Modified SSH Configuration

A Debian-first guide to reviewing unexpected SSH daemon changes, identifying weakened access controls, and restoring secure remote access settings.

What this is

Modified SSH configuration refers to unauthorized or unsafe changes to the SSH daemon configuration that weaken access controls, broaden exposure, or support persistence. SSH is a high-value target because it directly controls remote administrative access.

Even small changes, such as enabling password authentication or allowing root login, can significantly increase risk.

What it looks like

Detect

Review the SSH daemon configuration

sudo cat /etc/ssh/sshd_config

Check key security-related directives

sudo grep -Ei "PermitRootLogin|PasswordAuthentication|PubkeyAuthentication|AllowUsers|Port|ListenAddress" /etc/ssh/sshd_config

Validate the configuration syntax

sudo sshd -t

Review auth logs for SSH-related changes or access activity

sudo grep -Ei "sshd|Accepted|Failed|sudo|COMMAND" /var/log/auth.log

Check file metadata for the configuration

sudo ls -lah /etc/ssh/sshd_config
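The following audit script is an added example and not part of the original guide. Rather than grepping /etc/ssh/sshd_config alone, it reads the daemon's effective configuration from `sshd -T`, which resolves the `Include /etc/ssh/sshd_config.d/*.conf` line that Debian's stock file starts with and fills in built-in defaults, so a directive that is commented out or absent in the main file is still reported with its live value. The expected values are an assumed policy, and the sample `sshd -T` output is constructed data, not from any real host.

```shell
#!/bin/sh
# Audit the effective sshd configuration for weakened access controls.
# `sshd -T` prints the resolved configuration ("directive value", lowercase),
# including drop-ins from /etc/ssh/sshd_config.d/ and built-in defaults.
#
# audit_sshd_settings [FILE]
#   With FILE, reads sshd -T style output from it (used for the sample below);
#   without, runs `sudo sshd -T` on the local host (needs root for host keys).
# Prints WEAK/INFO lines and returns the number of weakened directives.
audit_sshd_settings() {
    if [ -n "$1" ]; then
        effective=$(cat "$1") || return 2
    else
        effective=$(sudo sshd -T) || return 2
    fi
    findings=0
    # Expected hardened values (assumed policy; adjust to the host's intent).
    for pair in \
        "permitrootlogin no" \
        "passwordauthentication no" \
        "permitemptypasswords no" \
        "pubkeyauthentication yes"; do
        key=${pair%% *}
        want=${pair#* }
        got=$(printf '%s\n' "$effective" | awk -v k="$key" '$1 == k { print $2; exit }')
        if [ "$got" != "$want" ]; then
            printf 'WEAK: %s is "%s" (expected %s)\n' "$key" "${got:-unset}" "$want"
            findings=$((findings + 1))
        fi
    done
    # Exposure-related directives are listed for review rather than judged.
    printf '%s\n' "$effective" \
        | awk '$1 == "port" || $1 == "listenaddress" || $1 == "allowusers" || $1 == "allowgroups" { print "INFO: " $0 }'
    return "$findings"
}

# Constructed sample of `sshd -T` output from a weakened daemon (not from any
# real host): root login and password authentication have been turned on.
write_sample_config() {
    f=$(mktemp) || return 1
    cat >"$f" <<'EOF'
port 22
listenaddress [::]:22
listenaddress 0.0.0.0:22
permitrootlogin yes
passwordauthentication yes
pubkeyauthentication yes
permitemptypasswords no
allowusers deploy
EOF
    printf '%s\n' "$f"
}

# Demonstration on the sample. On a real host call audit_sshd_settings with
# no argument and also check the drop-in directory:  ls -la /etc/ssh/sshd_config.d/
sample=$(write_sample_config)
audit_sshd_settings "$sample" || echo "weakened directives: $?"
rm -f "$sample"
```

On the sample the script reports two WEAK lines (permitrootlogin and passwordauthentication) and lists the port, listen addresses and AllowUsers entry as INFO; the return value is the count of weakened directives, which makes it usable from a cron job or a configuration-drift check.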

Contain

Restore secure SSH settings

sudo nano /etc/ssh/sshd_config

Disable password authentication if not needed

PasswordAuthentication no

Disallow root login if not required

PermitRootLogin no

Restart SSH after validation

sudo sshd -t
sudo systemctl restart ssh
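As an added example (not code from the guide), here is a scripted version of the restore step that writes the hardened directives to a drop-in file instead of editing /etc/ssh/sshd_config by hand, refuses to disable password authentication when the administrator's account has no usable public key (the usual way to lock yourself out), validates with `sshd -t`, and only then restarts the service. Debian's stock sshd_config begins with `Include /etc/ssh/sshd_config.d/*.conf`, and sshd keeps the first value it reads for each directive, so an early-sorting drop-in wins over later lines in the main file. The drop-in name `10-hardening.conf` and the `ADMIN_USER` variable are assumptions.

```shell
#!/bin/sh
# Restore hardened sshd settings on Debian via a drop-in file.
# Drop-ins are read in lexical order, and sshd uses the FIRST value it sees
# for a directive, so "10-hardening.conf" takes precedence over later drop-ins
# and over the main file, and survives package upgrades of sshd_config.
#
# Usage (as root on the host):  ADMIN_USER=deploy sh -c '. ./harden.sh; apply_hardening'
# The drop-in name and ADMIN_USER are assumptions for this example.

DROPIN="${DROPIN:-/etc/ssh/sshd_config.d/10-hardening.conf}"
ADMIN_USER="${ADMIN_USER:-$(id -un)}"

# Write the hardened directives to TARGET.
write_hardening_dropin() {
    target="$1"
    cat >"$target" <<'EOF'
# Restored after SSH configuration review; sorts before other drop-ins
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
EOF
}

# Return 0 if FILE holds at least one public key line (blank lines and
# comments ignored; lines with leading options such as command="..." count).
# Disabling PasswordAuthentication without such a key for the admin account
# locks the administrator out.
has_usable_key() {
    [ -r "$1" ] || return 1
    grep -Ev '^[[:space:]]*(#|$)' "$1" \
        | grep -Eq '(^|[[:space:]])(ssh-|ecdsa-|sk-)[A-Za-z0-9@.-]+[[:space:]]+[A-Za-z0-9+/]+=*'
}

# Apply: lockout check, write the drop-in, validate, restart.
apply_hardening() {
    home=$(getent passwd "$ADMIN_USER" | cut -d: -f6)
    if ! has_usable_key "$home/.ssh/authorized_keys"; then
        echo "refusing: no usable key for $ADMIN_USER in $home/.ssh/authorized_keys" >&2
        return 1
    fi
    write_hardening_dropin "$DROPIN" || return 1
    if ! sshd -t; then
        echo "sshd -t rejected the configuration; not restarting" >&2
        return 1
    fi
    systemctl restart ssh
    echo "restarted ssh; keep this session open and test a new login before closing it"
}
```

Keep the current session open after the restart and open a second one to confirm key-based login still works; if it does not, the original session can still revert the drop-in.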

Recover

Review whether the changed configuration led to successful access

sudo grep -Ei "Accepted password|Accepted publickey|session opened" /var/log/auth.log

Review authorized keys for root and users

sudo find /home /root -name authorized_keys -type f -exec ls -lah {} \; -exec cat {} \;

Check for related persistence or admin changes

cut -d: -f1 /etc/passwd
getent group sudo
sudo systemctl list-unit-files --type=service
sudo find /etc/cron* -type f

Recovery means restoring intended SSH settings and confirming that no unauthorized access, key changes, or follow-on persistence occurred.
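The summariser below is an added example, not part of the guide, for the log review step above. It tallies accepted and failed SSH authentications by method, user and source address, then filters down to the events a reviewer should look at first: successful password logins and any successful login as root, which are exactly what a weakened PasswordAuthentication or PermitRootLogin setting makes possible. It locates the `Accepted`/`Failed` token instead of relying on fixed field positions, so it works on /var/log/auth.log and on `journalctl -u ssh` output (Debian 12 without rsyslog has no auth.log). The log lines are constructed sample data.

```shell
#!/bin/sh
# Summarise SSH authentication results from an auth log.
#
# summarize_ssh_auth FILE  -> "Accepted|Failed METHOD USER IP COUNT" per line
# Works on /var/log/auth.log lines and on `journalctl -u ssh --no-pager`
# output. On Debian 12 without rsyslog there is no /var/log/auth.log; use:
#   journalctl -u ssh --no-pager > /tmp/ssh.log
summarize_ssh_auth() {
    awk '
    /sshd\[[0-9]+\]: (Accepted|Failed) / {
        result = ""; method = ""; user = ""; ip = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "Accepted" || $i == "Failed") { result = $i; method = $(i + 1) }
            else if ($i == "for" && $(i + 1) == "invalid") { user = $(i + 3) }  # "for invalid user NAME"
            else if ($i == "for" && user == "") { user = $(i + 1) }
            else if ($i == "from") { ip = $(i + 1) }
        }
        if (result != "") n[result " " method " " user " " ip]++
    }
    END { for (k in n) print k, n[k] }' "$1" | sort
}

# Filter the summary down to what a reviewer should look at first:
# successful password logins and any successful login as root.
flag_risky_logins() {
    awk '$1 == "Accepted" && ($2 == "password" || $3 == "root")'
}

# Constructed sample log lines (not from a real host): routine key logins by
# "deploy", a password login as root, and two failures for an invalid user.
write_sample_auth_log() {
    f=$(mktemp) || return 1
    cat >"$f" <<'EOF'
Mar  3 10:01:12 host sshd[1234]: Accepted publickey for deploy from 10.0.0.5 port 51234 ssh2: ED25519 SHA256:ConstructedFingerprint
Mar  3 10:05:44 host sshd[1301]: Accepted password for root from 203.0.113.7 port 40022 ssh2
Mar  3 10:05:44 host sshd[1301]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)
Mar  3 10:07:01 host sshd[1350]: Failed password for invalid user admin from 203.0.113.7 port 40100 ssh2
Mar  3 10:07:09 host sshd[1352]: Failed password for invalid user admin from 203.0.113.7 port 40104 ssh2
Mar  3 10:09:30 host sshd[1377]: Accepted publickey for deploy from 10.0.0.5 port 51240 ssh2: ED25519 SHA256:ConstructedFingerprint
EOF
    printf '%s\n' "$f"
}

# Demonstration on the sample; on a real host pass /var/log/auth.log instead.
sample=$(write_sample_auth_log)
echo "== all results =="
summarize_ssh_auth "$sample"
echo "== review first =="
summarize_ssh_auth "$sample" | flag_risky_logins
rm -f "$sample"
```

On the sample the summary has three lines (two key logins by deploy, one password login as root, two failures for the invalid user admin from the same address), and the filter leaves only the root password login, which is the event to correlate with the file modification time of sshd_config and with any new authorized_keys entries.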

Prevent

Option 1 — Use SSH keys instead of passwords

ssh-copy-id user@server_ip

Option 2 — Keep password login disabled where possible

PasswordAuthentication no

Option 3 — Restrict SSH access to trusted IPs

sudo ufw allow from <trusted_ip> to any port 22
sudo ufw deny 22

Option 4 — Review SSH config after maintenance or suspicious activity

sudo grep -Ei "PermitRootLogin|PasswordAuthentication|AllowUsers|Port" /etc/ssh/sshd_config

Option 5 — Monitor auth logs regularly

sudo grep -Ei "sshd|Accepted|Failed" /var/log/auth.log

Optional Tools & Hosting

Manual SSH review should come first. Future recommendations may include tools that simplify secure remote access, but the primary recommendation is still tight Debian-side SSH configuration and restricted exposure.

Notes

Environment Note

All commands shown are based on Debian-based systems unless otherwise noted.