The SSH Server module allows for configuration of the Secure Shell Daemon service in ClearOS.
If your system does not have this app available, you can install it via the Marketplace.
You can find this feature in the menu system at the following location:
You can customize the port, whether password authentication to SSH access is allowed, whether or not root is allowed to log in, and whether to allow for TCP forwarding.
The root account is the most sought after and the most common account to try and hack. Disabling root login lets you still log in as regular users but then requires those users to switch user (su) or use privilege escallation (sudo) for all root commands on the system. This is considered best practice and we highly recommend it.
You can give users SSH access using the Shell Extension app.
Changing the port is a good idea because hackers will know to try port 22 for SSH and it is typically the first place they try. If you change the port, be sure to select a port that is not in use by another protocol on the system. (Valid range theoretically range from 0-65535)
By turning off password authentication you tell your system that you will use key based authentication. This is typically considered stronger authentication than passwords.
TCP Forwarding allows you to use SSH as a gateway for other types of network traffic. It is a quasi-VPN and can make certain local traffic appear local to the machine attaching via SSH. If you are not using this, disable it.
If you can avoid it, it is best not to open up external access to SSH. If you require external access, consider if it would be better to use OpenVPN to connect to ClearOS because you can then connect to SSH as if you were connected to the ClearOS LAN.
If you do open up SSH to external access from the internet, please see the Securing SSH in ClearOS - Best Practices Guide and install the Attack Detector app. Also consider using the Intrusion Detection and Intrusion Preventions apps.
A strong password is a must!