SSH means Secure Shell, and it’s a protocol designed to allow secure communications between different hosts using an encrypted connection. SSH servers allow users to log into remote hosts, run commands and operate network services, securely. In order to establish an SSH connection, you need two parts: the SSH client and the SSH server.
A very big part of SSH security relies on how the SSH Server is configured. Today, you will learn about the Top 10 security tips to harden your SSH server.
10 Steps to Secure Your SSH Server
First, you have to locate your open SSH main server configuration file, as most of the security tips focus on modifications of this file. On most Linux distributions, it can be found at:
1. Use a different port than 22.
Edit your sshd_config file, and set one different than 22:
This will prevent brute force attacks against the default SSH port.
2. Use Protocol SSH 2 only.
Almost all Linux distributions already come with Protocol 2 as default, but always make sure this is set as:
SSH Protocol 1 is very insecure, allows man-in-the-middle attacks and has a lot of known vulnerabilities.
3. Disable root login.
Direct root logins are insecure by default, even more if the root password is weak. The best way to protect direct root logins is to require a primary user to log in via SSH, and then log in as root if it’s really necessary.
Add the primary user for the SSH connection and set a new password:
useradd john passwd john
Edit the sshd_config file and set:
PermitRootLogin no AllowUsers john #if this line doesn't exist, just add it
This will disable root login and allow user “john” to log in via SSH, where once he is logged in he can perform a simple ‘su -‘ to become root user.
4. Avoid listening on all interfaces.
By default, the SSH server listens on all network interfaces. Secure this and allow SSH to listen only on one predefined interface:
Replace “XX.XX.XX.XX” with your real server IP.
5. Address Misc Security options
Apply changes to your sshd_config file. StrictModes forces the SSH server to check a user’s permissions in their home dir and rhosts files before accepting login.
LoginGraceTime defines how long the SSH server will wait until disconnecting if the user hasn’t successfully logged in.
If you don’t need port forwarding, set this to ‘no’:
You don’t need any X11 stuff if you are terminal only nerds:
Print last log of the established connections:
Disable logging into accounts with null passwords:
Set up your Welcome banner by editing /etc/motd file, add the text that you need, and it will be displayed on your next shell logins (local and remote). Example:
[user@localhost ~]$ ssh firstname.lastname@example.org Last login: Sat Oct 31 09:11:53 2015 from XX.XX.XX.XX ALERT! You are entering a secured area! Your IP and login information have been recorded. System administration has been notified. This system is restricted to authorized access only. All activities on this system are recorded and logged. Unauthorized access will be fully investigated and reported to the appropriate law enforcement agencies. [user@remotehost ~]$
6. Use public_keys instead of passwords.
Check out this tutorial on how to log into an SSH Server using public keys: SSH Login without passwords using public keys. After you ensure that public key access is working, edit your sshd_config file and disable password authentication:
7. Limit connections using TCPWrappers.
TCPWrappers are one of the best ways to secure your SSH Server by setting who can connect to which servers. ONLY use this if you have a static IP address with your local internet provider. If you use dynamic IPs and use Tcpwrappers, it will probably lock you out of your server.
Edit /etc/hosts.allow file and add this line to allow connections from your local network IP (replace “XX.XX.XX.XX” with your real public IP):
sshd : XX.XX.XX.XX
Then, at the /etc/hosts.deny file, deny all of the rest of the incoming SSH connections:
sshd : ALL
8. Limit SSH connections using a Firewall.
If you are using an iptables firewall like CSF, you can set a limit to the incoming SSH connections and how many times it will fail before it gets blocked:
Edit /etc/csf/csf.conf and set:
LF_SSHD = "5"
Restart the firewall to apply changes:
9. Activate Port Knocking.
Port knocking is a security technique that relies on knocking pre-defined ports on the SSH Server in order to allow the establishment of the SSH connection from a remote host. Follow this tutorial to activate Port Knocking on your iptables rules: How to enable Port Knocking on CentOS
10. Integrate Google Authenticator.
2 factor authentication is here to stay. It’s widely used in web based logins, and you can also integrate 2 step authentication into your SSH logins. Check out these cool tutorials:
SSH is still one of the most used network services on Linux and BSD servers. It can be a powerful tool to connect and control servers, but it also can become your worse nightmare if you don’t secure it properly. After following these 10 steps, you should have a much more secure SSH server. Do you have any other SSH Security tip? Share in the comments.
Popular search terms:
- best way to secure ssh
- how to secure nginx ports
- how to secure nginx debian server
- how to protect from ssh