5 tips for securing SSH on your Linux servers


SSH is a tool I use every single day to log into remote Linux servers and take care of my admin tasks. Without SSH, my days would be more complicated and less secure. That doesn’t mean, however, that SSH is configured to your liking right out of the box. There are a few weaknesses in the default configuration and the way you’re probably using the tool.

Let’s fix that.

Here are my five most straightforward tips for securing SSH on your Linux machines. These tips shouldn’t take you more than five minutes to handle and, in the end, you’ll be glad you took the time to do so.

What you’ll need

The only things you’ll need for this are a running instance of Linux and a user with sudo privileges.

Tip 1: Change the default port

The first thing we’ll do is change the default port from 22, the port that automated brute-force and other attacks target. To do this, open the SSH daemon configuration file with:

sudo nano /etc/ssh/sshd_config

In that file, look for:

#Port 22

Change that to something like:

Port 2124

Save and close the file. Restart the daemon with:

sudo systemctl restart sshd

Before you exit from this terminal, make sure you can reconnect to the server with another SSH instance, adding the -p 2124 (or whatever port you decide on) option at the end like so:

ssh 192.168.1.63 -p 2124

Tip 2: Disable X11/TCP port forwarding

Next, we’re going to disable X11 and TCP port forwarding, because an attacker who gains an SSH session on this server could otherwise tunnel through it to reach other systems on your network. To do this, re-open the daemon configuration file and look for the following two lines:

#AllowTcpForwarding yes
X11Forwarding yes

Change those lines to:

AllowTcpForwarding no
X11Forwarding no

Save and close the file.

We’ll hold off on restarting the SSH daemon until we’ve taken care of the other configurations.

Tip 3: Disable users with blank passwords

Within the SSH daemon file, we want to prevent users with blank passwords from gaining access. You shouldn’t have to bother with this if you’ve set up a policy that disallows empty passwords, but it’s always better to be safe than sorry.

In the daemon configuration file, look for the line:

#PermitEmptyPasswords no

Change that line to:

PermitEmptyPasswords no

Save and close the file.

Since we’re done with the daemon configuration, restart the SSH daemon with:

sudo systemctl restart sshd
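Tips 1 to 3 are four edits to the same file, and two properties of sshd_config make hand edits easy to get subtly wrong: sshd uses the first value it reads for a directive, and a global directive placed after a Match block is silently scoped to that block. The script below is an added example (not code from the article) that applies the four settings with a helper honouring both rules, reads the effective values back, and validates the file with sshd -t before restarting. It assumes the article's path /etc/ssh/sshd_config and port 2124, and that the service unit is named sshd (it is named ssh on Debian and Ubuntu, which the restart helper falls back to).

```sh
#!/bin/sh
# Added example (not from the article): apply Tips 1-3 to sshd_config
# idempotently, then validate before restarting.

# set_sshd_option FILE KEY VALUE
# Rewrites the first "KEY ..." or "#KEY ..." line in the global section to
# "KEY VALUE". A missing directive is inserted before the first Match block
# (or appended if there is none); later active duplicates are commented out
# because sshd would never use them anyway.
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v value="$value" '
        BEGIN {
            pat = "^[ \t]*#?[ \t]*" tolower(key) "[ \t]"   # "Key" or "#Key" at line start
            done = 0; inmatch = 0
        }
        {
            line = $0
            if (!inmatch && tolower(line) ~ /^[ \t]*match[ \t]/) {
                inmatch = 1
                if (!done) { print key " " value; done = 1 }  # global must precede Match
            }
            if (inmatch) { print line; next }                 # leave Match blocks untouched
            if (tolower(line) ~ pat) {
                if (!done) { print key " " value; done = 1; next }
                if (line !~ /^[ \t]*#/) line = "#" line        # disable a losing duplicate
            }
            print line
        }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$file"      # keeps the file's owner and mode
    rm -f "$tmp"
}

# get_sshd_option FILE KEY: the value sshd will actually use (first active
# line in the global section).
get_sshd_option() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        tolower($1) == "match" { exit }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# The article's four settings; the port is the only variable one.
harden_sshd_config() {
    file=${1:-/etc/ssh/sshd_config}
    port=${2:-2124}
    set_sshd_option "$file" Port "$port"
    set_sshd_option "$file" AllowTcpForwarding no
    set_sshd_option "$file" X11Forwarding no
    set_sshd_option "$file" PermitEmptyPasswords no
}

# Let sshd parse the file before restarting so a typo cannot lock you out.
restart_sshd_if_valid() {
    file=${1:-/etc/ssh/sshd_config}
    sudo sshd -t -f "$file" || { echo "sshd_config has errors; not restarting" >&2; return 1; }
    sudo systemctl restart sshd 2>/dev/null || sudo systemctl restart ssh
}
# Usage on the server: harden_sshd_config && restart_sshd_if_valid
```

Try harden_sshd_config on a copy of the file and diff it against the original before touching the live one. As with Tip 1, keep the current session open after restart_sshd_if_valid and confirm a fresh connection on the new port works; on a RHEL-family host with SELinux enforcing, the new port must also be registered with `semanage port -a -t ssh_port_t -p tcp 2124`, and any host firewall needs the port opened.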

Tip 4: Restrict SSH logins to specific IPs

We’re now going to restrict all SSH logins to specific IP addresses. To do that, open the hosts.deny file with:

sudo nano /etc/hosts.deny

At the bottom of that file, add the following:

sshd: ALL

Save and close the file.

Next, open the hosts.allow file with:

sudo nano /etc/hosts.allow

At the bottom of that file, add a comma-separated line that includes all of the IP addresses you want to allow through like so:

sshd: 192.168.1.62, 192.168.1.11, 192.168.1.100

If you wanted to allow all machines on your LAN, you could use something like:

sshd: 192.168.1.0/24

Save and close the file.
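As an added example (not from the article), the script below writes the two entries from this tip: it validates every address as an IPv4 address or /prefix network before either file is touched, replaces any earlier sshd: line so repeated runs stay clean, and writes hosts.allow before hosts.deny, since both files are consulted on every new connection and the allow line must exist before ALL is denied. It also includes the check worth running first: upstream OpenSSH removed tcp_wrappers support in release 6.7, so hosts.allow and hosts.deny are only honoured by an sshd binary that is linked against libwrap. File paths are parameters so the functions can be exercised on copies; the addresses are the article's.

```sh
#!/bin/sh
# Added example (not from the article): allowlist SSH clients via TCP wrappers.

# Accept a dotted-quad IPv4 address, optionally followed by /prefix (0-32).
valid_ipv4_or_cidr() {
    printf '%s\n' "$1" | awk -F'[./]' '
        NF != 4 && NF != 5 { exit 1 }
        { for (i = 1; i <= 4; i++)
              if ($i !~ /^[0-9][0-9]?[0-9]?$/ || $i + 0 > 255) exit 1 }
        NF == 5 && ($5 !~ /^[0-9][0-9]?$/ || $5 + 0 > 32) { exit 1 }
        { exit 0 }
    '
}

# Print "sshd: a, b, c" for the given addresses; fail on the first bad one.
build_hosts_allow_line() {
    [ $# -ge 1 ] || { echo "need at least one address" >&2; return 1; }
    out=""
    for a in "$@"; do
        valid_ipv4_or_cidr "$a" || { echo "rejected address: $a" >&2; return 1; }
        out="${out:+$out, }$a"
    done
    printf 'sshd: %s\n' "$out"
}

# Replace any existing "sshd:" line in FILE with ENTRY, keeping other
# services' entries and comments as they are (idempotent).
replace_sshd_entry() {
    file=$1; entry=$2
    tmp=$(mktemp) || return 1
    {
        if [ -f "$file" ]; then
            grep -v '^[[:space:]]*sshd[[:space:]]*:' "$file" || true
        fi
        printf '%s\n' "$entry"
    } > "$tmp"
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# apply_ssh_ip_allowlist ALLOW_FILE DENY_FILE ADDR...
apply_ssh_ip_allowlist() {
    allow=$1; deny=$2; shift 2
    entry=$(build_hosts_allow_line "$@") || return 1
    # hosts.allow is consulted first and both files are read on every new
    # connection, so writing the allow line first avoids a lockout window.
    replace_sshd_entry "$allow" "$entry"
    replace_sshd_entry "$deny" "sshd: ALL"
}

# OpenSSH itself dropped tcp_wrappers support in 6.7. hosts.allow/hosts.deny
# only matter if the distribution's sshd is linked against libwrap.
sshd_honors_tcp_wrappers() {
    bin=$(command -v sshd || echo /usr/sbin/sshd)
    [ -x "$bin" ] || { echo "sshd binary not found" >&2; return 2; }
    ldd "$bin" 2>/dev/null | grep -q libwrap
}
# Usage on the server, after sshd_honors_tcp_wrappers reports success:
#   apply_ssh_ip_allowlist /etc/hosts.allow /etc/hosts.deny 192.168.1.62 192.168.1.11 192.168.1.100
```

If sshd_honors_tcp_wrappers fails, these two files do nothing for SSH on that host and the restriction has to be enforced elsewhere; run the check before relying on the tip.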

Tip 5: Use SSH key authentication

This is one of the most important tips. Using SSH key authentication is much more secure than using standard passwords. So how do we set it up?

Simple. Generate an SSH key on a client you want to use to connect to the server with the command:

ssh-keygen -t rsa

Next, we copy the key to the server with:

ssh-copy-id SERVER

Where SERVER is the IP address of your server.

There is one caveat to this. If you’ve changed the default SSH port, you can’t use the ssh-copy-id command because it doesn’t accept arguments. Instead, you need to configure a host entry in ~/.ssh/config that looks like this:

Host NAME
HostName SERVER
Port PORT

Where:

  • NAME is a human-readable name for the server.
  • SERVER is the IP address of the server.
  • PORT is the non-default port you’ve configured.

Save and close the file. You can now copy your key to the server listening on the non-standard port with something like:

ssh-copy-id NAME

Where NAME is the human-readable name given to the server in the configuration file.

After copying your SSH authentication key to the server, open a new terminal and make sure you can still connect to the server via SSH. If you can, make sure to copy the SSH keys from every client that needs access to the server and then disable password authentication by opening the daemon configuration file one more time with:

sudo nano /etc/ssh/sshd_config

Look for the line:

#PasswordAuthentication yes

Change that line to:

PasswordAuthentication no

Save and close the file and restart the SSH daemon with:

sudo systemctl restart sshd

Now, only those with SSH keys on the server will be able to log in.
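The client side of Tip 5, as an added example that is not code from the article: it writes the Host NAME block into ~/.ssh/config idempotently (an existing block for that name is replaced, others are kept, and the file is given the permissions ssh insists on), runs ssh-copy-id NAME as above, and then proves a non-interactive key-only login with ssh -o BatchMode=yes -o PasswordAuthentication=no before PasswordAuthentication no is set on the server. NAME, SERVER and PORT are the article's placeholders; the ed25519 key type and the key path are my assumptions (the article generates an RSA key; ssh-copy-id handles either).

```sh
#!/bin/sh
# Added example (not from the article): key authentication for a server on
# a non-default port via a ~/.ssh/config Host entry, verified before
# passwords are switched off on the server.

# add_ssh_host_entry CONFIG NAME SERVER PORT
add_ssh_host_entry() {
    cfg=$1; name=$2; server=$3; port=$4
    mkdir -p "$(dirname "$cfg")" && chmod 700 "$(dirname "$cfg")"
    tmp=$(mktemp) || return 1
    {
        if [ -f "$cfg" ]; then
            awk -v name="$name" '
                # a block runs from its Host/Match line to the next one;
                # only single-pattern "Host NAME" lines are recognised here
                tolower($1) == "host" || tolower($1) == "match" {
                    skip = (tolower($1) == "host" && $2 == name)
                }
                !skip { print }
            ' "$cfg"
        fi
        printf 'Host %s\n    HostName %s\n    Port %s\n' "$name" "$server" "$port"
    } > "$tmp"
    cat "$tmp" > "$cfg" && chmod 600 "$cfg"   # ssh rejects a group/world-writable config
    rm -f "$tmp"
}

# host_entry_value CONFIG NAME KEY: read one option back from NAME's block.
host_entry_value() {
    awk -v name="$2" -v key="$(printf '%s' "$3" | tr 'A-Z' 'a-z')" '
        tolower($1) == "host" || tolower($1) == "match" {
            inblock = (tolower($1) == "host" && $2 == name); next
        }
        inblock && tolower($1) == key { print $2; exit }
    ' "$1"
}

# Non-interactive, key-only login test. Run it from a second terminal before
# changing PasswordAuthentication on the server: a failure here means the key
# is not installed correctly and disabling passwords would lock you out.
verify_key_login() {
    ssh -o BatchMode=yes -o PasswordAuthentication=no \
        -o PreferredAuthentications=publickey "$1" true
}

# Whole client-side flow for one server (assumed key path and type).
enroll_client_key() {
    name=$1; server=$2; port=${3:-22}
    [ -f "$HOME/.ssh/id_ed25519" ] || ssh-keygen -t ed25519 -a 64 -f "$HOME/.ssh/id_ed25519"
    add_ssh_host_entry "$HOME/.ssh/config" "$name" "$server" "$port"
    ssh-copy-id "$name"          # HostName and Port come from the config block
    verify_key_login "$name" && echo "key login to $name OK"
}
# Usage: enroll_client_key NAME SERVER PORT
```

`ssh -G NAME` prints the hostname and port ssh resolved for the alias, which is a quick way to confirm the config block is the one being used. Only once verify_key_login succeeds from every client that needs access should PasswordAuthentication be set to no and sshd restarted.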

And there you go. In about 5 minutes you’ve locked down SSH on your server. You should also install and configure fail2ban, but that will take you a bit longer than 5 minutes. Enjoy that added layer of security.
