Learn essential SSH security hardening practices to safeguard your server. Explore key steps like changing default ports, enabling 2FA, restricting access, and monitoring logs.
sudo nano /etc/ssh/sshd_config
Find the line Port 22 and change it to a different port (e.g., 2222):
Port 2222
Restart SSH to apply the changes:
sudo systemctl restart sshd
Before disconnecting, check if the new port is open:
ssh-keygen -t rsa -b 4096
Copy the public key to the server:
ssh-copy-id user@your_server_ip
Disable password authentication in the SSH config file:
sudo nano /etc/ssh/sshd_config
Set the following:
PasswordAuthentication no
Restart SSH:
sudo systemctl restart sshd
sudo apt-get install fail2ban
Configure Fail2Ban for SSH:
sudo nano /etc/fail2ban/jail.local
sudo systemctl restart fail2ban
Check Fail2Ban status:
sudo fail2ban-client status sshd
sudo nano /etc/ssh/sshd_config
Find the PermitRootLogin line and set it to no:
PermitRootLogin no
Restart SSH:
sudo systemctl restart sshd
sudo apt-get install libpam-google-authenticator
Run google-authenticator for each user:
google-authenticator
Edit the PAM configuration file for SSH:
sudo nano /etc/pam.d/sshd
Add the following line at the end:
auth required pam_google_authenticator.so
Then, edit the SSH config file to enable 2FA:
sudo nano /etc/ssh/sshd_config
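Set the following (OpenSSH 8.7 and later name this option KbdInteractiveAuthentication and keep the old name as a deprecated alias):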
ChallengeResponseAuthentication yes
Restart SSH:
sudo systemctl restart sshd
sudo apt-get install iptables-persistent
sudo tail -f /var/log/auth.log
Use logwatch for enhanced monitoring:
sudo nano /etc/ssh/sshd_config
Set the following:
MaxAuthTries 3
Restart SSH:
sudo systemctl restart sshd
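The script below is an added example, not part of the original guide. It checks an sshd_config file for the PasswordAuthentication, PermitRootLogin and MaxAuthTries values set in the steps above, and accounts for sshd using the first value it reads for each keyword. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original guide: check an sshd_config file for the
# values this guide sets. sshd keeps the FIRST value it reads for a keyword, so
# an earlier "PasswordAuthentication yes" beats a later "no".
# Assumptions: whitespace-separated "Keyword value" lines; Include'd drop-in
# files are not followed and must be audited separately.

# effective_value FILE KEYWORD DEFAULT -> first global value, lowercased
effective_value() {
    val=$(awk -v want="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        /^[ \t]*(#|$)/ { next }                     # skip comments and blanks
        { key = tolower($1) }
        key == "match" { exit }                     # Match blocks are conditional
        key == want    { print tolower($2); exit }  # first occurrence wins
    ' "$1")
    printf '%s\n' "${val:-$3}"                      # absent -> sshd built-in default
}

# check KEYWORD VALUE WANT -> report one setting, count a failure on mismatch
check() {
    if [ "$2" = "$3" ]; then echo "OK   $1 $2"
    else echo "FAIL $1 $2 (want $3)"; fails=$((fails + 1)); fi
}

# audit_sshd_config FILE -> prints findings; exit status = number of failures
audit_sshd_config() {
    fails=0
    check PasswordAuthentication "$(effective_value "$1" PasswordAuthentication yes)" no
    check PermitRootLogin "$(effective_value "$1" PermitRootLogin prohibit-password)" no
    tries=$(effective_value "$1" MaxAuthTries 6)
    if [ "$tries" -le 3 ]; then echo "OK   MaxAuthTries $tries"
    else echo "FAIL MaxAuthTries $tries (want 3 or lower)"; fails=$((fails + 1)); fi
    return "$fails"
}

# Constructed sample: the hardened line comes too late to take effect.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 2222
PasswordAuthentication yes
#PermitRootLogin yes
PasswordAuthentication no
MaxAuthTries 3
EOF
audit_sshd_config "$sample" || echo "$? setting(s) need attention"
rm -f "$sample"
```

Run audit_sshd_config against /etc/ssh/sshd_config after editing, and validate the syntax with sudo sshd -t before restarting sshd so a typo does not lock you out.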