Tips for securing your SSH server
Whitelisting IP Addresses
A whitelist is a list of IP addresses that are explicitly granted access to the server. A blacklist is a list of addresses that are explicitly denied access. The TCP Wrappers feature built into many Linux distributions lets you define whitelists and blacklists for services like SSH.
To whitelist specific IP addresses for the sshd service, open the hosts.allow file by running the following command in the server terminal:
$ sudo nano /etc/hosts.allow
Then put the IP addresses you want to whitelist in this file, either individually:
sshd: 192.168.2.2
or as a group using CIDR notation:
sshd: 192.168.2.0/24
You can then blacklist all the remaining IP addresses by modifying the hosts.deny file. Open the hosts.deny file:
$ sudo nano /etc/hosts.deny
and add the following line:
sshd: ALL
If you would prefer to just blacklist specific addresses, enter the specific address or address range in hosts.deny:
sshd: 192.168.2.2
sshd: 192.168.5.0/24
After changing the hosts.allow and hosts.deny files, restart your SSH server by running the following command:
$ sudo systemctl restart ssh
Now your SSH server is open to only specific IP addresses.
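To check a whitelist before relying on it, here is an added Python example (not from the article) that evaluates the TCP Wrappers decision order, hosts.allow first, then hosts.deny, then allow by default, against constructed copies of the two files above; it handles the subset of patterns shown here (ALL, single addresses, CIDR or net/mask ranges and a trailing-dot prefix) and ignores the EXCEPT keyword and option fields.

```python
import ipaddress

# Constructed sample files mirroring the article's whitelist plus deny-all setup.
# Note: TCP Wrappers only takes effect when sshd is built with libwrap support.
HOSTS_ALLOW = """
# comments and blank lines are ignored
sshd: 192.168.2.2
sshd: 192.168.2.0/24
"""
HOSTS_DENY = "sshd: ALL\n"


def parse_rules(text):
    """Return (daemon_list, client_list) pairs from a hosts.allow/hosts.deny body."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients = line.split(":", 2)[:2]  # a third field (shell command) is ignored
        rules.append(([d.strip() for d in daemons.split(",")],
                      [c.strip() for c in clients.split()]))
    return rules


def client_matches(pattern, ip):
    """Subset of TCP Wrappers host patterns: ALL, exact IP, CIDR, net/mask, 'net.' prefix."""
    addr = ipaddress.ip_address(ip)
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                  # "192.168." matches 192.168.x.y
        return ip.startswith(pattern)
    if "/" in pattern:                         # "192.168.2.0/24" or "192.168.2.0/255.255.255.0"
        return addr in ipaddress.ip_network(pattern, strict=False)
    return addr == ipaddress.ip_address(pattern)


def rule_matches(rules, daemon, ip):
    return any((daemon in ds or "ALL" in ds) and any(client_matches(c, ip) for c in cs)
               for ds, cs in rules)


def access_allowed(daemon, ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """TCP Wrappers order: a hosts.allow match grants, then a hosts.deny match refuses,
    otherwise access is granted."""
    if rule_matches(parse_rules(allow_text), daemon, ip):
        return True
    if rule_matches(parse_rules(deny_text), daemon, ip):
        return False
    return True


if __name__ == "__main__":
    for ip in ("192.168.2.2", "192.168.2.77", "10.0.0.5"):
        print(ip, "allowed" if access_allowed("sshd", ip) else "denied")
```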
Blocking Addresses with a Firewall
An SSH server accessible by the public is bound to come under attack. The hosts.deny file is one way to block access to a specific IP address, but a firewall is another important line of defense.
For this example, I'll use the Uncomplicated Firewall (UFW) tool used to configure firewalls in Ubuntu. UFW comes preinstalled on many Linux distributions, but if your Linux uses a different tool, the concepts are similar. Check the status of UFW by running the following command (Figure 4):
$ sudo ufw status
If UFW is inactive on your server, activate it as follows:
$ sudo ufw enable
Now say you want to block the IP address 192.168.2.2 and a range of IP addresses (192.168.5.0/24) on the SSH server, which is running on port 22 (of course, if you follow the advice given in this article, you'll be using a different port instead of port 22). Use the following command to block a single IP address:
$ sudo ufw deny from 192.168.2.2 port 22
This command will add a rule to block this IP address on port 22. Now check the status of UFW by again running the status command:
$ sudo ufw status
If UFW is active, the command will display all the rules, as shown in Figure 5.
Now run the following commands to block a range of IP addresses, and then check the UFW status on the SSH server:
$ sudo ufw deny from 192.168.5.0/24 port 22
$ sudo ufw status
These commands block the IP addresses and display all the rules, as shown in Figure 6.
Now your server is secure against attacks from these IP addresses. You can restore access to these addresses by deleting the rules. To delete the second rule from UFW rules (Figure 7):
$ sudo ufw delete 2
$ sudo ufw status
Adding Two-Factor Authentication
One of the best ways to secure your SSH server against hijack is adding two-factor authentication (2FA). In this example, I will use Google Authenticator to add multifactor authentication to the SSH server. Following are the steps to activate 2FA on the SSH server.
First of all, install Google Authenticator on your Android device. You can install Google Authenticator with the following link:
https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en
Now log into the SSH server and run the following command in the terminal to install Google Authenticator on the server:
$ sudo apt-get install libpam-google-authenticator
After installing, open Google Authenticator by typing the following command:
$ google-authenticator
You will be asked if you want Google Authenticator to generate time-based authentication tokens. If you reply with yes, tokens will expire after a specific time and new tokens will be generated. It is more secure to use time-based authentication tokens.
Answering this question will generate some credentials, including a QR code, a verification code, a secret key, and emergency scratch codes. Now open Google Authenticator on your Android device and scan the QR code generated on the terminal.
If your mobile device does not support QR code scanning, you can use a verification code to get started. Now you will be asked if you want to change the Google Authenticator configuration file. If you want to customize Google Authenticator, select yes (Figure 8).
Once you have Google Authenticator configured and working, the next step is to configure SSH to use Google Authenticator for two-factor authentication. Open the SSH configuration file by typing the following command:
$ sudo nano /etc/ssh/sshd_config
Find the following lines and set them to yes:
UsePAM yes
ChallengeResponseAuthentication yes
After changing the configuration file (Figure 9), restart the SSH server by running the following command:
$ sudo systemctl restart ssh
Now whenever you try to log in to your SSH server, it will ask for secondary credentials, which will then be generated on your smartphone. You can get access to the server after providing these credentials.