OpenSSH Server Hardening
SSH is the most common method for accessing a Linux server over a network, however this means it can be a target for malicious users to gain access to your Linux servers.
Here are a few options that can significantly make your ssh server more secure from the base configuration setup.
This article covers OpenSSH Server specifically as it is the most commonly used SSH service however a lot of these ideas can be applied to alternative SSH services such as dropbear ssh.
Suggestion 1 – Changing the SSH Port
Changing the ssh port it listens on can cause automated brute force attempts from bots to give up and move on to other targets
1) Edit the following file with your favourite text editor:
2) and change this line to a custom port number:
3) Restart sshd for changes to take place normally done with:
service sshd restart
Note: Make sure your firewall is open on the port you specify before doing this as not to lock yourself out.
Suggestion 2 – Disable root access
This can be used to stop the chance of unauthorised users gaining root access straight away, often root access can be disabled already on distro’s such as Ubuntu.
2) and change this line:
3) Restart sshd for changes to take place.
You can then set up sudo access or use the su command to change to root once you have logged in as a standard user.
Suggestion 3 – Key Authentication
You can take out password authentication completely to eliminate brute password login attempts. Clients who want to log in using key authentication will need to create an ssh keypair first on their machine.
Then you will need to add the ssh public key into the authorised_keys file for the user they want to log in to:
1) Make sure these options is set in /etc/ssh/sshd_config:
PubkeyAuthentication yes PasswordAuthentication no
2) Restart sshd.
Note – this will turn off password authentication and allow key authentication only. Test that the user can now log in using their ssh key instead of a password.
Suggestion 4 – Restrict SSH Access by IP
Again within the /etc/ssh/sshd_config file you can add the following to restrict access to the IPs shown.
Match address 220.127.116.11/32 192.168.1.0/24 PasswordAuthentication yes
Or by user
Match user simpleuser PasswordAuthentication yes