SSH Security Hardening Guide
Secure Shell (SSH) is a fundamental tool for server management, providing encrypted communication for remote access. However, it’s also a common target for cyberattacks. Implementing basic SSH security measures is essential to protect your server from unauthorized access and brute-force attacks.
This guide begins with foundational security practices and progresses to advanced techniques for a comprehensive approach to hardening your SSH setup. Whether you’re a beginner or an experienced administrator, this guide will help you secure your server effectively.
For those just starting, here are a few simple yet crucial steps to secure your SSH connection:
- Change the Default SSH Port:
- By default, SSH listens on port 22, a known target for attackers. Changing it to a non-standard port reduces the likelihood of brute-force attacks.
- Disable Root Login:
- Direct root access is a significant risk. Use a regular user account with sudoprivileges instead.
- Enable SSH Key Authentication:
- Replace password-based logins with SSH keys for enhanced security. This method ensures only users with the private key can access the server.
- Limit Failed Login Attempts:
- Install tools like Fail2Ban to block IP addresses after a set number of unsuccessful login attempts.
- Keep Your System Updated:
- Regularly update your server and SSH software to patch vulnerabilities and improve overall security.
By starting with these basic practices, you’ll lay a strong foundation for SSH security. The following sections will build on these principles with advanced strategies to further harden your server against sophisticated threats.
The default SSH port (port 22) is one of the primary targets for brute-force attacks. Changing the port can be the first step to improving security.
Edit the SSH configuration file:
Find the line Port 22 and change it to a different port (e.g., 2222):
Restart SSH to apply the changes:
Before disconnecting, check if the new port is open:
SSH key authentication is much more secure than using passwords, as it prevents brute-force attacks.
Generate an SSH key pair (if you don't already have one):
Copy the public key to the server:
Disable password authentication in the SSH config file:
Set the following:
Restart SSH:
Fail2Ban is a tool that detects brute-force attacks and blocks suspicious IP addresses.
Install Fail2Ban:
Configure Fail2Ban for SSH:
- Edit the jail.local file:
- Add or edit the [sshd] section as follows:
- Set the correct port for SSH (e.g., 2222).
Restart Fail2Ban:
Check Fail2Ban status:
Allowing root login via SSH is a security risk. It's better to disable root login and use a regular user account with sudo privileges.
Edit the SSH config file:
Find the PermitRootLogin line and set it to no:
Restart SSH:
Adding two-factor authentication (2FA) to SSH adds an extra layer of security. Even if an attacker guesses your password, they will need an additional code to log in.
Install pam_google_authenticator:
Run google-authenticator for each user:
Edit the PAM configuration file for SSH:
Add the following line at the end:
Then, edit the SSH config file to enable 2FA:
Set the following:
Restart SSH:
Limiting SSH access to specific IP addresses greatly improves security.
Use iptables to allow SSH access only from a specific IP address:
To make iptables rules persistent:
Regularly checking SSH logs and monitoring the status can help you detect any suspicious activity.
Check SSH logs:
Use logwatch for enhanced monitoring:
Tools like Lynis and RKHunter can help detect security vulnerabilities and threats.
Install Lynis:
Install RKHunter:
Limiting the number of failed SSH login attempts can prevent brute-force attacks.
Edit the sshd_config file:
Set the following:
Restart SSH:
To avoid repeatedly entering passwords or SSH keys when connecting, you can use SSH Key Agent, which automatically loads your SSH keys.
Add your SSH keys to the agent:
By following these steps, you can significantly improve the security of your SSH connections and protect your server from unauthorized access.
