The SSH protocol is a secure method for logging in remotely from one machine to another. It offers several options for strong authentication, and it protects the confidentiality and integrity of the connection with strong encryption. It is a secure alternative to older protocols like telnet and FTP.
Locate the SSH server configuration file
All the changes we are going to discuss are made in the SSH server (sshd) configuration file, which can be found at /etc/ssh/sshd_config. Note that /etc/ssh/ssh_config is the client configuration and does not affect the server.
Open this config file using
sudo nano /etc/ssh/sshd_config
1. Use a different port than 22
22 is the default port used by the SSH protocol. You should not use the default port, as it is easy to guess and attracts brute-force attacks.
To change the default port, change the following line (here we are using port 221 instead of port 22):
Port 221
2. Use Protocol SSH 2 only
The earlier SSH 1 protocol contains many security vulnerabilities, so you should be using SSH 2 instead of SSH 1. Protocol 2 should already be the default; if not, you can set it with the line below. OpenSSH 7.4 and later removed server support for protocol 1 entirely, so on a current server this directive is obsolete.
Protocol 2
3. Disable Direct root login
Allowing direct root login is one of the most dangerous security holes you can have. No server should allow direct root login through SSH.
To disable direct root login, change PermitRootLogin from yes to no:
PermitRootLogin no
If you really need to log in as root, create a regular user to log in as first, and then switch to the root user from that session.
To add a user (the -m flag creates the home directory):
useradd -m peter
passwd peter
this is an example. I highly recommend using a very strong password.
Once you have logged in as user peter, you can switch to the root user with
su -
4. Use public keys instead of passwords
There are two ways to log in to an SSH server: with a password or with a public/private key pair. For security, you should use key-based login. You can use this link to configure SSH login without a password.
After ensuring your key-based login is working properly, you can disable password-based login with
PasswordAuthentication no
5. Enable two-factor authentication
You should enable two-factor authentication on your SSH server to make it more secure. If someone tries to brute-force your server, the second factor blocks them even if the password is guessed.
Google Authenticator is one of the most trustworthy and widely used authenticators. You can enable Google Authenticator on your server using this link.
6. Disable Empty Passwords
You should not allow remote login with an empty password. If you allow it, your server is more vulnerable to brute-force attacks.
To disable empty-password login, set
PermitEmptyPasswords no
7. Use strong passwords and passphrases for SSH users/keys
Most compromised servers were attacked because of a weak password: an easy-to-guess password like the brand name, or a universal password like 123456 or qwerty. A weak password is far more likely to be cracked by a brute-force attack.
You should use a very strong password, and a strong passphrase on your key, to log in to your SSH server.
8. Configure an idle timeout interval
To avoid leaving an unattended SSH session open, you can set an idle timeout interval:
ClientAliveInterval 360
ClientAliveCountMax 0
The idle timeout interval you are setting is in seconds (360 secs = 6 minutes). Once the interval has passed, the idle user will be automatically logged out. Note that on OpenSSH 8.2 and later, ClientAliveCountMax 0 disables the disconnect entirely instead of closing the session at the first missed keepalive, so use a count of 1 or more on those versions.
9. Disable port forwarding
Attackers can use port forwarding to tunnel network connections through an SSH session and reach other systems behind the server.
To disable port forwarding:
AllowTcpForwarding no
X11Forwarding no
10. Restrict SSH logins to specific IP addresses
By default, SSH will accept connections from any external IP address. If you want to restrict SSH to only allow a connection from a specific IP address, you can add a ListenAddress line.
For example, if you want to only accept SSH connections from IP address 192.168.1.2, you would add the line:
ListenAddress 192.168.1.2
Note that ListenAddress selects the local address that sshd binds to, so it limits which of the server's own interfaces accept connections rather than which client addresses may connect. To restrict client addresses, pair it with a firewall rule or with an AllowUsers pattern such as AllowUsers *@192.168.1.2.
Restart the SSH server
After making any changes to the sshd_config file, do not forget to restart the SSH server:
sudo service ssh restart
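Before restarting, it helps to confirm that the file actually contains the values above. The script below is an added example, not part of the original post: it reads an sshd_config and reports which of the directives discussed here deviate from the hardened value, honouring the sshd rule that when a keyword appears more than once the first value wins and that lines inside a Match block are conditional. The sample config it audits is constructed for the demonstration.

```shell
#!/bin/sh
# Added audit helper, not part of the original post. Assumed sshd_config semantics:
# keywords are case-insensitive, comment lines start with '#', the FIRST value of a
# repeated keyword wins, and everything after a Match line is conditional (skipped).

# Print the effective global value of keyword $2 in file $1 (empty when unset).
sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # comment or blank line
        { k = tolower($1) }
        k == "match" { inmatch = 1; next }       # Match block: not a global value
        inmatch { next }
        k == key { print $2; exit }              # first occurrence wins
    ' "$1"
}

# Compare keyword $2 in file $1 with expected value $3 (case-insensitive).
# Returns 0 when compliant, 1 otherwise, and prints one line either way.
check_directive() {
    actual=$(sshd_value "$1" "$2")
    if [ "$(printf '%s' "$actual" | tr 'A-Z' 'a-z')" = "$(printf '%s' "$3" | tr 'A-Z' 'a-z')" ]; then
        echo "OK       $2 $actual"
        return 0
    fi
    echo "FINDING  $2 is '${actual:-<unset>}', expected '$3'"
    return 1
}

# Run the checks from the post against file $1; the return code is the number of findings.
audit_sshd_config() {
    findings=0
    for pair in Port=221 PermitRootLogin=no PasswordAuthentication=no PermitEmptyPasswords=no \
                AllowTcpForwarding=no X11Forwarding=no ClientAliveInterval=360; do
        check_directive "$1" "${pair%%=*}" "${pair#*=}" || findings=$((findings + 1))
    done
    return "$findings"
}

# Constructed sample config (deliberately weak) so the script runs offline.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
# constructed sample sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication no
# the duplicate below is ignored by sshd: the first value wins
PasswordAuthentication yes
Match User backup
    PermitRootLogin no
EOF
audit_sshd_config "$SAMPLE_CFG" || echo "$? directive(s) need attention"
```

Point it at /etc/ssh/sshd_config on a real server, and run sudo sshd -t as well before restarting, since a syntax error in the file can leave the daemon unable to start and lock you out.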
Reference - Secure SSH Server
Conclusion
By making these changes your server will be more secure than most servers, and it will not be easy for attackers to walk into it.
Top comments (4)
Thanks for your post. I agree with most of the stated points. But I'm actually not a big fan of #1 (changing the default port) for a couple of reasons:
1) In an environment with firewalls filtering inbound and outbound traffic it will be quite unlikely that a random and non-standard port is going to be reachable right from the beginning. This means you have to wait for additional ports to be opened by the net team after you've been filling out long forms for this security change, as they are common in corporate environments.
2) In bigger organizations where different staff is setting up systems and using them afterwards the use of non-standard ports will cause more confusion than benefit.
3) Many ssh based tools (such as ansible, fabric, ...) and even the normal linux/unix ssh client will need additional configuration parameters such as an added "-p 221". The worst case would be to find an application which lacks this particular option and is not usable anymore.
4) It is not adding real security; it's more a variant of security through obscurity (stackoverflow.com/questions/533965...) and every portscan is going to show the ssh banner on port 221. For brute force protection, I like the Fail2ban approach sergi mentioned beforehand.
What about Fail2Ban?
This is also an awesome tool to prevent brute-force attacks.
Hey there! I shared your article here t.me/theprogrammersclub and check out the group if you haven't already!