10 Best Ways to Secure Your SSH Server



SSH refers to Secure Shells that helps in operating network services like remote login to the server, file transfer, and other servers related operation securely over an insecure or secure network.

The SSH default configuration is not enough to harden the SSH channel; we need to configure the additional setting to enhance its security at full.

Here at LinuxReels, as part of our Server Management Services, we regularly help our Customers to perform related SSH queries.

In this context, we shall look into different methods of securing your ssh server.


How to Disable Root Login Over SSH Server ?

As the root user has access to the entire services in the server and it's better not to risk the system allowing remote root login. It might be way too vulnerable if the password is exposed while using a brute-force attack or other hacking tool. So it is best practice to disable remote root login and stick with the regular user.

To disable the remote root login, open the sshd_config file:

$ sudo vim /etc/ssh/sshd_config

Then, set "PermitRootLogin" to no

This will Disable ssh root user login.


How to Disable Empty Password ?

Some Linux distributions will create users without passwords so it might be vulnerable to permit ssh connection with empty passwords for remote access. So in order to disable this service we need to set "PermitEmptyPasswords" to no in the sshd_config file:

PermitEmptyPasswords no

This will Disable empty password login.


How to Use Public Key Based Authentication Across SSH Protocol ?

It is highly recommended to use public key-based authentication as the SSH server supports different authentication processes. The hacker attempts different hacking tools to crack down the password using various methods like brute force attack. To prevent it from happening we use public key-based authentication.

First, we need to generate a public key and private key using the ssh-keygen command. To generate the key execute the following command. In the process you will be asked where to generate the ssh key, hit enter if you want to continue with the default. Then you will be asked a passphrase that refers to the password to your ssh key, uses a strong password that is the composition of a special character, alphabet, and numbers. Once the password is set your ssh key will be generated on .ssh dir in your home directory:

$ ssh-keygen -t rsa

This will generate ssh key pairs.

Before uploading public key, make sure you have .ssh dir in your remote server if not create one in your home dir then upload your public ssh key to the server using the following command:

$ cat .ssh/id_rsa.pub | ssh ubuntu@server 'cat >> .ssh/authorized_keys'

This will upload the public key to the server.

Now you can login as user ubuntu using public key over ssh protocol.


How to Disable SSH Login Authentication With Password ?

It is highly recommended to use ssh public key authentication for remote access to the server as passwords can be exposed through brute force attacks if a strong password is not used. To disable password authentication from the SSH server set the "PasswordAuthentication" value to no:

PasswordAuthentication no


How to Change SSH Default Port 22 ?

By default, SSH runs on port 22 in the system. If we change the SSH standard port it might add an extra layer of security by avoiding unusual traffic to the open port. So, to change the port no simple, open the sshd_config file and set your desirable unused port number in the port section.


How to Limit Users Login Access Using SSH ?

The SSH server allows all the users to the server remotely but we can override the default setting and set only specific users to allow or deny remote access over SSH protocol. In a simple way having remote access to all system users login creating a possible way for the hacker to access our system.

To allow the specific users to login over SSH, add the following line in the sshd_config.

AllowUsers user1 user2 ubuntu

And similarly, you can restrict specific user and allow other to access over SSH by adding the following line of code.

DenyUsers root user3 user4


How to Enhance the use of Strong Passwords for SSH User/Key ?

Usually, people often use simple passwords for their login like 123456, something123, so that they can remember passwords easily. This is why a brute force attack works perfectly as it goes dictionary wise to attempt the password check. So, to avoid that we must use a password containing special characters, uppercase and lowercase alphabet, numbers, and a minimum password length of 8 characters long.


1. Configure Idle Timeout Interval

Users often keep their SSH connection idle for a longer period so it will be high risk if someone tries to take over your SSH session and do as they like when users are not present at the moment. So we can set our login session timeout after a certain period of inactivity so that we need to re-login on session timeout. To set the idle timeout we need to set the "ClientAliveInterval" value in the sshd_config file. In the following example, we have set the timeout value 360 which is 6 minutes:

ClientAliveInterval 360


2. Use SSH Protocol 2

SSH has two variants of protocol SSH protocol 1 and SSH protocol 2, protocol 1 is the system default which is less secure than protocol 2 as protocol 2 applies bulk encryption, robust algorithms, and cryptographic checks. To switch to protocol 2 we need to add the following line in the sshd_config file:

Protocol 2


3. Configure a Limit for Password Attempts

We can limit the number of password attempts to ssh login so after a limited number of attempts the connection will drop which will add an extra layer of security that prevents the system from the bot attack. To achieve this we need to set the "MaxAuthTries" directive value. Here, we have set its limit for 4 attempts:

MaxAuthTries 3

This will Limit the ssh login attempt.


4. Disable Tunneling and Port Forwarding

If you won't be using tunneling and port forwarding service its is better to keep it disabled as a hacker might use these services to break through your system. To achieve it set the following directive value to no:

AllowAgentForwarding no
AllowTcpForwarding no
PermitTunnel no

Finally, after everything is set up don't forget to restart your ssh server to apply the changes:

$ sudo systemctl restart ssh


[Need assistance in securing your Linux Server? We can help you. ]


Conclusion:

This article covers methods of hardening SSH servers that help to avoid different security risks. With the advancements in technology, many business processes we carry out today heavily relies on the internet, online tools and connected devices. That is why taking the necessary precautions to ensure the network security has utmost importance. If an organization fails to secure their network, they are open to cyber attacks which can result in data breaches, losing digital assets, losing business and even going out of business.


How to secure SSH ?

If you want to make sure that your SSH server is impenetrable and secure, you should follow the steps below:

  • Set a custom SSH port. By default, SSH is set to be listening on port 22. Unfortunately, almost all cyber attackers know that. That is why changing it to something random like Port 821 offers an additional layer of security by obscurity.
  • Employ TCP wrappers. TCP Wrappers offer a host-based ACL protection that will allow you to sort out and filter who is able to access the SSH server.
  • Disable root login. Another default setting of the SSH server is that it allows root login on Unix and Linux operating systems. Since this feature can easily be exploited by the cyber attackers, we advise you to disable it.
  • Disable empty passwords. Again, in Unix and Linux operating systems, SSH server allows the users to create empty passwords which practically mean keeping the door open for intruders. Make sure that no user opts for an empty password by disabling the option.
  • Block SSH brute force attacks. In order to do so, you can opt for manually going through the system logs, detect the intruders and block them by using the firewall. Another (and much easier) method is using tools like Fail2ban, SSHGuard and such.