10 Steps to Secure Your SSH Server
First, locate the main OpenSSH server configuration file, since most of the tips below are modifications to it. On most Linux distributions it is found at:
/etc/ssh/sshd_config
1. Use a different port than 22.
Edit your sshd_config file and set a port other than 22:
Port 227
This cuts down on the automated brute-force attempts that target the default SSH port. It only hides the service from casual scans rather than hardening it, so combine it with the steps below.
2. Use Protocol SSH 2 only.
Almost all Linux distributions already ship with protocol 2 as the default, but always make sure it is set:
Protocol 2
SSH protocol 1 is very insecure: it allows man-in-the-middle attacks and has many known vulnerabilities.
3. Disable root login.
Direct root logins are insecure by default, even more so if the root password is weak. The best way to protect against direct root logins is to require a regular user to log in via SSH first, and then switch to root only if it is really necessary.
Add the regular user for the SSH connection and set a password for it:
useradd john
passwd john
Edit the sshd_config file and set:
PermitRootLogin no
AllowUsers john   # if this line doesn't exist, just add it
This disables root login and allows only user “john” to log in via SSH; once logged in he can run a simple ‘su -’ to become root.
4. Avoid listening on all interfaces.
By default, the SSH server listens on all network interfaces. Restrict this so that SSH listens only on one predefined interface:
ListenAddress XX.XX.XX.XX
Replace “XX.XX.XX.XX” with your real server IP.
5. Address misc security options
Apply the following changes to your sshd_config file. StrictModes makes the SSH server check the ownership and permissions of the user’s home directory and authentication files (for example .rhosts) before accepting the login:
StrictModes yes
LoginGraceTime defines how long (in seconds) the SSH server waits before disconnecting a client that has not successfully logged in:
LoginGraceTime 120
If you don’t need port forwarding, set this to ‘no’:
AllowTcpForwarding no
You don’t need any X11 stuff if you are a terminal-only nerd:
X11Forwarding no
Print the date and host of the last login when a connection is established:
PrintLastLog yes
Disable logins to accounts with empty passwords:
PermitEmptyPasswords no
Set up your welcome banner by editing the /etc/motd file; add the text you need, and it will be displayed on your next shell logins (local and remote). Example:
[user@localhost ~]$ ssh user@remotehost.com
Last login: Sat Oct 31 09:11:53 2015 from XX.XX.XX.XX
ALERT! You are entering a secured area! Your IP and login information have been recorded. System administration has been notified.
This system is restricted to authorized access only. All activities on this system are recorded and logged. Unauthorized access will be fully investigated and reported to the appropriate law enforcement agencies.
[user@remotehost ~]$
6. Use public keys instead of passwords.
Check out this tutorial on how to log into an SSH server using public keys: SSH Login without passwords using public keys. After you have confirmed that public-key access works, edit your sshd_config file and disable password authentication:
PasswordAuthentication no
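Steps 1 to 6 are all edits to the same file, so here is an added example (not part of the original article) of a small POSIX shell auditor that reads an sshd_config and reports which of those settings are actually in effect. It assumes the standard keyword/value syntax and the rule that, outside Match blocks, the first occurrence of a keyword wins; the sample configuration it audits is constructed for the demo.

```shell
#!/bin/sh
# Added example: audit an sshd_config against the settings from steps 1-6.
# Point audit_sshd_config at /etc/ssh/sshd_config for a real check.

# Print the effective value of a keyword. sshd keywords are case-insensitive
# and, outside Match blocks, the FIRST uncommented occurrence wins, so we take
# the first match and stop at the first "Match" line (conditional directives).
sshd_get() {
  # $1 = config file, $2 = keyword
  awk -v key="$2" '
    /^[[:space:]]*#/ { next }
    NF == 0 { next }
    tolower($1) == "match" { exit }
    tolower($1) == tolower(key) { print $2; exit }
  ' "$1"
}

# Compare one keyword with an expected value (case-insensitive); print a
# PASS/FAIL line and return 0 on pass, 1 on fail.
sshd_expect() {
  # $1 = config file, $2 = keyword, $3 = expected value
  actual=$(sshd_get "$1" "$2")
  if [ "$(printf '%s' "$actual" | tr 'A-Z' 'a-z')" = "$(printf '%s' "$3" | tr 'A-Z' 'a-z')" ]; then
    printf 'PASS %-24s %s\n' "$2" "$actual"
    return 0
  fi
  printf 'FAIL %-24s got "%s", want "%s"\n' "$2" "${actual:-<unset>}" "$3"
  return 1
}

# Run every check; print one line per check and return the number of failures.
audit_sshd_config() {
  fails=0
  sshd_expect "$1" Protocol 2               || fails=$((fails + 1))
  sshd_expect "$1" PermitRootLogin no       || fails=$((fails + 1))
  sshd_expect "$1" PasswordAuthentication no || fails=$((fails + 1))
  sshd_expect "$1" PermitEmptyPasswords no  || fails=$((fails + 1))
  sshd_expect "$1" StrictModes yes          || fails=$((fails + 1))
  sshd_expect "$1" X11Forwarding no         || fails=$((fails + 1))
  sshd_expect "$1" AllowTcpForwarding no    || fails=$((fails + 1))
  # Step 1: any explicitly set port other than the default 22 passes.
  port=$(sshd_get "$1" Port)
  if [ -n "$port" ] && [ "$port" != "22" ]; then
    printf 'PASS %-24s %s\n' Port "$port"
  else
    printf 'FAIL %-24s got "%s", want a non-default port\n' Port "${port:-22 (default)}"
    fails=$((fails + 1))
  fi
  return "$fails"
}

# Constructed sample: partly hardened, with a common mistake (a directive that
# is still commented out, so the default still applies).
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
Port 227
Protocol 2
PermitRootLogin no
AllowUsers john
StrictModes yes
LoginGraceTime 120
X11Forwarding no
#PasswordAuthentication no
Match User john
    PasswordAuthentication no
EOF

rc=0
audit_sshd_config "$SAMPLE" || rc=$?
echo "failures: $rc"
```

The sample audit reports three failures: PasswordAuthentication (only set inside a Match block, so it does not apply globally), PermitEmptyPasswords and AllowTcpForwarding (both unset). After editing the real file, run `sshd -t` to have sshd validate the syntax before you restart it, so a typo cannot lock you out.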
7. Limit connections using TCPWrappers.
TCP wrappers are one of the best ways to secure your SSH server by setting who can connect to which services. ONLY use this if you have a static IP address from your internet provider. If you have a dynamic IP and use TCP wrappers, you will probably lock yourself out of your server.
Edit the /etc/hosts.allow file and add this line to allow connections only from your own address (replace “XX.XX.XX.XX” with your real public IP):
sshd : XX.XX.XX.XX
Then, in the /etc/hosts.deny file, deny all other incoming SSH connections:
sshd : ALL
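Because a wrong pair of rules locks you out, it helps to know exactly how these two files are evaluated: hosts.allow is consulted first (a match grants access), then hosts.deny (a match refuses it), and anything matching neither is allowed. The following is an added example, not code from the article or from libwrap: a simplified re-implementation of that decision, run against constructed files, covering only the pattern forms used above (exact IPs, ALL, and a network prefix ending in a dot). One caveat for current systems: OpenSSH removed its built-in libwrap support in version 6.7, so on recent distributions hosts.allow and hosts.deny no longer affect sshd at all; use the firewall (step 8) or an sshd `Match Address` block instead.

```shell
#!/bin/sh
# Added example: a minimal model of the libwrap access decision.
# Supports the forms from step 7 only: "ALL", an exact IPv4 address, and a
# network prefix ending in "." such as "10.0.0." (real libwrap also handles
# netmasks, hostnames, EXCEPT lists and more).

# Does one client_list pattern match the client address?
wrap_match() {
  # $1 = pattern, $2 = client IP
  case "$1" in
    ALL) return 0 ;;
    *.)  case "$2" in "$1"*) return 0 ;; esac; return 1 ;;
    *)   [ "$1" = "$2" ] ;;
  esac
}

# Does any rule "daemon_list : client_list" in the file match daemon+client?
wrap_file_allows() {
  # $1 = file, $2 = daemon name, $3 = client IP
  [ -f "$1" ] || return 1
  rules=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1")   # drop comments/blanks
  while IFS=: read -r daemons clients; do
    for d in $(printf '%s' "$daemons" | tr ',' ' '); do
      [ "$d" = ALL ] || [ "$d" = "$2" ] || continue
      for c in $(printf '%s' "$clients" | tr ',' ' '); do
        wrap_match "$c" "$3" && return 0
      done
    done
  done <<EOF
$rules
EOF
  return 1
}

# libwrap order: allow file first, then deny file, otherwise allow.
wrap_decide() {
  # $1 = daemon, $2 = client IP, $3 = hosts.allow path, $4 = hosts.deny path
  if wrap_file_allows "$3" "$1" "$2"; then echo allow; return 0; fi
  if wrap_file_allows "$4" "$1" "$2"; then echo deny;  return 1; fi
  echo allow
  return 0
}

# Constructed sample files mirroring step 7, with one extra network prefix.
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/hosts.allow" <<'EOF'
# admin workstation and the office LAN
sshd : 203.0.113.10, 10.0.0.
EOF
cat > "$TMP/hosts.deny" <<'EOF'
sshd : ALL
EOF

for ip in 203.0.113.10 10.0.0.42 198.51.100.7; do
  printf '%-15s sshd -> %s\n' "$ip" "$(wrap_decide sshd "$ip" "$TMP/hosts.allow" "$TMP/hosts.deny")"
done
# A daemon not named in hosts.deny falls through to the default: allow.
printf '%-15s ftpd -> %s\n' 198.51.100.7 "$(wrap_decide ftpd 198.51.100.7 "$TMP/hosts.allow" "$TMP/hosts.deny")"
```

The last line of output is the point to notice: `sshd : ALL` in hosts.deny only protects sshd, so a service you forgot to list stays reachable from everywhere.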
8. Limit SSH connections using a Firewall.
If you are using an iptables-based firewall such as CSF, you can limit incoming SSH connections and set how many login failures are allowed before the source address gets blocked:
Edit /etc/csf/csf.conf and set:
LF_SSHD = "5"
Restart the firewall to apply changes:
csf -r
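What a login-failure daemon such as CSF does behind `LF_SSHD = "5"` is count failed SSH authentications per source address in the auth log and block a source once it crosses the threshold. As an added example (not CSF's code), the script below does the counting part over a few constructed OpenSSH log lines, so you can see what the threshold acts on and reproduce the check by hand on /var/log/auth.log or /var/log/secure.

```shell
#!/bin/sh
# Added example: count "Failed password" events per source IP in sshd log
# lines and report the sources at or above a threshold (the LF_SSHD analogue).

# Constructed sample log: one noisy source, one mistyped password before a
# successful key login, and a second source with two failures.
LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
Oct 31 09:10:01 host sshd[2201]: Failed password for invalid user admin from 198.51.100.23 port 51522 ssh2
Oct 31 09:10:03 host sshd[2203]: Failed password for root from 198.51.100.23 port 51530 ssh2
Oct 31 09:10:05 host sshd[2205]: Failed password for root from 198.51.100.23 port 51541 ssh2
Oct 31 09:10:07 host sshd[2207]: Failed password for invalid user test from 198.51.100.23 port 51550 ssh2
Oct 31 09:10:09 host sshd[2209]: Failed password for root from 198.51.100.23 port 51561 ssh2
Oct 31 09:10:20 host sshd[2211]: Failed password for john from 203.0.113.10 port 40011 ssh2
Oct 31 09:10:25 host sshd[2211]: Accepted publickey for john from 203.0.113.10 port 40011 ssh2
Oct 31 09:11:53 host sshd[2215]: Failed password for invalid user oracle from 192.0.2.77 port 33001 ssh2
Oct 31 09:11:54 host sshd[2216]: Failed password for invalid user oracle from 192.0.2.77 port 33002 ssh2
EOF

# Print "count ip" for every source with failed password attempts, highest first.
ssh_failures_by_ip() {
  # $1 = log file
  awk '/sshd\[[0-9]+\]: Failed password/ {
         # the address is the field right after "from"
         for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
       }
       END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# Print the sources whose failure count reaches the threshold.
ssh_offenders() {
  # $1 = log file, $2 = threshold (CSF: LF_SSHD)
  ssh_failures_by_ip "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

echo "failed password attempts per source:"
ssh_failures_by_ip "$LOG"
echo "sources at or over the LF_SSHD threshold of 5:"
ssh_offenders "$LOG" 5
```

Only 198.51.100.23 reaches five failures; john's single typo and the two attempts from 192.0.2.77 stay below the threshold, which is exactly why the limit is set above 1: a legitimate user mistyping a password must not trigger a block.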
9. Activate Port Knocking.
Port knocking is a technique in which a remote host must first “knock” on a predefined sequence of ports on the SSH server before the firewall lets it establish an SSH connection. Follow this tutorial to activate port knocking in your iptables rules: How to enable Port Knocking on CentOS
10. Integrate Google Authenticator.
Two-factor authentication is here to stay. It is widely used for web-based logins, and you can also integrate two-step authentication into your SSH logins. Check out these tutorials:
- For Ubuntu/Debian
- For CentOS/RHEL
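The tutorials linked above wire the Google Authenticator PAM module into sshd; what that module actually checks at the SSH prompt is a time-based one-time password (TOTP, RFC 6238) derived from a shared secret and the current 30-second time step. The following is an added example, not code from the article or from the google-authenticator project: a POSIX shell implementation of that computation using the `openssl` command, with a verifier that accepts the current code and one step either side (the module's default window_size of 3 codes absorbs small clock drift). The key is the RFC 6238 reference secret written as hex; the real module stores the secret base32-encoded in ~/.google_authenticator, and it additionally remembers used codes to block replay, which this example omits.

```shell
#!/bin/sh
# Added example: TOTP (RFC 6238 over HMAC-SHA1, RFC 4226) as verified by
# pam_google_authenticator. Requires the openssl command-line tool.
command -v openssl >/dev/null || { echo "openssl is required" >&2; exit 1; }

# totp HEXKEY UNIXTIME [STEP] [DIGITS]  -> prints the one-time code
totp() {
  hexkey=$1; now=$2; step=${3:-30}; digits=${4:-6}
  counter=$(( now / step ))
  # 8-byte big-endian counter, built as octal escapes so printf emits raw bytes
  msg=""
  i=7
  while [ "$i" -ge 0 ]; do
    byte=$(( (counter >> (8 * i)) & 255 ))
    msg="$msg$(printf '\\%03o' "$byte")"
    i=$(( i - 1 ))
  done
  # HMAC-SHA1(secret, counter) as 40 hex characters
  mac=$(printf "$msg" | openssl dgst -sha1 -mac HMAC -macopt "hexkey:$hexkey" | sed 's/^.*= //')
  # dynamic truncation: the low nibble of the last byte selects a 4-byte window
  nib=$(printf '%s' "$mac" | cut -c40)
  offset=$(( 0x$nib ))
  start=$(( offset * 2 + 1 ))
  word=$(printf '%s' "$mac" | cut -c "$start-$(( start + 7 ))")
  mod=1; d=0
  while [ "$d" -lt "$digits" ]; do mod=$(( mod * 10 )); d=$(( d + 1 )); done
  printf "%0${digits}d\n" $(( (0x$word & 0x7fffffff) % mod ))
}

# totp_verify HEXKEY UNIXTIME CODE -> 0 if CODE matches the current step or
# the step just before/after it (a window of three codes), 1 otherwise.
totp_verify() {
  hexkey=$1; now=$2; code=$3
  for delta in -30 0 30; do
    [ "$(totp "$hexkey" $(( now + delta )))" = "$code" ] && return 0
  done
  return 1
}

# RFC 6238 reference secret "12345678901234567890" as hex.
KEY=3132333435363738393031323334353637383930
echo "code at t=59: $(totp "$KEY" 59)"
echo "code at t=1111111109 (8 digits): $(totp "$KEY" 1111111109 30 8)"
if totp_verify "$KEY" 89 "$(totp "$KEY" 59)"; then echo "previous-step code accepted"; fi
if ! totp_verify "$KEY" 200 "$(totp "$KEY" 59)"; then echo "stale code rejected"; fi
```

The two 8-digit values match the RFC 6238 test vectors (94287082 at t=59, 07081804 at t=1111111109), which is a quick way to confirm the HMAC and truncation steps are right before trusting any hand-rolled implementation; for the PAM module itself only the six-digit form matters.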