Secure SSH on Linux

Securing an SSH connection on Linux involves several steps to enhance the security of your server and protect against unauthorized access. Here are some best practices:

Change the Default SSH Port

By default, SSH listens on port 22. Moving it to a non-standard port cuts down the noise from automated scanners that only probe port 22, but it is not a substitute for the other controls below. Make sure the new port is allowed through your firewall before you restart SSH, or you will lock yourself out.

Edit the SSH configuration file:

sudo nano /etc/ssh/sshd_config

Find the line:

#Port 22

Uncomment it and change `22` to a different port number, e.g. `2222`:

Port 2222

Restart the SSH service:

sudo systemctl restart sshd

Use Strong Password Authentication

Ensure that users have strong passwords to protect against brute-force attacks.

Edit the password quality configuration (read by the `pam_pwquality` module):

sudo nano /etc/security/pwquality.conf

Set the policy values (`minlen` is the minimum length; a negative credit value requires at least that many characters from the class: digits, uppercase, other and lowercase respectively):

minlen = 12
dcredit = -1
ucredit = -1
ocredit = -1
lcredit = -1

Disable Root Login

Disable direct root login so that an attacker cannot brute-force the one account that exists on every server. Before you do this, make sure a non-root account with sudo access can already log in, otherwise you lose administrative access.

Edit the SSH configuration file:

sudo nano /etc/ssh/sshd_config

Find the line:

PermitRootLogin yes

Change it to (on recent OpenSSH releases the line may be commented out with a default of `prohibit-password`; add or uncomment it either way):

PermitRootLogin no

Restart the SSH service:

sudo systemctl restart sshd

Use SSH Key-Based Authentication

Key-based authentication is more secure than password authentication: the private key never leaves the client, and a 4096-bit key cannot be guessed by online brute force.

Generate a key pair on the client machine:

ssh-keygen -t rsa -b 4096

Copy the public key to the server (if you changed the SSH port, pass it with the `-p` option of `ssh-copy-id`):

ssh-copy-id user@server_ip

Ensure the `~/.ssh/authorized_keys` file on the server has the correct permissions:

chmod 600 ~/.ssh/authorized_keys
chmod 700 ~/.ssh
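The following check is an added example, not code from the original article: it verifies that a key directory and its `authorized_keys` file carry the modes set above, and can be pointed at a real `~/.ssh` or, as here, at a constructed directory. It assumes GNU coreutils `stat` (Linux); the `ssh_check_key_perms` function name is the example's own.

```sh
#!/bin/sh
# Added example (not from the article): check that a user's key directory and
# authorized_keys carry the modes this guide sets. Assumes GNU stat (Linux).

# ssh_check_key_perms DIR: print one line per mismatch and return the number
# of mismatches (0 = DIR is mode 700 and DIR/authorized_keys is mode 600).
ssh_check_key_perms() {
    dir=$1; n=0
    for entry in "$dir:700" "$dir/authorized_keys:600"; do
        path=${entry%:*}; want=${entry##*:}
        if [ ! -e "$path" ]; then
            echo "MISSING: $path"; n=$((n + 1)); continue
        fi
        have=$(stat -c '%a' "$path")          # octal mode, e.g. 600
        if [ "$have" != "$want" ]; then
            echo "FINDING: $path is mode $have, expected $want"; n=$((n + 1))
        fi
    done
    return "$n"
}

# Demo on a constructed directory: first with loose modes, then after
# applying the chmod commands from the guide.
demo=$(mktemp -d)
mkdir "$demo/.ssh"
: > "$demo/.ssh/authorized_keys"
chmod 755 "$demo/.ssh"; chmod 644 "$demo/.ssh/authorized_keys"   # constructed loose modes
echo "before:"; if ssh_check_key_perms "$demo/.ssh"; then echo "OK"; fi
chmod 700 "$demo/.ssh"; chmod 600 "$demo/.ssh/authorized_keys"   # the guide's settings
echo "after:";  if ssh_check_key_perms "$demo/.ssh"; then echo "OK"; fi
rm -rf "$demo"
```

For context on what sshd itself enforces: with `StrictModes` (on by default) sshd refuses an `authorized_keys` file if it, its directory or the home directory is group- or world-writable, so 644/755 would still log in; 600/700 is the stricter setting the guide recommends and also stops other local users from reading the list of authorised keys.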

Disable Password Authentication

After key-based authentication is set up and has been tested, disable password authentication. Keep your current session open and confirm that a new key-based login succeeds before closing it.

Edit the SSH configuration file:

sudo nano /etc/ssh/sshd_config

Find the line:

#PasswordAuthentication yes

Uncomment it and change `yes` to `no`:

PasswordAuthentication no

Restart the SSH service:

sudo systemctl restart sshd

Limit User Logins

Restrict SSH access to specific users or groups.

Edit the SSH configuration file:

sudo nano /etc/ssh/sshd_config

Add a line listing the users allowed to log in over SSH:

AllowUsers user1 user2

Or for groups:

AllowGroups sshusers

Restart the SSH service:

sudo systemctl restart sshd
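The script below is an added example, not code from the original article. It audits an `sshd_config` file for the four settings changed in the sections above (Port, PermitRootLogin, PasswordAuthentication and AllowUsers/AllowGroups) and demonstrates a trap worth knowing: sshd takes the first uncommented value of each keyword, and every line after a `Match` block belongs to that block, so a hardening line appended at the end of the file can silently lose to an earlier default. The two sample configurations and the function names are constructed for the example.

```sh
#!/bin/sh
# Added example (not from the article): audit an sshd_config for the settings
# this guide changes. sshd uses the FIRST uncommented value of each keyword,
# and lines after a "Match" directive apply only to that Match block.

# ssh_effective_value FILE KEYWORD DEFAULT: print the value sshd would use for
# KEYWORD (case-insensitive, as in sshd), or DEFAULT when FILE does not set it
# in the global section. The "Key=value" spelling sshd also accepts is not handled.
ssh_effective_value() {
    awk -v kw="$2" -v def="$3" '
        tolower($1) == "match"     { exit }   # rest of the file is conditional
        NF == 0 || $1 ~ /^#/       { next }   # blank or comment line
        tolower($1) == tolower(kw) { $1 = ""; sub(/^ /, ""); print; found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# ssh_audit_config FILE: print one line per deviation from the guide and
# return the number of findings (0 = the file matches the guide).
ssh_audit_config() {
    f=$1; n=0
    if [ "$(ssh_effective_value "$f" Port 22)" = "22" ]; then
        echo "FINDING: sshd still listens on the default port 22"; n=$((n + 1))
    fi
    if [ "$(ssh_effective_value "$f" PermitRootLogin prohibit-password)" != "no" ]; then
        echo "FINDING: PermitRootLogin is not 'no'"; n=$((n + 1))
    fi
    if [ "$(ssh_effective_value "$f" PasswordAuthentication yes)" != "no" ]; then
        echo "FINDING: PasswordAuthentication is not 'no'"; n=$((n + 1))
    fi
    if [ -z "$(ssh_effective_value "$f" AllowUsers "")" ] &&
       [ -z "$(ssh_effective_value "$f" AllowGroups "")" ]; then
        echo "FINDING: no AllowUsers/AllowGroups restriction"; n=$((n + 1))
    fi
    return "$n"
}

# Constructed sample: hardening lines were appended below a Match block, so
# they never take effect globally and three of the four checks still fail.
ssh_write_weak_sample() {
    cat > "$1" <<'EOF'
Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication yes
AllowUsers deploy
Match User backup
    PasswordAuthentication no
# appended later, but still inside the Match block above:
PermitRootLogin no
EOF
}

# Constructed sample that follows the guide.
ssh_write_hardened_sample() {
    cat > "$1" <<'EOF'
Port 2222
PermitRootLogin no
PasswordAuthentication no
AllowGroups sshusers
EOF
}

# Demo: audit both samples.
for kind in weak hardened; do
    sample=$(mktemp)
    "ssh_write_${kind}_sample" "$sample"
    echo "== $kind sample"
    if ssh_audit_config "$sample"; then echo "OK: matches the guide"; fi
    rm -f "$sample"
done
```

On a live server, run the audit against `/etc/ssh/sshd_config` after each change and before restarting sshd; the weak sample shows why "grep says the line is there" is not the same as "sshd will use it".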

Use a Firewall

Set up a firewall so that only the SSH port is reachable and, where administrators connect from fixed addresses, only from those addresses. The rules below open the port to every source; both `ufw` and `iptables` can additionally restrict the source address. Allow the new port before you restart SSH on it, and note that rules added with `iptables` are not kept across reboots unless you save them with your distribution's mechanism.

For `ufw`:

sudo ufw allow 2222/tcp
sudo ufw enable

For `iptables`:

sudo iptables -A INPUT -p tcp --dport 2222 -j ACCEPT

Install and Configure Fail2Ban

Fail2Ban helps protect against brute-force attacks by banning IPs with multiple failed login attempts.

Install Fail2Ban:

sudo apt-get install fail2ban

Create a local copy of the jail configuration so that your changes are not overwritten on upgrade:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Edit the local configuration:

sudo nano /etc/fail2ban/jail.local

Find the `[sshd]` section, enable it, and set `port` to the port you configured in `sshd_config` (Fail2Ban bans on the port it is told about, so a mismatch leaves the real port unprotected):

[sshd]
enabled = true
port = 2222

Restart Fail2Ban:

sudo systemctl restart fail2ban

Enable Two-Factor Authentication (2FA)

For an added layer of security, enable 2FA for SSH logins.

Install Google Authenticator:

sudo apt-get install libpam-google-authenticator

Run the setup as the user who will log in; it stores the secret in that user's home directory and prints emergency scratch codes that should be kept somewhere safe:

google-authenticator

Edit the PAM configuration for SSH:

sudo nano /etc/pam.d/sshd

Add the following line:

auth required pam_google_authenticator.so

Edit the SSH configuration file:

sudo nano /etc/ssh/sshd_config

Enable challenge-response authentication so that sshd prompts for the code:

ChallengeResponseAuthentication yes

Restart the SSH service:

sudo systemctl restart sshd

Monitor SSH Logs

Watch the authentication log for failed and successful login attempts; a burst of failures from one address is the pattern Fail2Ban reacts to:

sudo tail -f /var/log/auth.log
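The script below is an added example, not code from the original article. It summarises `Failed password` lines per source address and flags any source that reached a retry threshold, which is the same signal the Fail2Ban `[sshd]` jail acts on (without Fail2Ban's time window). The log lines are constructed for the demo, use RFC 5737 documentation addresses, and follow the usual OpenSSH syslog format; the function names are the example's own.

```sh
#!/bin/sh
# Added example (not from the article): summarise failed SSH logins per source
# address from auth.log-style lines. The sample log below is constructed.

# ssh_write_sample_log FILE: write the constructed sample log to FILE.
ssh_write_sample_log() {
    cat > "$1" <<'EOF'
Mar  3 10:01:12 vps sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:01:15 vps sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Mar  3 10:01:19 vps sshd[1203]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar  3 10:02:01 vps sshd[1210]: Accepted publickey for deploy from 198.51.100.20 port 40012 ssh2
Mar  3 10:02:40 vps sshd[1215]: Failed password for deploy from 198.51.100.20 port 40020 ssh2
Mar  3 10:03:05 vps sshd[1220]: Invalid user oracle from 192.0.2.55 port 44444
Mar  3 10:03:06 vps sshd[1220]: Failed password for invalid user oracle from 192.0.2.55 port 44444 ssh2
EOF
}

# ssh_failed_by_ip FILE: print "ip count" for every source address with at
# least one "Failed password" line, most failures first.
ssh_failed_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
             # the source address is the word after "from"
             for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i + 1)]++; break }
         }
         END { for (ip in fails) print ip, fails[ip] }' "$1" |
        sort -k2,2nr -k1,1
}

# ssh_flag_bruteforce FILE MAXRETRY: print the addresses whose failure count
# reached MAXRETRY, mirroring Fail2Ban's maxretry setting.
ssh_flag_bruteforce() {
    ssh_failed_by_ip "$1" | awk -v max="$2" '$2 >= max { print $1 }'
}

# Demo on the constructed log.
log=$(mktemp)
ssh_write_sample_log "$log"
echo "Failed password attempts per source:"
ssh_failed_by_ip "$log"
echo "Sources at or above maxretry=3:"
ssh_flag_bruteforce "$log" 3
rm -f "$log"
```

On a real system point the functions at `/var/log/auth.log`. Distributions that log only to the systemd journal have no such file; there, `journalctl -u ssh` (Debian/Ubuntu) or `journalctl -u sshd` (Fedora/RHEL) produces the same lines and can be saved to a file for the same analysis.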
