
Top 10 Tips to Secure Your SSH Server

Sunil ・4 min read

Secure SSH Server

The SSH protocol is a secure method for logging in remotely from one server to another. It provides several alternative options for strong authentication, and it protects the security and integrity of communications with strong encryption. It is a secure alternative to other protocols such as telnet and the File Transfer Protocol (FTP).

Locate the SSH server configuration file
All the changes we are going to discuss are made in the SSH server configuration file. This file can be found at /etc/ssh/sshd_config

Open this config file using:

sudo nano /etc/ssh/sshd_config

1. Use a different port than 22

22 is the default port used by the SSH protocol. You should not use the default port, as it is easy to guess and more vulnerable to brute-force attacks.

To change the default port, change the following line (here we are using port 221 instead of port 22).

Port 221

2. Use Protocol SSH 2 only

The earlier protocol, SSH 1, contains many security vulnerabilities, so you should be using SSH 2 instead of SSH 1. Protocol should be set to 2 by default. If not, you can change it using

Protocol 2

3. Disable Direct root login

Allowing direct root login is one of the most dangerous security holes you can have. No server should allow direct root login through SSH.

To disable direct root login, change PermitRootLogin from yes to no

PermitRootLogin no

If you really need to log in as root, you can add a primary user, log in as that user first, and then switch to the root user.

To add a user:

useradd peter
passwd peter

This is an example. I highly recommend using a very strong password.

Once you log in as user peter, you can switch to the root user by using

su -

4. Use public_keys instead of passwords

There are two ways to log in to an SSH server: using a password or using public/private keys. You should be using public keys to log in to the SSH server for security. You can use this link to configure SSH login without a password.

After ensuring your key-based login is working properly, you can disable password-based login using

PasswordAuthentication no

5. Enable two-factor authentication

You should enable two-factor authentication on your SSH server to make it more secure. If someone tries to brute force your server, they can be blocked by two-factor authentication.

Google Authenticator is one of the most trustworthy and widely used authenticators. You can enable Google authentication on your server using this link.


6. Disable Empty Passwords

You should not allow remote login with an empty password. If you allow login with an empty password, your server is more vulnerable to brute-force attacks.

To disable empty password login, set

PermitEmptyPasswords no

7. Use strong passwords and passphrases for ssh users/keys

Most servers get attacked because of a weak password. They use easy-to-guess passwords like the brand name or some universal password like 123456 or qwerty. A weak password is more likely to be cracked by brute-force attacks.

You should be using a very strong password and passphrase to log in to your SSH server.

8. Configure Idle Timeout Interval

To avoid having an unattended SSH session, you can set an Idle timeout interval.

ClientAliveInterval 360
ClientAliveCountMax 0

The idle timeout interval you are setting is in seconds (360 secs = 6 minutes). Once the interval has passed, the idle user will be automatically logged out.


9. Disable port forwarding

Hackers can use the port forwarding technique to tunnel network connections through an SSH session to log in to systems.

To disable port forwarding:

AllowTcpForwarding no
X11Forwarding no

10. Restrict SSH logins to specific IP addresses

By default, SSH will accept connections from any external IP address. If you want to restrict SSH to only allow a connection from a specific IP address, you can add a ListenAddress line.

For example, if you want to only accept SSH connections from IP address 192.168.1.2 you would add the line:

ListenAddress 192.168.7.2

Restart SSH server
After making any changes to sshd_config file do not forget to restart the SSH server.

sudo service ssh restart
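
To confirm that the running configuration matches the yes/no settings from tips 3, 4, 6 and 9, the output of sshd's extended test mode (sshd -T) can be compared against them. The script below is an added example, not part of the original article; the function name audit_sshd and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): compare sshd settings with the
# values recommended in tips 3, 4, 6 and 9.
# Input: "keyword value" lines, the format printed by `sshd -T`.

# keyword=value pairs taken from the article's recommendations.
EXPECTED='permitrootlogin=no passwordauthentication=no permitemptypasswords=no allowtcpforwarding=no x11forwarding=no'

# audit_sshd: read settings on stdin, print one line per deviation and
# return the number of deviations as the exit status (0 = all match).
audit_sshd() {
    awk -v expected="$EXPECTED" '
        BEGIN {
            n = split(expected, pairs, " ")
            for (i = 1; i <= n; i++) {
                split(pairs[i], kv, "=")
                want[kv[1]] = kv[2]
            }
        }
        {
            key = tolower($1)
            # sshd uses the first value it sees for a keyword.
            if ((key in want) && !(key in got)) got[key] = tolower($2)
        }
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                split(pairs[i], kv, "=")
                k = kv[1]
                if (!(k in got)) {
                    printf "MISSING %s (want %s)\n", k, want[k]; bad++
                } else if (got[k] != want[k]) {
                    printf "FAIL %s=%s (want %s)\n", k, got[k], want[k]; bad++
                }
            }
            exit bad
        }'
}

# Constructed sample input; on a real host use: sudo sshd -T | audit_sshd
SAMPLE='port 221
permitrootlogin yes
passwordauthentication no
permitemptypasswords no
allowtcpforwarding no
x11forwarding yes'

printf '%s\n' "$SAMPLE" | audit_sshd || echo "$? deviation(s) found"
```

Running the check from a second, already open session before closing the first one avoids locking yourself out if a setting is wrong.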

Reference - Secure SSH Server

Conclusion

By making these changes, your server will be more secure than most servers, and it will not be easy for attackers to walk into your server.

Discussion

Michael K.

Thanks for your post. I agree with most of the stated points. But I'm actually not a big fan of #1 (changing the default port) for a couple of reasons:

1) In an environment with firewalls filtering inbound and outbound traffic it will be quite unlikely that a random and non-standard port is going to be reachable right from the beginning. This means you have to wait for additional ports being opened by the net team after you've been filling out long forms for this security change, as they are common in corporate environments.

2) In bigger organizations where different staff is setting up systems and using them afterwards, the use of non-standard ports will cause more confusion than benefit.

3) Many ssh based tools (such as ansible, fabric, ...) and even the normal linux/unix ssh client will need additional configuration parameters such as an added "-p 221". The worst case would be to find an application which lacks this particular option and is not usable anymore.

4) It is not adding up real security; it's more a variant of Security through obscurity (stackoverflow.com/questions/533965...) and every portscan is going the ssh banner on port 221. For a brute force protection, I like the Fail2ban approach, sergi mentioned beforehand.

sergi

What about Fail2Ban?

Sunil Author

This is also an awesome tool to prevent brute-force attacks.

Yogeswaran

Hey there! I shared your article here t.me/theprogrammersclub and check out the group if you haven't already!