Securing an SSH connection on your Linux server is crucial to safeguarding your system from unauthorized access and potential threats. SSH, or Secure Shell, is widely used for remote administration, but it can be a target for malicious attacks if not properly secured. This guide outlines the best practices for enhancing SSH security on your Linux server.
TL;DR
- Change the Default SSH Port: Switch from port 22 to a non-standard port to reduce automated attacks.
- Use Strong Passwords: Enforce password policies to protect against brute-force attacks.
- Disable Root Login: Prevent direct root access to increase security.
- Use SSH Key-Based Authentication: Switch to key-based authentication for better security.
- Disable Password Authentication: After setting up key-based authentication, turn off password logins.
- Limit User Logins: Restrict SSH access to specific users or groups.
- Use a Firewall: Only allow SSH connections from specific IP addresses.
- Install and Configure Fail2Ban: Protect against brute-force attacks by banning suspicious IPs.
- Enable Two-Factor Authentication (2FA): Add an extra layer of security with 2FA.
- Monitor SSH Logs: Regularly check logs to detect and respond to suspicious activities.
1. Change the Default SSH Port
One of the simplest yet effective ways to reduce the risk of automated attacks is by changing the default SSH port from 22 to a non-standard port.
Steps to Change the SSH Port:
- Open the SSH configuration file:
- Find the line:
- Uncomment the line and change the port number, for example, to
2222: - Restart the SSH service to apply the changes:
sudo nano /etc/ssh/sshd_config#Port 22Port 2222sudo systemctl restart sshd2. Use Strong Password Authentication
To protect against brute-force attacks, ensure that all users have strong, complex passwords.
Steps to Enforce Strong Password Policies:
- Open the password quality configuration file:
- Set password policies by adding or updating the following lines:
sudo nano /etc/security/pwquality.conf
minlen = 12
dcredit = -1
ucredit = -1
ocredit = -1
lcredit = -1
These settings enforce a minimum password length of 12 characters and require at least one digit, one uppercase letter, one lowercase letter, and one special character.
3. Disable Root Login
Disabling root login prevents attackers from directly accessing the root account, adding an extra layer of security.
Steps to Disable Root Login:
- Edit the SSH configuration file:
- Find the line:
- Change it to:
- Restart the SSH service:
sudo nano /etc/ssh/sshd_configPermitRootLogin yesPermitRootLogin nosudo systemctl restart sshd4. Use SSH Key-Based Authentication
Key-based authentication is more secure than password-based authentication, as it requires an SSH key pair instead of a password.
Steps to Set Up SSH Key-Based Authentication:
- Generate a key pair on your client machine:
- Copy the public key to your server:
- Ensure the correct permissions on the server:
ssh-keygen -t rsa -b 4096ssh-copy-id user@server_ip
chmod 600 ~/.ssh/authorized_keys
chmod 700 ~/.ssh
5. Disable Password Authentication
Once key-based authentication is set up, disable password authentication to further secure your SSH connection.
Steps to Disable Password Authentication:
- Edit the SSH configuration file:
- Find the line:
- Uncomment it and change
yestono: - Restart the SSH service:
sudo nano /etc/ssh/sshd_config#PasswordAuthentication yesPasswordAuthentication nosudo systemctl restart sshd6. Limit User Logins
Restrict SSH access to specific users or groups to minimize the risk of unauthorized access.
Steps to Limit SSH User Logins:
- Edit the SSH configuration file:
- To allow specific users:
- Or, to allow specific groups:
- Restart the SSH service:
sudo nano /etc/ssh/sshd_configAllowUsers user1 user2AllowGroups sshuserssudo systemctl restart sshd7. Use a Firewall
A firewall can be configured to allow only specific IP addresses to connect to your SSH port, further securing your connection.
Steps to Configure a Firewall for SSH:
- For ufw (Uncomplicated Firewall):
- For iptables:
sudo ufw allow 2222/tcpsudo ufw enablesudo iptables -A INPUT -p tcp --dport 2222 -j ACCEPT8. Install and Configure Fail2Ban
Fail2Ban is a tool that helps protect against brute-force attacks by banning IP addresses that exhibit suspicious behavior.
Steps to Install and Configure Fail2Ban:
- Install Fail2Ban:
- Copy the default configuration file:
- Edit the Fail2Ban configuration:
- Ensure the
[sshd]section is enabled: - Restart Fail2Ban:
sudo apt-get install fail2bansudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.localsudo nano /etc/fail2ban/jail.local
[sshd]
enabled = true
port = 2222
sudo systemctl restart fail2ban9. Enable Two-Factor Authentication (2FA)
Adding 2FA provides an additional layer of security, requiring a one-time code in addition to the SSH key.
Steps to Enable 2FA for SSH:
- Install Google Authenticator:
- Run the Google Authenticator setup:
- Configure PAM (Pluggable Authentication Module) to require 2FA:
- Add this line:
- Enable challenge-response authentication:
- Change the line:
- Restart the SSH service:
sudo apt-get install libpam-google-authenticatorgoogle-authenticatorsudo nano /etc/pam.d/sshdauth required pam_google_authenticator.sosudo nano /etc/ssh/sshd_configChallengeResponseAuthentication yessudo systemctl restart sshd10. Monitor SSH Logs
Regularly monitoring your SSH logs helps you detect and respond to any suspicious activities.
Steps to Monitor SSH Logs:
- View SSH logs in real-time:
sudo tail -f /var/log/auth.logConclusion
Securing SSH on your Linux server is critical to protecting your system from unauthorized access. By implementing these best practices, including changing the default SSH port, using strong passwords, and enabling key-based authentication, you can significantly enhance your server’s security.