assume that SSH is completely unusable just because shell access has been disabled for all users. Although it is an effective method for denying users access to SSH, a skilled hacker may still be able to sidestep this restriction. As with any security measure, this should only be used as one of a set of security measures on your server.
Decide which IP addresses will be allowed to connect via SSH.
Most control panels enable you to allow access only to certain IP addresses. This adds another layer of security, but it is not foolproof. To allow SSH access to only certain IP addresses in cPanel, do the following:
In WHM, scroll up to the Security Center and click Host Access Control.
Here you can allow or deny specific IP addresses access to any of the services on the server.
Type SSHD in the box labeled Daemon.
Under access list, type the IP addresses which are allowed access.
You can enter multiple IP addresses or just one. Find your IP address at www.whatsmyip.org.
In the first action box, type allow.
On the next line, type SSHD as the daemon, all in the access list and deny in the action.
When a user requests access, the server checks their IP address and then starts at the top of the list to see whether that IP address is specified or not. If it is, it performs the action associated with that IP.
If it does not find the IP address listed, it will move down the list searching every line for that IP address until it reaches a line that includes the word all. At that point it will do whatever the all line commands. That way, you can essentially tell the server to allow access to specific IP addresses but then deny it to all others.
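The top-down, first-match behavior described above can be modeled in a few lines to check a rule list before you rely on it. This is an added example, not cPanel's own code: the rule tuples, the function names, the sample addresses, and the behavior when no line matches are all assumptions made for illustration.

```python
import ipaddress

# Constructed sample list, top to bottom: (daemon, access list, action).
# Addresses come from the reserved documentation ranges.
RULES = [
    ("SSHD", "203.0.113.10 198.51.100.24", "allow"),
    ("SSHD", "all", "deny"),
]

def entry_matches(access_list, client_ip):
    """True if the access list is 'all' or names client_ip."""
    ip = ipaddress.ip_address(client_ip)
    for token in access_list.replace(",", " ").split():
        if token.lower() == "all" or ipaddress.ip_address(token) == ip:
            return True
    return False

def decide(rules, daemon, client_ip):
    """Return (action, line_index) for the first line that matches."""
    for index, (rule_daemon, access_list, action) in enumerate(rules):
        if rule_daemon.lower() == daemon.lower() and entry_matches(access_list, client_ip):
            return action, index
    # Assumption: when no line matches, nothing blocks the connection.
    return "allow", None

def audit(rules, daemon):
    """Warn about orderings that defeat the allow-list."""
    warnings = []
    lines = [(i, acl, act) for i, (d, acl, act) in enumerate(rules)
             if d.lower() == daemon.lower()]
    catch_all = next((i for i, acl, _ in lines
                      if "all" in acl.lower().replace(",", " ").split()), None)
    if catch_all is None:
        warnings.append("no 'all' line: unlisted addresses are not denied")
    else:
        if rules[catch_all][2] != "deny":
            warnings.append(f"line {catch_all}: 'all' line does not deny")
        for i, acl, act in lines:
            if i > catch_all:
                warnings.append(f"line {i}: '{acl} {act}' is below 'all', never reached")
    return warnings

if __name__ == "__main__":
    for ip in ("203.0.113.10", "192.0.2.77"):
        print(ip, decide(RULES, "SSHD", ip))
    print(audit(RULES, "SSHD"))
```

The audit catches the two ordering mistakes that matter most here: a missing deny line for all, and an allow line placed below it where it can never match.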
Still under the Security Center, click SSH Password Authentication Tweak.
Now decide whether you wish to allow access via username and password, or whether all allowed users will be required to use a username and key combination. The screen will tell you whether or not password authentication is currently enabled; if it is, you can click the Disable Password Auth button to disable it, and vice versa.
Whether or not you have SSH password authentication enabled, you can still generate keys and use those to connect.
This is a more secure method of connecting. To set the key for the root user in WHM under the Security Center, click Manage root’s SSH Keys. In here you can generate a new key. Other users must generate their own keys by logging in to cPanel as the user and under the Security section clicking SSH/Shell Access.