Tips for securing your SSH server
Whitelisting IP Addresses
A whitelist is a list of IP addresses that are explicitly granted access to the server; a blacklist is a list of addresses that are explicitly denied access. The TCP Wrappers feature built into many Linux distributions lets you define whitelists and blacklists for services like SSH. One caveat before you rely on it: upstream OpenSSH dropped TCP Wrappers (libwrap) support in version 6.7, and only distributions that still carry a patch for it make sshd honor hosts.allow and hosts.deny. Check that your sshd binary is linked against libwrap (ldd will show it); if it is not, use the firewall rules described in the next section instead.
To whitelist specific IP addresses for the sshd service, open the hosts.allow file by running the following command in the server terminal:
$ sudo nano /etc/hosts.allow
Then put the IP addresses you want to whitelist in this file, either individually:
sshd: 192.168.2.2
or as a group using CIDR notation:
sshd: 192.168.2.0/24
TCP Wrappers consults hosts.allow first and grants access on the first match; only if nothing matches there does it consult hosts.deny, and if neither file matches, access is granted. A whitelist therefore only works if you also blacklist all the remaining IP addresses in the hosts.deny file. Open the hosts.deny file:
$ sudo nano /etc/hosts.deny
And add the following line:
sshd: ALL
Before you save it, make sure the address you are currently connected from is covered by hosts.allow: the files are read on every new connection, so the change takes effect immediately.
If you would prefer to just blacklist specific addresses, enter the specific address or address range in hosts.deny, one entry per line:
sshd: 192.168.2.2
sshd: 192.168.5.0/24
Because TCP Wrappers reads hosts.allow and hosts.deny on each new connection, no restart is strictly required, but restarting the SSH server confirms that it still starts cleanly:
$ sudo systemctl restart ssh
(On Fedora, RHEL and similar systems the unit is called sshd rather than ssh.) Now your SSH server accepts connections only from the whitelisted addresses. Test this from a second terminal before closing your current session, so that a typo does not lock you out.
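To make the lookup order concrete, here is a small Python model of the hosts_access(5) decision, added for this article rather than taken from TCP Wrappers itself. It parses the two files in the daemon: client_list format shown above, supports ALL, single addresses and CIDR networks (not hostnames, the dotted-prefix form or EXCEPT), and includes a lockout check you can run against your own admin address before saving a new hosts.deny. The sample file contents and the addresses are constructed for the example.

```python
import ipaddress

# Constructed sample files mirroring the article's whitelist setup.
# (On a real system these live at /etc/hosts.allow and /etc/hosts.deny.)
HOSTS_ALLOW = """\
# sshd: hosts that may connect
sshd: 192.168.2.2
sshd: 192.168.2.0/24
"""
HOSTS_DENY = """\
sshd: ALL
"""


def parse_rules(text):
    """Parse 'daemon_list : client_list [: shell_command]' lines.

    Covers what the article uses: daemon names or ALL, and client patterns
    that are single IPs, CIDR networks or ALL.  Hostnames, the dotted-prefix
    form (192.168.2.) and EXCEPT are not modelled in this simplified version.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue  # malformed line: tcpd would log it; we skip it
        daemons = [d.strip() for d in fields[0].split(",") if d.strip()]
        clients = fields[1].replace(",", " ").split()
        rules.append((daemons, clients))
    return rules


def client_matches(pattern, ip):
    """True if the client pattern (ALL, IP or CIDR) covers the address."""
    if pattern == "ALL":
        return True
    try:
        return ip in ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        return False  # pattern type not supported by this model


def rules_match(rules, daemon, ip):
    return any(
        (daemon in daemons or "ALL" in daemons)
        and any(client_matches(p, ip) for p in clients)
        for daemons, clients in rules
    )


def tcpwrap_decision(allow_text, deny_text, daemon, client_ip):
    """Reproduce the hosts_access(5) order: hosts.allow first (match -> allow),
    then hosts.deny (match -> deny), and allow when neither file matches."""
    ip = ipaddress.ip_address(client_ip)
    if rules_match(parse_rules(allow_text), daemon, ip):
        return "allow"
    if rules_match(parse_rules(deny_text), daemon, ip):
        return "deny"
    return "allow"


def lockout_check(allow_text, deny_text, daemon, admin_ips):
    """Return the admin addresses that these files would cut off."""
    return [ip for ip in admin_ips
            if tcpwrap_decision(allow_text, deny_text, daemon, ip) == "deny"]


if __name__ == "__main__":
    for ip in ("192.168.2.2", "192.168.2.77", "10.0.0.5"):
        print(ip, "->", tcpwrap_decision(HOSTS_ALLOW, HOSTS_DENY, "sshd", ip))
    # Forgetting the deny-all line silently allows everyone:
    print("10.0.0.5 with empty hosts.deny ->",
          tcpwrap_decision(HOSTS_ALLOW, "", "sshd", "10.0.0.5"))
    print("locked out:",
          lockout_check(HOSTS_ALLOW, HOSTS_DENY, "sshd", ["203.0.113.9"]))
```

Run it with your own admin address in the lockout_check call; the third print shows why the sshd: ALL line in hosts.deny is not optional, since an empty hosts.deny leaves every address allowed.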
Blocking Addresses with a Firewall
An SSH server accessible from the public Internet is bound to come under attack. The hosts.deny file is one way to block access from a specific IP address, but a firewall is another important line of defense, and it works regardless of whether your sshd was built with TCP Wrappers support.
For this example, I'll use the Uncomplicated Firewall (UFW) tool used to configure firewalls in Ubuntu. UFW comes preinstalled on many Linux distributions, but if your Linux uses a different tool, the concepts are similar. Check the status of UFW by running the following command (Figure 4):
$ sudo ufw status
If UFW is inactive on your server, first make sure there is an allow rule for your SSH port: UFW's default policy drops all incoming connections, so enabling it on a remote server without such a rule cuts off your own session. Then activate it as follows:
$ sudo ufw enable
Now say you want to block the IP address 192.168.2.2 and a range of IP addresses (192.168.5.0/24) on the SSH server, which is running on port 22 (of course, if you follow the advice given in this article, you'll be using a different port instead of port 22). Two details of UFW syntax matter here. First, the port must be given as the destination (to any port 22): writing from 192.168.2.2 port 22 would match the source port, which an SSH client never uses, so the rule would never fire. Second, UFW evaluates rules in order and stops at the first match, so a deny rule appended after your existing allow rule for port 22 is never reached; insert it at position 1 instead. Use the following command to block a single IP address:
$ sudo ufw insert 1 deny from 192.168.2.2 to any port 22 proto tcp
This command adds a rule that blocks this IP address on port 22. Now check the status of UFW by again running the status command:
$ sudo ufw status
If UFW is active, the command will display all the rules, as shown in Figure 5.
Now run the following commands to block a range of IP addresses, and then check the UFW status on the SSH server:
$ sudo ufw insert 1 deny from 192.168.5.0/24 to any port 22 proto tcp
$ sudo ufw status
These commands block the address range and display all the rules, as shown in Figure 6.
UFW now drops new SSH connections from these addresses; it does nothing about sessions that were already established, and it does not help against attackers coming from other addresses. You can restore access to these addresses by deleting the rules. Rule numbers shift as rules are inserted and removed, so list them with the numbered form of the status command before deleting. To delete the second rule from the UFW rules (Figure 7):
$ sudo ufw delete 2
$ sudo ufw status
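The following Python helper, added here and not part of the article's original commands, turns a list of addresses or networks into correctly formed UFW rules: it validates each entry with the ipaddress module, drops duplicates, uses to any port so the destination port is matched, and emits insert 1 so the deny rules land ahead of the allow rule for the SSH port. It assumes such an allow rule already exists (it must, for SSH to work under UFW's deny-incoming default), so position 1 is valid. The addresses are the ones used above; the dry-run wrapper and the sudo invocation are assumptions of this example.

```python
import ipaddress
import shlex
import subprocess

SSH_PORT = 22  # change this if you moved sshd to another port


def ufw_block_commands(addresses, port=SSH_PORT, proto="tcp"):
    """Return the ufw commands (without sudo) that block each address or
    network from reaching the SSH port, in the order they must be run.

    - Every entry is validated with ipaddress; garbage raises ValueError
      instead of reaching ufw.
    - Duplicates (e.g. 192.168.2.2 and 192.168.2.2/32) are collapsed.
    - 'to any port N' targets the destination port; 'from ADDR port N'
      would match the *source* port and never hit a client connection.
    - 'insert 1' puts each deny rule ahead of the usual allow rule so it
      is evaluated first.  Each insert pushes the previous one down, so the
      list is reversed to keep the caller's order in the final ruleset.
    """
    nets = []
    for entry in addresses:
        net = ipaddress.ip_network(entry.strip(), strict=False)
        if net not in nets:
            nets.append(net)
    commands = []
    for net in nets:
        # A /32 (or /128) is written as a bare address, the way ufw status shows it.
        if net.prefixlen == net.max_prefixlen:
            src = str(net.network_address)
        else:
            src = str(net)
        commands.append(
            f"ufw insert 1 deny from {src} to any port {port} proto {proto}"
        )
    return list(reversed(commands))


def apply_block(addresses, dry_run=True):
    """Print (dry run) or execute the generated rules; returns them."""
    commands = ufw_block_commands(addresses)
    for cmd in commands:
        if dry_run:
            print("sudo " + cmd)
        else:
            subprocess.run(["sudo"] + shlex.split(cmd), check=True)
    return commands


if __name__ == "__main__":
    # Dry run: prints the commands for the article's two example addresses.
    apply_block(["192.168.2.2", "192.168.5.0/24"])
```

Run it first in dry-run mode and compare the printed commands with the rules shown by the numbered status output; switch to dry_run=False only once you are satisfied that your own address is not in the list.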
Adding Two-Factor Authentication
One of the best ways to protect your SSH server against password guessing and stolen credentials is adding two-factor authentication (2FA). In this example, I will use the Google Authenticator PAM module to add a time-based one-time password (TOTP) as the second factor on the SSH server; any standard TOTP app on your phone works with it, not only Google's. Following are the steps to activate 2FA on the SSH server.
First of all, install Google Authenticator on your Android device. You can install Google Authenticator from the following link:
https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en
Now log into the SSH server and run the following command in the terminal to install Google Authenticator on the server:
$ sudo apt-get install libpam-google-authenticator
After installing, run the setup tool as the user who will be logging in over SSH (not with sudo), because it writes that user's secret to ~/.google_authenticator, and every account that logs in via SSH needs its own:
$ google-authenticator
You will be asked if you want Google Authenticator to generate time-based authentication tokens. If you reply with yes, each token is valid only for a 30-second window, after which a new one is generated; the alternative is a counter-based token that stays valid until it is used. Time-based tokens are the more secure choice and are what the phone app expects by default.
Answering this question will generate some credentials, including a QR code, a verification code, a secret key, and emergency scratch codes. Now open Google Authenticator on your Android device and scan the QR code generated on the terminal.
If your mobile device does not support QR code scanning, you can enter the secret key into the app manually instead. Keep the emergency scratch codes somewhere offline: each one is a single-use login for the day you lose the phone. Next you will be asked whether the tool should update your ~/.google_authenticator file; answer yes, otherwise the secret is never saved and PAM has nothing to check against. The remaining questions (disallow reuse of a token, widen the time-skew window, rate-limit login attempts) are best answered yes, no and yes respectively (Figure 8).
Once you have Google Authenticator configured and working, the next step is to tell PAM and SSH to use it. First add the line auth required pam_google_authenticator.so to the end of /etc/pam.d/sshd, so that the PAM stack for sshd asks for the verification code; without this line the settings below change nothing. Then open the SSH configuration file by typing the following command:
$ sudo nano /etc/ssh/sshd_config
Find the following lines and set them to yes:
UsePAM yes
ChallengeResponseAuthentication yes
On OpenSSH 8.7 and later the second option is named KbdInteractiveAuthentication (the old name still works as an alias). Note that a successful public-key login never runs the PAM authentication modules, so with only these two settings the code is requested for password logins alone; to require a key and a code, also set AuthenticationMethods publickey,keyboard-interactive.
After changing the configuration file (Figure 9), restart the SSH server by running following command:
$ sudo systemctl restart ssh
Now whenever you log into your SSH server, it also asks for the verification code currently shown by the app on your smartphone, and you get access to the server only after providing it.
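The time-based tokens described above are TOTP codes (RFC 6238): an HMAC-SHA1 over the current 30-second time step, keyed with the base32 secret that google-authenticator prints. The following Python implementation is added for this article and is not the code of the PAM module; it generates the codes the phone app would show and checks them the way the module's options do, accepting one time step of clock skew on either side and refusing a code that has already been accepted. The secret is the RFC 4226 test-vector key, base32-encoded, so the expected codes are the published ones; a real secret is the one the setup tool prints.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 test-vector secret ("12345678901234567890"), base32-encoded
# the way google-authenticator prints it.  Constructed for this example.
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    key_text = secret_b32.upper().replace(" ", "")
    key_text += "=" * (-len(key_text) % 8)  # b32decode insists on padding
    key = base64.b32decode(key_text)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32, at=None, step=30, digits=6):
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / step)."""
    at = time.time() if at is None else at
    return hotp(secret_b32, int(at // step), digits)


class TotpVerifier:
    """Server-side check mirroring two options google-authenticator asks about:
    a +/-window of time steps for clock skew, and no re-use of an accepted code."""

    def __init__(self, secret_b32, step=30, digits=6, window=1):
        self.secret = secret_b32
        self.step = step
        self.digits = digits
        self.window = window
        self._used_counters = set()

    def verify(self, code, now=None):
        now = time.time() if now is None else now
        centre = int(now // self.step)
        submitted = code.strip().replace(" ", "").encode()
        for counter in range(centre - self.window, centre + self.window + 1):
            expected = hotp(self.secret, counter, self.digits).encode()
            if hmac.compare_digest(expected, submitted):  # constant-time compare
                if counter in self._used_counters:
                    return False  # replay of an already-accepted code
                self._used_counters.add(counter)
                return True
        return False


if __name__ == "__main__":
    print("code the app would show now:", totp(RFC_SECRET))
    v = TotpVerifier(RFC_SECRET)
    # Same code presented twice within the window: accepted once, then refused.
    print(v.verify("287082", now=59), v.verify("287082", now=61))
```

The 30-second step and the skew window together explain the setup tool's question about widening the window: each extra step accepted on either side gives an attacker who captured a code proportionally longer to replay it, which is why the reuse ban matters as well.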