OpenSSH Server Hardening

Categories

OpenSSH Server Hardening

You are here:

 

Introduction

SSH is the most common method for accessing a Linux server over a network, however this means it can be a target for malicious users to gain access to your Linux servers.

Here are a few options that can significantly make your ssh server more secure from the base configuration setup.

This article covers OpenSSH Server specifically as it is the most commonly used SSH service however a lot of these ideas can be applied to alternative SSH services such as dropbear ssh.

Suggestion 1 – Changing the SSH Port

Changing the ssh port it listens on can cause automated brute force attempts from bots to give up and move on to other targets

1) Edit the following file with your favourite text editor:

nano /etc/ssh/sshd_config

2) and change this line to a custom port number:

Port 2552

3) Restart sshd for changes to take place normally done with:

service sshd restart

Note: Make sure your firewall is open on the port you specify before doing this as not to lock yourself out.

Suggestion 2 – Disable root access

This can be used to stop the chance of unauthorised users gaining root access straight away, often root access can be disabled already on distro’s such as Ubuntu.

1) Edit

nano /etc/ssh/sshd_config

2) and change this line:

PermitRootLogin no

3) Restart sshd for changes to take place.

You can then set up sudo access or use the su command to change to root once you have logged in as a standard user.

Suggestion 3 – Key Authentication

You can take out password authentication completely to eliminate brute password login attempts. Clients who want to log in using key authentication will need to create an ssh keypair first on their machine.

Then you will need to add the ssh public key into the authorised_keys file for the user they want to log in to:

1) Make sure these options is set in /etc/ssh/sshd_config:

PubkeyAuthentication yes
PasswordAuthentication no

2) Restart sshd.

Note – this will turn off password authentication and allow key authentication only. Test that the user can now log in using their ssh key instead of a password.

Suggestion 4 – Restrict SSH Access by IP

Again within the /etc/ssh/sshd_config file you can add the following to restrict access to the IPs shown.

Match address 1.2.3.4/32 192.168.1.0/24
PasswordAuthentication yes

Or by user

Match user simpleuser
PasswordAuthentication yes
Previous Monitoring Linux Software RAID
Next SSH Key Authentication
Table of Contents