Introduction
Securing your SSH server is essential to protect your system from unauthorized access. In this tutorial, I will guide you through the steps to secure your SSH server by implementing the best practices and following recommended security measures.
Install OpenSSH Server
Make sure OpenSSH server is installed on your Linux system. If it’s not already installed, you can install it using the package manager specific to your Linux distribution.
For Ubuntu/Debian:
sudo apt update
sudo apt install openssh-serverFor CentOS/Fedora:
sudo dnf update
sudo dnf install openssh-serverUpdate SSH Configuration File
The main configuration file for OpenSSH server is located at
/etc/ssh/sshd_config. Before making any changes, create a backup of the
original file:
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config_backupNow open the configuration file in a text editor:
sudo nano /etc/ssh/sshd_configHere are some recommended settings to modify or add in the sshd_config file:
-
Disable root login (if not necessary):
PermitRootLogin no -
Change default SSH port (optional but recommended):
# Uncomment and modify Port line with desired port number (e.g., 2222) Port 2222 -
Limit user authentication methods:
# Uncomment and modify as follows: # - Disable password-based authentication PasswordAuthentication no # - Enable public key authentication PubkeyAuthentication yes # - Enable only specific algorithms for increased security (optional) KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com -
Disable empty passwords:
PermitEmptyPasswords no -
Limit SSH access to specific users (optional):
AllowUsers your_username1 your_username2
Make sure to save the changes after modifying the sshd_config file.
Restart SSH Service
After making changes to the SSH configuration, restart the OpenSSH service for the changes to take effect:
For Ubuntu/Debian:
sudo systemctl restart sshdFor CentOS/Fedora:
sudo systemctl restart sshd.serviceSet Up SSH Key-Based Authentication (Recommended)
Using key-based authentication provides stronger security than password-based authentication. Here’s how you can set it up:
On your local machine (the machine you use to access your server), generate an SSH key pair using the following command:
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"This will generate a public key (id_rsa.pub) and a private key (id_rsa).
Keep your private key secure and never share it with anyone.
On your server, create a .ssh directory in your home folder if it doesn’t exist:
mkdir ~/.ssh
chmod 700 ~/.ssh/Notice that the permissions
700on the folder.sshare very important
Copy the contents of your public key (id_rsa.pub) on your local machine and
append it to ~/.ssh/authorized_keys file on the server using a text editor or
by running this command:
echo "contents_of_public_key" >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keysNotice that the permissions
600on the fileauthorized_keysare very important
Make sure to replace contents_of_public_key with the actual contents of your
public key.
Now, disable password-based authentication in the SSH configuration file as
mentioned in Step 2 (PasswordAuthentication no). This will ensure that only
key-based authentication is allowed.
Restart the SSH service for the changes to take effect.
Enable Two-Factor Authentication (Optional but Recommended)
Enabling two-factor authentication adds an extra layer of security to your SSH server. It requires users to provide a second form of authentication, typically a time-based one-time password (TOTP) generated by an authenticator app like Google Authenticator or Authy. Here’s how you can set it up:
Install libpam-google-authenticator on your server using the package manager
specific to your Linux distribution:
For Ubuntu/Debian:
sudo apt update
sudo apt install libpam-google-authenticatorFor CentOS/Fedora:
sudo dnf update
sudo dnf install google-authenticator-libpamRun google-authenticator command and follow the prompts to set up two-factor
authentication for your user account. Make sure to answer “yes” when asked if
you want tokens to be time-based and “no” when asked if you want emergency
scratch codes.
Update /etc/pam.d/sshd file with these lines at the top:
auth required pam_google_authenticator.so nullok
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022Save and exit after making changes.
Open /etc/ssh/sshd_config file again and find this line:
ChallengeResponseAuthentication noChange it to:
ChallengeResponseAuthentication yesRestart SSH service for changes to take effect.
Configure Firewall Settings (Optional)
To further enhance security, you can configure your firewall to allow only specific IP addresses or IP ranges to access your SSH server. This will restrict SSH access to trusted sources.
For Ubuntu/Debian, use UFW (Uncomplicated Firewall) to manage firewall settings:
sudo ufw allow from trusted_ip_address to any port 22
sudo ufw enableReplace trusted_ip_address with the actual IP address or range you want to
allow SSH access from.
For CentOS/Fedora, use firewalld:
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="trusted_ip_address" service name="ssh" accept'
sudo firewall-cmd --reloadAgain, replace trusted_ip_address with the actual IP address or range.
Regularly Update and Monitor Your System
Keeping your system up-to-date is crucial for security. Regularly update all installed packages and apply security patches as soon as they are available.
Additionally, monitor log files (/var/log/auth.log for Ubuntu/Debian or
/var/log/secure for CentOS/Fedora) for any suspicious activities or failed
login attempts. This can help identify potential security threats and take
appropriate actions.
Conclusion
By following these steps and implementing best practices mentioned in this tutorial, you can significantly enhance the security of your SSH server. Always stay vigilant about maintaining a secure environment and keep yourself updated on new vulnerabilities and recommended practices in securing SSH servers.