How To Lock Down SSH On Linux
SSH, short for Secure SHell, is a network protocol primarily used to securely access a server remotely. In a way, it’s like a backdoor to your server, so just like you wouldn’t leave your backdoor unlocked in your house, you should take precautions and implement security measures to harden your SSH. If you’re not familiar with it, you can learn about SSH here and how it compares to other security protocols and then come back to this tutorial.
This tutorial assumes that both the remote machine and your computer run a modern Linux-based system, which ships with OpenSSH preinstalled. You will also need to know how to log in over SSH from the terminal.
I’ll be using nano as my text editor throughout the tutorial; you can use whichever one you prefer.
Change The SSH Port
By default, SSH listens on port 22. Changing the port hides it from automated scanners and bots that only try port 22; it does not stop a port scan from finding the new port, so treat it as a way to cut noise rather than as a security control on its own. You can change the port to any that is not already taken or widely used, but make sure you do not forget which port you chose.
First we’ll need to open the sshd_config file (on most distributions it lives at /etc/ssh/sshd_config).
Once the file opens, find the #Port 22 line, delete the # in front of it (the # marks the line as a comment, so the directive is currently ignored and the default of 22 applies) and change 22 to the port you want.
Afterwards, restart sshd for the change to take effect (the service is called sshd on Red Hat-style systems and ssh on Debian and Ubuntu).
service sshd restart
From now on, when logging in over SSH you’ll have to pass the new port number to the client (ssh -p PORT user@host).
Also, if you have a firewall set up, don’t forget to open the new port there as well, and do it before restarting sshd so you don’t lock yourself out.
Generate And Enable SSH Key Authentication
As an authentication option, it’s recommended to use an SSH key pair instead of a password whenever possible. A key pair consists of a private key and a public key. The private key stays on your computer; never reveal it to anyone, and protect it with a passphrase (the passphrase encrypts the key file on disk; it is not your account password). The public key is placed on the remote machine and can be shared freely.
To generate a key, type the following into the terminal:
ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/demo/.ssh/id_rsa):
You’ll first be prompted for the location in which you want to store your key. If left empty, it is stored in the hidden .ssh directory in your home folder. Hit Enter to accept the default.
Next you’ll see this prompt.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Once again, if left empty, your SSH key won’t be secured with a passphrase. However, it is recommended that you set one, since without it anyone who obtains your private key file can log in to your server as you. Keep in mind that you will need to enter this passphrase every time you log in via SSH (unless you load the key into ssh-agent for the session).
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
Now you’re done. The private key is stored in ~/.ssh/id_rsa (or the path you chose) and the public key in ~/.ssh/id_rsa.pub alongside it. Remember never to share your private key with anyone!
Moving on to deploying your public key on the remote server. Type in the following command:
ssh-copy-id -i ~/.ssh/id_rsa.pub user@remote-host
~/.ssh/id_rsa.pub – the public key in your home directory
user@remote-host – your username on the remote server and its hostname or IP address
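A check worth running before you rely on key login, added here as an example and not part of the original tutorial: sshd (with its default StrictModes) ignores an authorized_keys file or .ssh directory that group or others can write to, and the ssh client refuses a private key that others can read, so a permissions slip silently falls back to password login. The function name is mine and it assumes a stat that understands -c (GNU or BusyBox).

```shell
#!/bin/sh
# Example check (not from the tutorial): report permission problems that make
# sshd or the ssh client reject key-based login.

# check_ssh_perms DIR: DIR is a user's .ssh directory. Prints each problem
# found and returns 1 if there was any, 0 if the layout is acceptable.
check_ssh_perms() {
  dir=$1 rc=0
  [ -d "$dir" ] || { echo "missing directory: $dir"; return 1; }
  # home dir, .ssh and authorized_keys must not be group/other writable
  for f in "$(dirname "$dir")" "$dir" "$dir/authorized_keys"; do
    [ -e "$f" ] || continue
    mode=$(stat -c %a "$f")          # octal mode, e.g. 755
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
      echo "group/other writable ($mode): $f"; rc=1
    fi
  done
  # private keys (id_* without .pub) must be readable by the owner only
  for f in "$dir"/id_*; do
    [ -f "$f" ] || continue
    case $f in *.pub) continue ;; esac
    mode=$(stat -c %a "$f")
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
      echo "private key accessible by others ($mode): $f"; rc=1
    fi
  done
  return $rc
}

# Stand-alone demo: check the current user's own .ssh directory.
if check_ssh_perms "$HOME/.ssh"; then
  echo "permissions look fine"
fi
```

Run it as the user whose keys you are checking, on both the client (private key) and the server (authorized_keys).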
Limit Users Or Groups Who Can Use SSH
If only certain users or groups need SSH access to your server, you can use the AllowUsers and AllowGroups directives.
Open your sshd_config.
Then add lines like the following to it:
AllowUsers user1 user2 user3
Substitute your own user names (and, for AllowGroups, your own group names). Once either directive is present, nobody outside the listed users and groups will be able to connect over SSH, so make sure the account you are currently using is included.
Turn Off Password Authentication On Your Server
Now that you’ve enabled SSH key authentication, you can disable password authentication, since it leaves you open to brute-force attacks. Before doing so, make sure that key authentication works by logging in again in a new session, keeping your current session open until the key login has succeeded. Disabling password authentication will lock out every password-based login.
Open the sshd_config file.
Find the PasswordAuthentication line, uncomment it by deleting the # symbol if it’s commented, and set the value to no.
Save your changes and restart the service.
service ssh restart
Now you’ve successfully disabled password authentication for your SSH.
Disable the use of SSH1 protocol
SSH1 (protocol 1) has known weaknesses and is far less secure than SSH2 (protocol 2). To check whether protocol 1 is allowed, open the sshd_config file. (OpenSSH 7.4 and later no longer include protocol 1 support at all, so on a current system the directive may be absent; that is fine.)
Find the Protocol directive; if its value is 1, 2 simply delete the 1 so that it reads Protocol 2.
Disable root login
Attackers commonly target the root account over SSH. To disable root login, open your sshd_config file and change PermitRootLogin from without-password (or prohibit-password, the newer name for the same setting) to no. Make sure a non-root account with sudo access can log in before you do this.
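The edits in this tutorial (Port, AllowUsers, PasswordAuthentication, Protocol, PermitRootLogin) all come down to uncommenting or replacing one directive line in sshd_config. The script below is an added example, not code from the tutorial: it makes those edits on a file you name and reads back the active values, so you can confirm them before restarting sshd. The port and user names are constructed placeholders.

```shell
#!/bin/sh
# Example helper (not from the tutorial): apply this page's sshd_config
# changes to a file and read back the active values.
# Limitation: it rewrites every line that begins with the directive, whether
# commented out or not, so it does not respect Match blocks. Review the result
# and run "sshd -t -f FILE" before restarting the service.

# set_sshd_option FILE KEY VALUE: uncomment/replace "KEY ..." or append it.
set_sshd_option() {
  file=$1 key=$2 value=$3
  tmp="$file.tmp.$$"
  if grep -Eiq "^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|$)" "$file"; then
    sed -E "s/^[[:space:]]*#?[[:space:]]*${key}([[:space:]].*)?$/${key} ${value}/I" \
      "$file" > "$tmp"
  else
    { cat "$file"; printf '%s %s\n' "$key" "$value"; } > "$tmp"
  fi
  mv "$tmp" "$file"
}

# sshd_option_value FILE KEY: print the value of the first active KEY line.
sshd_option_value() {
  grep -Ei "^[[:space:]]*$2([[:space:]]+|$)" "$1" | head -n 1 |
    sed -E 's/^[[:space:]]*[^[:space:]]+[[:space:]]*//'
}

# harden_sshd FILE: the directives this tutorial changes. Port 2222 and the
# user names are constructed placeholders; substitute your own.
harden_sshd() {
  set_sshd_option "$1" Port 2222
  set_sshd_option "$1" Protocol 2
  set_sshd_option "$1" PasswordAuthentication no
  set_sshd_option "$1" PermitRootLogin no
  set_sshd_option "$1" AllowUsers "user1 user2 user3"
}

# Stand-alone demo on a constructed copy of a default-looking sshd_config.
demo=$(mktemp)
printf '%s\n' '#Port 22' 'Protocol 1,2' 'PermitRootLogin without-password' \
  '#PasswordAuthentication yes' > "$demo"
harden_sshd "$demo"
cat "$demo"
rm -f "$demo"
```

Point harden_sshd at a copy of /etc/ssh/sshd_config first, diff it against the original, and only then install it and restart sshd.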