Tips for securing your SSH server
Protected Session
An SSH server facing the Internet will almost certainly be under attack, but a few proactive steps will help to keep the intruders away.
Secure Shell, better known as SSH, is a secure communication protocol used to execute commands on remote servers. SSH works on a client/server architecture. Data transferred through SSH is automatically encrypted using symmetric, asymmetric, and hashing algorithms. At receiving end, the data is automatically decrypted.
About 90 percent of system administrators use SSH to access their servers and configure them remotely. Users overwhelmingly prefer SSH over Telnet, an alternative communication protocol that is now considered insecure. SSH makes the data in transit more secure, but if you wish to secure an SSH server, you need to take some additional steps. Following are some measures that will help you protect your SSH server from attack.
Public Keys Instead of Passwords
The article on "System Hardening" elsewhere in this issue mentioned the benefits of using key authentication rather than passwords with SSH. Your password can be cracked by intruders, and you could end up getting hacked by a simple brute-force password attack. Here is a quick reprise on how to set up key-based authentication.
The first step is to generate the SSH keys on a client machine. You can generate keys in the terminal by running the following command (as shown in Figure 1):
ubuntu@ubuntu:~$ ssh-keygen -y
This command will generate two keys, a public key called id_rsa.pub
and a private key called id_rsa
. By default, these keys will be saved in the /home/user/.ssh
directory.
After generating the SSH keys, you need to move the public key (id_rsa.pub
) to the server.
From the client machine, type the following commands to move the public key to the server:
$ scp -p [ssh_port] ~/.ssh/id_rsa.pub username@server_ip:~/.ssh
On the server, now change the public key file name and permission by running the following commands in the terminal:
:~$ mv ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys
Now change the permissions by running the following commands:
$ chmod 700 ~/.ssh $ chmod 600 ~/.ssh/authorized_keys
Now it is time to test whether the server works or not. Try to access the SSH server from the client machine:
$ ssh -p [ssh_port] username@server_ip -i /path/to/id_rsa
If your client machine connects with the server, you know that key access is working correctly. Otherwise, check through the preceding steps and see if there is something you missed.
Changing the Default SSH Port
By default the client communicates with the server using the well-known port assigned to SSH, port 22, but it is not a good practice to use this default port. The reason is simple: Everyone knows about the default SSH port, and if you use it, you give the attacker a head start for hacking into your server. If you use another port, you add an extra obstacle for the intruder, who first has to find the SSH port before launching an attack.
Open the SSH configuration file with admin privileges using following command in the nano editor:
$ sudo nano /etc/ssh/sshd_config
In this file, find the following line, remove the #
sign, and replace 22 with your desired port number (see Figure 2):
# Port 22
After changing the port, restart the SSH server:
$ sudo systemctl restart ssh
Setting the Password Tries Limit
Another way to keep your SSH server secure from brute force attack is to set a password tries limit. When you set a limit, an attacker will not be able to access the SSH server after a specific number of unsuccessful password tries.
Open the sshd_config
file in your text editor. For example, if you use the nano editor, enter:
$ sudo nano /etc/ssh/sshd_config
Find the following line,
# MaxAuthTries 1
Remove the #
sign and set the number to 3
, as shown in Figure 3.
After changing the sshd_config
file, restart the SSH server by running the following command:
$ sudo systemctl restart ssh
Now, no one will be able to get access to your SSH server after three unsuccessful password tries. Of course, this could also cause complications for an authorized user who is having a bad memory day or forgets to check the Caps Lock key. Another approach is to use the Fail2ban utility, which suspends access for a predefined time interval and then lets the user try again. See the discussion of Fail2ban in the "System Hardening" article elsewhere in this issue.
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
AlmaLinux 10.0 Beta Released
The AlmaLinux OS Foundation has announced the availability of AlmaLinux 10.0 Beta ("Purple Lion") for all supported devices with significant changes.
-
Gnome 47.2 Now Available
Gnome 47.2 is now available for general use but don't expect much in the way of newness, as this is all about improvements and bug fixes.
-
Latest Cinnamon Desktop Releases with a Bold New Look
Just in time for the holidays, the developer of the Cinnamon desktop has shipped a new release to help spice up your eggnog with new features and a new look.
-
Armbian 24.11 Released with Expanded Hardware Support
If you've been waiting for Armbian to support OrangePi 5 Max and Radxa ROCK 5B+, the wait is over.
-
SUSE Renames Several Products for Better Name Recognition
SUSE has been a very powerful player in the European market, but it knows it must branch out to gain serious traction. Will a name change do the trick?
-
ESET Discovers New Linux Malware
WolfsBane is an all-in-one malware that has hit the Linux operating system and includes a dropper, a launcher, and a backdoor.
-
New Linux Kernel Patch Allows Forcing a CPU Mitigation
Even when CPU mitigations can consume precious CPU cycles, it might not be a bad idea to allow users to enable them, even if your machine isn't vulnerable.
-
Red Hat Enterprise Linux 9.5 Released
Notify your friends, loved ones, and colleagues that the latest version of RHEL is available with plenty of enhancements.
-
Linux Sees Massive Performance Increase from a Single Line of Code
With one line of code, Intel was able to increase the performance of the Linux kernel by 4,000 percent.
-
Fedora KDE Approved as an Official Spin
If you prefer the Plasma desktop environment and the Fedora distribution, you're in luck because there's now an official spin that is listed on the same level as the Fedora Workstation edition.