The SSH protocol is a secure method to remote login one server to another server. It provides several alternative options for strong authentication, and it protects the communications security and integrity with strong encryption. It is a secure alternative to other protocol like telnet and file transfer protocol FTP.
Locate SSH server configuration file-
All the changes we are going to discuss will be done in SSH configuration file. This file can be found at /etc/ssh/ssh_config
open this config file using-
sudo nano /etc/ssh/ssh_config
1. Use a different port than 22
22 is the default port used by SSH protocol. You should not use the default port as it is easy to guess and more vulnerable to brute-force attacks.
To change the default port change the following line(here we are using port 221 instead of port 22).
2. Use Protocol SSH 2 only
The earlier protocol SSH 1 contains many security vulnerabilities. so you should be using SSH 2 instead of SSH 1. SSH 2 should be set to 2 by default. If not you can change using
3. Disable Direct root login
Allowing direct root login is one of the most dangerous security hole you can have. No server should be allowed to direct root login through SSH.
To disable direct root login change PermitRootLogin to no from yes
If you really need to log in as root you can add a primary user to login first and you can log in as a root user
to add a user
useradd peter passwd peter
this is an example. I highly recommend using a very strong password.
Once you login to user peter you can switch to root user by using
4. Use public_keys instead of passwords
There are 2 ways to login to an SSH server- using a password or public/private keys. You should be using public keys to login to SSH server security. You can use this link to configure SSH login without a password.
After ensuring your key based login is working properly you can disable password based login using
5. Enable two-factor authentication
You should enable two-factor authentication on your SSH server to make it more secure. So if someone tries to brute force your server, can be blocked by 2-factor authentication.
Google authenticator is one of the most trustworthy and widely used authenticators. You can enable Google authentication on your server using this link.
6. Disable Empty Passwords
You should not allow remote login with an empty password. if you allow login with empty password your server is more vulnerable to the brute-force attack.
To disable empty password login set
7. Use strong passwords and passphrase for ssh users/keys
Most of the server got attacked because of the weak password. They use easy to guess password like the brand name or some universal password like 123456 or qwerty. Weak password is more likely to cracked by brute-force attacks.
You should be using a very strong password and passphrase to log in your SSH server.
8. Configure Idle Timeout Interval
To avoid having an unattended SSH session, you can set an Idle timeout interval.
ClientAliveInterval 360 ClientAliveCountMax 0
The idle timeout interval you are setting is in seconds (360 secs = 6 minutes). Once the interval has passed, the idle user will be automatically logged out.
Execute a PHP file on Remote Server Using SSH
9. Disable port forwarding
Hackers can use port forwarding technique to tunnel network connections through an SSH session to login into systems.
To disable port forwarding –
AllowTcpForwarding no X11Forwarding no
10. Restrict SSH logins to specific IP addresses
By default, SSH will accept connections from any external IP address. If you want to restrict SSH to only allow a connection from a specific IP address, you can add a ListenAddress line.
For example, if you want to only accept SSH connections from IP address 192.168.1.2 you would add the line:
Restart SSH server
After making any changes to sshd_config file do not forget to restart the SSH server.
sudo service ssh restart
Reference - Secure SSH Server
By making these changes your server will be secure than most of the server and will not be easy for attackers to walk into your server.