SSH Security Hardening Guide

Strengthening SSH Security

Secure Shell (SSH) is a fundamental tool for server management, providing encrypted communication for remote access. However, it’s also a common target for cyberattacks. Implementing basic SSH security measures is essential to protect your server from unauthorized access and brute-force attacks. This guide begins with foundational security practices and progresses to advanced techniques for a comprehensive approach to hardening your SSH setup. Whether you’re a beginner or an experienced administrator, this guide will help you secure your server effectively.

Basic SSH Security Measures

For those just starting, here are a few simple yet crucial steps to secure your SSH connection: Change the Default SSH Port:
  • By default, SSH listens on port 22, a known target for attackers. Changing it to a non-standard port reduces the likelihood of brute-force attacks. Disable Root Login:
  • Direct root access is a significant risk. Use a regular user account with sudoprivileges instead. Enable SSH Key Authentication:
  • Replace password-based logins with SSH keys for enhanced security. This method ensures only users with the private key can access the server. Limit Failed Login Attempts:
  • Install tools like Fail2Ban to block IP addresses after a set number of unsuccessful login attempts. Keep Your System Updated:
  • Regularly update your server and SSH software to patch vulnerabilities and improve overall security.
By starting with these basic practices, you’ll lay a strong foundation for SSH security. The following sections will build on these principles with advanced strategies to further harden your server against sophisticated threats.

1. Change the Default SSH Port

The default SSH port (port 22) is one of the primary targets for brute-force attacks. Changing the port can be the first step to improving security. Steps: Edit the SSH configuration file: sudo nano /etc/ssh/sshd_config Find the line Port 22 and change it to a different port (e.g., 2222): Port 2222 Restart SSH to apply the changes: sudo systemctl restart sshd Before disconnecting, check if the new port is open: 
sudo ufw allow 2222/tcp
sudo ufw enable

2. Use SSH Key Authentication Instead of Passwords

SSH key authentication is much more secure than using passwords, as it prevents brute-force attacks. Steps: Generate an SSH key pair (if you don’t already have one): ssh-keygen -t rsa -b 4096 Copy the public key to the server: ssh-copy-id user@your_server_ip Disable password authentication in the SSH config file: sudo nano /etc/ssh/sshd_config Set the following: PasswordAuthentication no Restart SSH: sudo systemctl restart sshd

3. Install and Configure Fail2Ban to Prevent Brute Force Attacks

Fail2Ban is a tool that detects brute-force attacks and blocks suspicious IP addresses. Steps: Install Fail2Ban: sudo apt-get install fail2ban Configure Fail2Ban for SSH:
  • Edit the jail.local file:
sudo nano /etc/fail2ban/jail.local
  • Add or edit the [sshd] section as follows:
[sshd]
enabled = true
port = 2222
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 600
  • Set the correct port for SSH (e.g., 2222).
Restart Fail2Ban: sudo systemctl restart fail2ban Check Fail2Ban status: sudo fail2ban-client status sshd

4. Disable Root Login via SSH

Allowing root login via SSH is a security risk. It’s better to disable root login and use a regular user account with sudo privileges. Steps: Edit the SSH config file: sudo nano /etc/ssh/sshd_config Find the PermitRootLogin line and set it to no: PermitRootLogin no Restart SSH: sudo systemctl restart sshd

5. Enable Two-Factor Authentication (2FA) for SSH

Adding two-factor authentication (2FA) to SSH adds an extra layer of security. Even if an attacker guesses your password, they will need an additional code to log in. Steps: Install pam_google_authenticator: sudo apt-get install libpam-google-authenticator Run google-authenticator for each user: google-authenticator Edit the PAM configuration file for SSH: sudo nano /etc/pam.d/sshd Add the following line at the end: auth required pam_google_authenticator.so Then, edit the SSH config file to enable 2FA: sudo nano /etc/ssh/sshd_config Set the following: ChallengeResponseAuthentication yes Restart SSH: sudo systemctl restart sshd

6. Restrict SSH Access to Specific IP Addresses

Limiting SSH access to specific IP addresses greatly improves security. Steps: Use iptables to allow SSH access only from a specific IP address: 
sudo iptables -A INPUT -p tcp -s YOUR_TRUSTED_IP --dport 2222 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 2222 -j DROP
To make iptables rules persistent: sudo apt-get install iptables-persistent

7. Monitor SSH Logs and Status

Regularly checking SSH logs and monitoring the status can help you detect any suspicious activity. Steps: Check SSH logs: sudo tail -f /var/log/auth.log Use logwatch for enhanced monitoring: 
sudo apt-get install logwatch
sudo logwatch --detail High --service sshd --range today

8. Use Security Tools to Scan for Threats

Tools like Lynis and RKHunter can help detect security vulnerabilities and threats. Steps: Install Lynis: 
sudo apt-get install lynis
sudo lynis audit system
Install RKHunter: 
sudo apt-get install rkhunter
sudo rkhunter --check

9. Limit SSH Authentication Retries

Limiting the number of failed SSH login attempts can prevent brute-force attacks. Steps: Edit the sshd_config file: sudo nano /etc/ssh/sshd_config Set the following: MaxAuthTries 3 Restart SSH: sudo systemctl restart sshd

10. Use SSH Key Agent

To avoid repeatedly entering passwords or SSH keys when connecting, you can use SSH Key Agent, which automatically loads your SSH keys. Steps: Add your SSH keys to the agent: 
eval $(ssh-agent)
ssh-add ~/.ssh/id_rsa
By following these steps, you can significantly improve the security of your SSH connections and protect your server from unauthorized access.