5 tips for securing SSH on your Linux servers
SSH is a tool I use every single day to log into remote Linux servers and take care of my admin tasks. Without SSH, my days would be more complicated and less secure. That doesn’t mean, however, that SSH is configured to your liking right out of the box. There are a few weaknesses in the default configuration and the way you’re probably using the tool.
Let’s fix that.
Here are my five most straightforward tips for securing SSH on your Linux machines. These tips shouldn’t take you more than five minutes to handle and, in the end, you’ll be glad you took the time to do so.
What you’ll need
The only things you’ll need for this are a running instance of Linux and a user with sudo privileges.
Tip 1: Change the default port
The first thing we’ll do is change the default port from 22, which is widely targeted by brute-force and other attacks. To do this, open the SSH daemon configuration file with:
sudo nano /etc/ssh/sshd_config
In that file, look for:
#Port 22
Change that to something like:
Port 2124
Save and close the file. Restart the daemon with:
sudo systemctl restart sshd
Before you exit from this terminal, make sure you can reconnect to the server with another SSH instance, adding the -p 2124 (or whatever port you decide on) option at the end like so:
ssh 192.168.1.63 -p 2124
Tip 2: Disable X11/TCP port forwarding
Next, we’re going to disable X11 and TCP port forwarding, because attackers can use these features to gain access to other systems on your network. To do this, re-open the daemon configuration file and look for the following two lines:
#AllowTcpForwarding yes
X11Forwarding yes
Change those lines to:
AllowTcpForwarding no
X11Forwarding no
Save and close the file.
We’ll hold off on restarting the SSH daemon until we’ve taken care of the other configurations.
Tip 3: Disable users with blank passwords
Within the SSH daemon file, we want to prevent users with blank passwords from gaining access. You shouldn’t have to bother with this if you’ve set up a policy that disallows empty passwords, but it’s always better to be safe than sorry.
In the daemon configuration file, look for the line:
#PermitEmptyPasswords no
Change that line to:
PermitEmptyPasswords no
Save and close the file.
Since we’re done with the daemon configuration, restart the SSH daemon with:
sudo systemctl restart sshd
Tip 4: Restrict SSH logins to specific IPs
We’re now going to restrict all SSH logins to specific IP addresses. To do that, open the hosts.deny file with:
sudo nano /etc/hosts.deny
At the bottom of that file, add the following:
sshd: ALL
Save and close the file.
Next, open the hosts.allow file with:
sudo nano /etc/hosts.allow
At the bottom of that file, add a comma-separated line that includes all of the IP addresses you want to allow through like so:
sshd: 192.168.1.62, 192.168.1.11, 192.168.1.100
If you wanted to allow all machines on your LAN, you could use something like:
sshd: 192.168.1.0/24
Save and close the file.
Tip 5: Use SSH key authentication
This is one of the most important tips. Using SSH key authentication is much more secure than using standard passwords. So how do we set it up?
Simple. Generate an SSH key on a client you want to use to connect to the server with the command:
ssh-keygen -t rsa
Next, we copy the key to the server with:
ssh-copy-id SERVER
Where SERVER is the IP address of your server.
There is one caveat to this. If you’ve changed the default SSH port, you can’t use the ssh-copy-id command because it doesn’t accept arguments. Instead, you need to configure a host entry in ~/.ssh/config that looks like this:
Host NAME
    HostName SERVER
    Port PORT
Where:
- NAME is a human-readable name for the server.
- SERVER is the IP address of the server.
- PORT is the non-default port you’ve configured.
Save and close the file. You can now copy that key to the SSH server listening on the non-standard port with something like:
ssh-copy-id NAME
Where NAME is the human-readable name given to the server in the configuration file.
After copying your SSH authentication key to the server, open a new terminal and make sure you can still connect to the server via SSH. If you can, make sure to copy the SSH keys from every client that needs access to the server and then disable password authentication by opening the daemon configuration file one more time with:
sudo nano /etc/ssh/sshd_config
Look for the line:
#PasswordAuthentication yes
Change that line to:
PasswordAuthentication no
Save and close the file and restart the SSH daemon with:
sudo systemctl restart sshd
Now, only those with SSH keys on the server will be able to log in.
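An added example, not part of the original article: a POSIX shell audit of the sshd_config settings changed in Tips 1, 2, 3 and 5. The function names, the "!22" marker and the sample file are assumptions made for this illustration; the defaults listed are upstream OpenSSH's.

```shell
#!/bin/sh
# Added example (helper names are hypothetical): audit an sshd_config for the
# settings this article changes. sshd keeps the FIRST value it reads for a
# keyword, ignores keyword case, and uses its built-in default when the only
# occurrence of a keyword is commented out.

# effective_value FILE KEYWORD DEFAULT: print the global value sshd would use.
effective_value() {
    awk -v key="$2" -v def="$3" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ || NF == 0 { next }      # comments and blank lines
        tolower($1) == "match" { exit }     # global section ends at first Match
        tolower($1) == key { val = tolower($2); found = 1; exit }  # first wins
        END { print (found ? val : def) }
    ' "$1"
}

# audit_sshd_config FILE: print one FAIL line per weak setting; status 1 if any.
audit_sshd_config() {
    file=$1
    rc=0
    # Columns: keyword, wanted value ("!22" means any port but 22), OpenSSH default.
    while read -r key want def; do
        got=$(effective_value "$file" "$key" "$def")
        if [ "$want" = "!22" ] && [ "$got" != "22" ]; then continue; fi
        if [ "$got" = "$want" ]; then continue; fi
        echo "FAIL $key: effective value is $got"
        rc=1
    done <<'EOF'
Port !22 22
AllowTcpForwarding no yes
X11Forwarding no no
PermitEmptyPasswords no no
PasswordAuthentication no yes
EOF
    return "$rc"
}

# Constructed sample: the stock lines quoted in the article, before any edits.
sample=$(mktemp)
printf '%s\n' '#Port 22' '#AllowTcpForwarding yes' 'X11Forwarding yes' \
    '#PermitEmptyPasswords no' '#PasswordAuthentication yes' > "$sample"
audit_sshd_config "$sample" || echo "sshd_config still needs the changes above"
rm -f "$sample"
```

On a live server, sudo sshd -T prints the effective configuration, including any files pulled in by Include, and sudo sshd -t checks the syntax before you restart the daemon.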
And there you go. In about 5 minutes you’ve locked down SSH on your server. You should also install and configure fail2ban, but that will take you a bit longer than 5 minutes. Enjoy that added layer of security.