How to Secure SSH?
SSH stands for Secure Shell. The term “SSH” refers to either the SSH protocol or the software tools that enable system administrators and users to establish secure connections to distant systems through that protocol. It is an encrypted protocol for establishing a secure connection over an unsecured network, such as the internet. An SSH server listens for incoming connections on TCP port 22 by default. Hackers and malicious bots target this port because it is a standardized, well-known port.
In this article, I will introduce you to some important security practices which will help you to increase the level of security in your SSH server.
Use SSH Keys for Authentication
To add an SSH key pair, first create a hidden folder in your user account's home directory on your cloud server with the following commands.
$ mkdir -p ~/.ssh
$ chmod 700 ~/.ssh
However, because the keys are kept in your user’s home directory, each user who wants to utilize SSH keys for authentication must repeat these procedures on their own profile.
1. Generate A Key Pair
$ ssh-keygen -t ed25519 -C "firstname.lastname@example.org"
The choice is between RSA 2048/4096 and Ed25519 and the trade-off is between performance and compatibility. RSA is universally supported among SSH clients while EdDSA performs much faster and provides the same level of security with significantly smaller keys.
2. Copy the public key to the server
$ ssh-copy-id -i ~/.ssh/id_ed25519.pub test@A.B.C.D
When asked, type your SSH server user account password. You may now use the key pair to access your server.
Secure sshd Config
Use your favourite text editor to change the configuration. All of the settings below are changed in one file, i.e. /etc/ssh/sshd_config
Change SSH Port
The standard port for SSH connections is 22. Using a different port gives a layer of protection to your system through obscurity.
Disable Password Authentication
After you have copied your public key to the server, your next step is to disable the password authentication for security.
Reject Connection Requests With No Password
The default setting for SSH is to accept connection requests without passwords. We can change that in the same file and ensure all connections are authenticated.
Enable New Protocol
Version 2 is not backward compatible with version 1 because of the numerous modifications and enhancements, particularly in the areas of encryption and security. You can specify that your computer will only accept connections from version 2 clients to block connections from version 1 clients.
Disable Root Login
The first thing to configure to secure the SSH server is to disable root login to the server. Root is the superuser account in Linux and Unix; it has the highest access rights on the system and needs to be secured.
Disable X11 Forwarding
Over an SSH session, X11 forwarding allows remote users to execute graphical apps from your server. A GUI interface can help a hacker or malicious user accomplish their nefarious goals.
Disable Any Types of Forwarding
- AllowTcpForwarding specifies whether TCP forwarding is permitted.
- GatewayPorts controls whether hosts outside the server computer may connect to forwarded ports.
- PermitTunnel is for tunnel devices, which are like virtual network interfaces. They can be used e.g. for VPN connections via SSH, so all traffic to the target network is routed via the tunnel.
- AllowStreamLocalForwarding allows Unix domain sockets to be forwarded.
We need to disable all of these options in order to secure the server.
This is how my current configuration stands.
Under authentication, change the maximum authentication tries (MaxAuthTries) and maximum sessions (MaxSessions) to the following.
Restart sshd server
Once all the configuration changes have been made, save your changes and restart the ssh daemon.
$ sudo systemctl restart sshd
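To confirm that the settings from the sshd Config section are actually in effect, the following added example (not code from the original article) audits a configuration file against them. The function name audit_sshd and the sample config are constructed for illustration; MaxAuthTries and MaxSessions are not checked because the article's values for them are not shown, and only the global section before any Match block is read.

```bash
#!/usr/bin/env bash
# Added example (not from the article): check sshd settings against the steps above.
# $1 is a file of "keyword value" lines: /etc/ssh/sshd_config, or better, the
# effective configuration saved with `sudo sshd -T > file`.
audit_sshd() {
  awk '
    BEGIN {
      # Options the article says to disable.
      list = "passwordauthentication permitemptypasswords permitrootlogin x11forwarding"
      list = list " allowtcpforwarding gatewayports permittunnel allowstreamlocalforwarding"
      n = split(list, want, " ")
    }
    NF == 0 || $1 ~ /^#/ { next }                 # blank lines and comments
    {
      key = tolower($1); val = tolower($2)        # keywords are case-insensitive
      if (key == "match") exit                    # audit the global section only
      if (key == "port") { nports++; if (val == "22") default_port = 1; next }
      if (!(key in seen)) seen[key] = val         # sshd keeps the first value it reads
    }
    END {
      for (i = 1; i <= n; i++) {
        k = want[i]
        if (!(k in seen)) { print "WARN " k " is not set, the built-in default applies"; bad++ }
        else if (seen[k] != "no") { print "FAIL " k " is " seen[k] ", expected no"; bad++ }
      }
      if (nports == 0 || default_port) { print "FAIL sshd still listens on port 22"; bad++ }
      exit (bad > 0)                              # status 1 when anything was reported
    }
  ' "$1"
}

# Constructed sample: a config that has only been partly hardened.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 2222
PermitRootLogin prohibit-password
PasswordAuthentication no
permitemptypasswords no
X11Forwarding yes
X11Forwarding no
AllowTcpForwarding no
GatewayPorts no
PermitTunnel no
EOF
audit_sshd "$sample" || echo "findings above; fix them, then restart sshd"
rm -f "$sample"
```

Running it against the saved output of `sudo sshd -T` rather than the file itself also covers values that come from included files or built-in defaults.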