Jump to content

Secure SSH Configuration

Jessica Brown
Jessica Brown
in Server Administration

Featured Replies

Posted

You are reading Part 10 of the 57-part series: Harden and Secure Linux Servers. [Level 1]

This series covers progressive security measures, from fundamental hardening techniques to enterprise-grade defense strategies. Each article delves into a specific security practice, explaining its importance and providing step-by-step guidance for implementation.

To explore more security best practices, visit the main guide for a full breakdown of all levels and recommendations.

The SSH service (Secure Shell) is a critical entry point for remote server management, but leaving default settings unchanged makes it vulnerable to brute-force attacks, unauthorized access, and exploits. Configuring SSH properly helps harden your server by limiting login options and restricting access to trusted users.

How to Secure SSH Configuration

  1. Open the SSH configuration file:

    sudo nano /etc/ssh/sshd_config

  2. Modify the following settings to improve security:

    Port 2222                  # Change the default SSH port
PasswordAuthentication no   # Disable password login (use SSH keys instead)
Protocol 2                  # Use SSH protocol 2 only (more secure)

    • Change the default SSH port (e.g., from 22 to 2222) to make brute-force attacks less likely.

    • Disable password authentication to enforce SSH key-based login.

    • Ensure SSH Protocol 2 is used, as Protocol 1 has known vulnerabilities.

  3. Save and close the file.

  4. Restart SSH to apply the changes:

    sudo systemctl restart sshd

Additional SSH Security Enhancements

✅ Limit SSH access to specific users:

  • Add the following line to /etc/ssh/sshd_config:

    AllowUsers yourusername

  • Replace yourusername with your actual SSH username to restrict access to only approved users.

✅ Enable SSH Rate Limiting with Fail2Ban:

  • If Fail2Ban is installed, configure SSH protection in /etc/fail2ban/jail.conf:

    [sshd]
enabled = true
maxretry = 5
bantime = 3600

(Blocks IPs after 5 failed login attempts for one hour.)

✅ Disable root login:

  • Ensure this line is set in /etc/ssh/sshd_config:

    PermitRootLogin no

✅ Restrict SSH access to trusted IP addresses (optional but highly recommended):

  • Edit firewall rules to allow SSH only from specific IPs:

    sudo ufw allow from your_trusted_ip to any port 2222

  • Replace your_trusted_ip with your actual IP address.

Best Practices for SSH Security:

🔹 Use key-based authentication instead of passwords for SSH access.
🔹 Change the SSH port to a non-standard number (above 1024 but below 65535).
🔹 Monitor SSH login attempts with sudo cat /var/log/auth.log | grep "sshd".
🔹 Use multi-factor authentication (MFA) for added security (e.g., Google Authenticator).

By securing SSH configurations, you reduce attack risks, prevent brute-force login attempts, and enhance overall server security.

  • Quote
    • Views 87
    • Created
    • Last Reply

    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.

    Guest
    Reply to this topic...
    Go to topic listing

    Important Information

    Terms of Use Privacy Policy Guidelines We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.