Top 10 Tips to Secure SSH Your Server

By: Sunil Kumar |  In: Server  |  Last Updated: 2018/10/01

Top 10 Tips to Secure SSH Your Server

SSH – secure shell

The SSH protocol is a secure method to remote login one server to another server. It provides several alternative options for strong authentication, and it protects the communications security and integrity with strong encryption. It is a secure alternative to other protocol like telnet and file transfer protocol FTP.

Locate SSH server configuration file-

All the changes we are going to discuss will be done in SSH configuration file. This file can be found at /etc/ssh/ssh_config

open this config file using-

sudo nano /etc/ssh/ssh_config

1. Use a different port than 22

22 is the default port used by SSH protocol. You should not use the default port as it is easy to guess and more vulnerable to brute-force attacks.

To change the default port change the following line(here we are using port 221 instead of port 22).

Port 221

2. Use Protocol SSH 2 only

The earlier protocol SSH 1 contains many security vulnerabilities. so you should be using SSH 2 instead of SSH 1. SSH 2 should be set to 2 by default. If not you can change using

Protocol 2

3. Disable Direct root login

Allowing direct root login is one of the most dangerous security hole you can have. No server should be allowed to direct root login through SSH.

To disable direct root login change PermitRootLogin to no from yes

PermitRootLogin no

If you really need to log in as root you can add a primary user to login first and you can log in as a root user

to add a user

useradd peter
passwd peter

this is an example. I highly recommend using a very strong password.

Once you login to user peter you can switch to root user by using

su -

4. Use public_keys instead of passwords

There are 2 ways to login to an SSH server- using a password or public/private keys. You should be using public keys to login to SSH server security. You can use this link to configure SSH login without a password.

After ensuring your key based login is working properly you can disable password based login using

PasswordAuthentication no

5. Enable two-factor authentication

You should enable two-factor authentication on your SSH server to make it more secure. So if someone tries to brute force your server, can be blocked by 2-factor authentication.

Google authenticator is one of the most trustworthy and widely used authenticators. You can enable Google authentication on your server using this link.

6. Disable Empty Passwords

You should not allow remote login with an empty password. if you allow login with empty password your server is more vulnerable to the brute-force attack.

To disable empty password login set

PermitEmptyPasswords no

7. Use strong passwords and passphrase for ssh users/keys

Most of the server got attacked because of the weak password. They use easy to guess password like the brand name or some universal password like 123456 or qwerty. Weak password is more likely to cracked by brute-force attacks.

You should be using a very strong password and passphrase to log in your SSH server.

8. Configure Idle Timeout Interval

To avoid having an unattended SSH session, you can set an Idle timeout interval.

ClientAliveInterval 360
ClientAliveCountMax 0

The idle timeout interval you are setting is in seconds (360 secs = 6 minutes). Once the interval has passed, the idle user will be automatically logged out.

Execute a PHP file on Remote Server Using SSH

9. Disable port forwarding

Hackers can use port forwarding technique to tunnel network connections through an SSH session to login into systems.

To disable port forwarding –

AllowTcpForwarding no
X11Forwarding no

10. Restrict SSH logins to specific IP addresses

By default, SSH will accept connections from any external IP address. If you want to restrict SSH to only allow a connection from a specific IP address, you can add a ListenAddress line.

For example, if you want to only accept SSH connections from IP address 192.168.1.2 you would add the line:

ListenAddress 192.168.7.2

Restart SSH server

After making any changes to sshd_config file do not forget to restart the SSH server.

sudo service ssh restart

Conclusion

By making these changes your server will be secure than most of the server and will not be easy for attackers to walk into your server.

Comments


Leave a Comment

Your email address will not be published.

*


Sunil Kumar


I am the owner of acmeextension. I am a passionate writter and reader. I like writting technical stuff and simplifying complex stuff.
Know More

Join more than 10,000 others Web Developers