13 Ways to Secure SSH Server Connections on Linux
SSH is widely used for accessing Linux servers securely. Most users use SSH connections with default settings to connect to a remote server. However, the unsecured default configurations also pose various security risks.
The root account of a server with open SSH access may be at risk. And especially if you are using a public IP address, it is much easier to hack the root password. Therefore, it’s necessary to know about SSH security.
Here’s how you may secure your SSH server connections on Linux.
1. Disable Root User Logins
For this, first, disable the root user’s SSH access andcreate a new user with root privileges. Turning off server access for the root user is a defense strategy that prevents attackers from achieving their goal of intruding into the system. For example, you can create a user namedexamplerootas follows:
Here’s a brief explanation of the aforementioned commands:
After the user creation process, it is necessary to make some changes to thesshd_configfile. You can find this file at/etc/ssh/sshd_config. Open the file with any text editor and make the following changes:
ThePermitRootLoginline will prevent the root user from gaining remote access using SSH. Includingexamplerootin theAllowUserslist grants necessary permissions to the user.
Finally, restart the SSH service using the following command:
If that fails and you receive an error message, try the command below. This may differ based on the Linux distro you use.
2. Changing the Default SSH Port
The default SSH connection port is 22. Of course, all attackers know this and therefore, it is necessary to change the default port number to ensure SSH security. Although an attacker can easily find the newport number with a Nmap scan, the goal here is to make the attacker’s job more difficult.
To change the port number, open/etc/ssh/sshd_configand make the following changes to the file:
After this step, restart the SSH service again withsudo systemctl restart ssh. Now you can access your server using the port you just defined.
If you are using a firewall, you must make the necessary rule changes there as well. On running thenetstat -tlpncommand, you can see that your port number for SSH has changed.
3. Block Access for Users With Blank Passwords
There may be users without passwords on your system that you might’ve created accidentally. To prevent such users from accessing the servers, you can set thePermitEmptyPasswordsline value in thesshd_configfile tono.
4. Limit Login/Access Attempts
By default, you’re able to access the server by making as many password attempts as you want. However, attackers can use this vulnerability to brute-force the server.
You can automatically terminatethe SSH connectionafter a certain number of attempts by specifying the number of permitted password attempts.
For this, change theMaxAuthTriesvalue in thesshd_configfile.
5. Using SSH Version 2
The second version of SSH was released because of the many vulnerabilities in the first version. By default, you can enable the server to use the second version by adding theProtocolparameter to yoursshd_configfile.
This way, all your future connections will use the second version of SSH.
6. Turning Off TCP Port Forwarding and X11 Forwarding
Attackers can try to gain access to your other systems by port forwarding through SSH connections. To prevent this, you can turn off theAllowTcpForwardingandX11Forwardingfeatures in thesshd_configfile.
7. Connecting With an SSH Key
One of the most secure ways toconnect to your server is to use an SSH Key. When you use an SSH Key, it’s possible to access the server without a password. In addition, you can completely turn off password access to the server by changing the password-related parameters in thesshd_configfile.
When you create an SSH Key, there are two keys:PublicandPrivate. The public key is uploaded to the server you want to connect to and the private key is stored on the computer using which you will establish the connection.
Create an SSH key with thessh-keygencommand on your computer. Do not leave thePassphrasefield blank and remember the password you entered here.
If you leave it blank, you will only be able to access it with the SSH key file. However, if you set a password, you can prevent an attacker with the key file from accessing it.
As an example, you can create an SSH key with the following command:
8. IP Restrictions for SSH Connections
Most of the time, the firewall blocks access using frameworks of its standards and aims to protect the server. However, this is not always enough and you need to increase this security potential.
To do this, open the/etc/hosts.allowfile. With the additions you make to this file, you can restrict the SSH permission, allow a specific IP block, or enter a single IP and block all remaining IP addresses with the deny command.
Below you will see some sample settings. After doing these, restart the SSH service as usual to save the changes.
9. Selectively Allow Acess to Users and Groups
You can configure the sshd config file to selectively allow or disallow users and groups from SSH-ing into your server. By default, all users and groups are allowed access. This is a security risk when you’re managing a production server that shouldn’t be accessed by anyone else except those with proper clearance.
Here are the lines you need to add to allow/disallow SSH access to users and groups:
10. Set Idle Timeout Interval
If a trusted user leaves their desktop unattended with them logged into your server, an adversary with access to their computer can take advantage of it and perform malicious actions on your server.
The simplest way to counter this is to set an idle timeout interval period. After a defined period of inactivity, the server will terminate the SSH connection to the user to prevent unsolicited access in the absence or inactivity of the trusted user.
Here are the lines you need to add to your sshd config to turn this setting on:
As per the command issued in the config file, after 120 seconds of inactivity, the connection will be terminated. You can change the number to match your liking.
11. Add a Warning Banner
While this is not an active security measure, adding a warning banner can be a useful psychological tactic to ward off unwelcome guests and send the adversary on the back foot when they strive to connect to your server with malicious intent.
To add a custom warning banner, first, carefully prepare the text for the banner or grab one of the generic ones from the internet and save it to a text file. Then, add this line to your config file:
12. Enforce Strong MAC Algorithms
MAC, in the context of SSH, stands for Message Authentication Code. MAC is a cryptographic algorithm used to verify and validate data transmissions between client and server.
It’s important that you set strong MAC algorithms to ensurethe integrity and confidentiality of your data, which are two key pillars of cybersecurity. Here’s the line you need to add to your config:
13. Set LogLevel to Monitor SSH Activity
You can monitor SSH activity in varying levels of verbosity. By default, this feature may be turned off. It’s recommended you turn on this feature and set it to the basic logging level—INFOwhich will only record errors, messages, key authentication, login, and logout activity of users.
You can certainly change it to a more verbose level likeVERBOSEorDEBUGif you prefer so. Here’s the line you need to add to your sshd config file:
Now, your SSH server will generate the basic logging data which you can read by navigating to and reading the/var/log/auth.log*file on Debian/Ubuntu-based machines and/var/log/securefile on RHEL/CentOS/Fedora.
You can either view the entire logfile and navigate to parts with sshd or, usethe grep commandto filter out the contents and only read through the sshd logs.
The Importance of Linux Server Security
Data and data security issues are quite detailed and should be considered by all server administrators. Server security is a very sensitive issue as the main focus of attacks is web servers, and they contain almost all information about a system.
Since most servers run on the Linux infrastructure, it is very important to be familiar with the Linux system and server administration.
SSH security is just one of the ways to protect servers. It is possible to minimize the damage you take by stopping, blocking, or slowing an attack. Apart from providing SSH security, there are many different methods you can implement to secure your Linux servers.
If you’re running a Linux server for whatever purpose, use these hardening steps to keep it secure from hackers.
You don’t need to fork out for expensive hardware to run an AI on your PC.
Now, I actually finish the books I start.
Anyone with more than a passing interest in motorsports must see these films.
Lose your laptop without this feature, and you’ll wish you had turned it on.
You’ve been quoting these famous films wrong all along!
