> ## Documentation Index
> Fetch the complete documentation index at: https://docs.edisglobal.com/llms.txt
> Use this file to discover all available pages before exploring further.

# SSH Security Hardening Guide

> Essential SSH hardening practices for your VPS: change default ports, enable key authentication and 2FA, restrict root access, and monitor SSH login logs.

## SSH security hardening guide

## Strengthening SSH security

Secure Shell (SSH) is a fundamental tool for server management, providing encrypted communication for remote access. However, it’s also a common target for cyberattacks. Implementing basic SSH security measures is essential to protect your server from unauthorized access and brute-force attacks.

This guide begins with foundational security practices and progresses to advanced techniques for a comprehensive approach to hardening your SSH setup. Whether you’re a beginner or an experienced administrator, this guide will help you secure your server effectively.

## Basic SSH security measures

For those just starting, here are a few simple yet crucial steps to secure your SSH connection:

**Change the Default SSH Port**:

* By default, SSH listens on port 22, a known target for attackers. Changing it to a non-standard port reduces the likelihood of brute-force attacks.
  **Disable Root Login**:

* Direct root access is a significant risk. Use a regular user account with sudo privileges instead.
  **Enable SSH Key Authentication**:

* Replace password-based logins with SSH keys for enhanced security. This method ensures only users with the private key can access the server.
  **Limit Failed Login Attempts**:

* Install tools like Fail2Ban to block IP addresses after a set number of unsuccessful login attempts.
  **Keep Your System Updated**:

* Regularly update your server and SSH software to patch vulnerabilities and improve overall security.

By starting with these basic practices, you’ll lay a strong foundation for SSH security. The following sections will build on these principles with advanced strategies to further harden your server against sophisticated threats.

## 1. Change the default SSH port

The default SSH port (port 22) is one of the primary targets for brute-force attacks. Changing the port can be the first step to improving security.

Steps:

**Edit the SSH configuration file:**

`sudo nano /etc/ssh/sshd_config`

**Find the line Port 22 and change it to a different port (e.g., 2222):**

` Port 2222`

**Restart SSH to apply the changes:**

` sudo systemctl restart sshd`

**Before disconnecting, check if the new port is open:**

```bash theme={"system"}
sudo ufw allow 2222/tcp
sudo ufw enable
```

## 2. Use SSH key authentication instead of passwords

SSH key authentication is much more secure than using passwords, as it prevents brute-force attacks.

Steps:

**Generate an SSH key pair (if you don't already have one):**

` ssh-keygen -t rsa -b 4096`

**Copy the public key to the server:**

` ssh-copy-id user@your_server_ip`

**Disable password authentication in the SSH config file:**

` sudo nano /etc/ssh/sshd_config`

**Set the following:**

` PasswordAuthentication no`

**Restart SSH:**

` sudo systemctl restart sshd`

## 3. Install and configure Fail2Ban to prevent brute force attacks

**Fail2Ban** is a tool that detects brute-force attacks and blocks suspicious IP addresses.

Steps:

**Install Fail2Ban:**

` sudo apt-get install fail2ban`

**Configure Fail2Ban for SSH:**

* Edit the jail.local file:

`sudo nano /etc/fail2ban/jail.local`

* Add or edit the \[sshd] section as follows:

```bash theme={"system"}
[sshd]
enabled = true
port = 2222
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 600
```

* Set the correct port for SSH (e.g., 2222).

**Restart Fail2Ban:**

` sudo systemctl restart fail2ban`

**Check Fail2Ban status:**

` sudo fail2ban-client status sshd`

## 4. Disable root login via SSH

Allowing root login via SSH is a security risk. It's better to disable root login and use a regular user account with sudo privileges.

Steps:

**Edit the SSH config file:**

` sudo nano /etc/ssh/sshd_config`

**Find the PermitRootLogin line and set it to no:**

` PermitRootLogin no`

**Restart SSH:**

` sudo systemctl restart sshd`

## 5. Enable Two-Factor authentication (2FA) for SSH

Adding two-factor authentication (2FA) to SSH adds an extra layer of security. Even if an attacker guesses your password, they will need an additional code to log in.

Steps:

**Install pam\_google\_authenticator:**

` sudo apt-get install libpam-google-authenticator`

**Run google-authenticator for each user:**

` google-authenticator`

**Edit the PAM configuration file for SSH:**

` sudo nano /etc/pam.d/sshd`

**Add the following line at the end:**

` auth required pam_google_authenticator.so`

**Then, edit the SSH config file to enable 2FA:**

` sudo nano /etc/ssh/sshd_config`

**Set the following:**

` ChallengeResponseAuthentication yes`

**Restart SSH:**

` sudo systemctl restart sshd`

## 6. Restrict SSH access to specific IP addresses

Limiting SSH access to specific IP addresses greatly improves security.

Steps:

**Use iptables to allow SSH access only from a specific IP address:**

```bash theme={"system"}
sudo iptables -A INPUT -p tcp -s YOUR_TRUSTED_IP --dport 2222 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 2222 -j DROP
```

**To make iptables rules persistent:**

` sudo apt-get install iptables-persistent`

## 7. Monitor SSH logs and status

Regularly checking SSH logs and monitoring the status can help you detect any suspicious activity.

Steps:

**Check SSH logs:**

` sudo tail -f /var/log/auth.log`

**Use logwatch for enhanced monitoring:**

```bash theme={"system"}
sudo apt-get install logwatch
sudo logwatch --detail High --service sshd --range today
```

## 8. Use security tools to scan for threats

Tools like **Lynis** and **RKHunter** can help detect security vulnerabilities and threats.

Steps:

**Install Lynis:**

```bash theme={"system"}
sudo apt-get install lynis
sudo lynis audit system
```

**Install RKHunter:**

```bash theme={"system"}
sudo apt-get install rkhunter
sudo rkhunter --check
```

## 9. Limit SSH authentication retries

Limiting the number of failed SSH login attempts can prevent brute-force attacks.

Steps:

**Edit the sshd\_config file:**

` sudo nano /etc/ssh/sshd_config`

**Set the following:**

` MaxAuthTries 3`

**Restart SSH:**

` sudo systemctl restart sshd`

## 10. Use SSH key agent

To avoid repeatedly entering passwords or SSH keys when connecting, you can use **SSH Key Agent**, which automatically loads your SSH keys.

Steps:

**Add your SSH keys to the agent:**

```bash theme={"system"}
eval $(ssh-agent)
ssh-add ~/.ssh/id_rsa
```

By following these steps, you can significantly improve the security of your SSH connections and protect your server from unauthorized access.
