Securing SSH (Secure Shell) access is crucial for protecting your Linux server from unauthorized login attempts and potential breaches. As SSH is commonly used for remote server management, it’s often targeted by attackers. By following these best practices, you can significantly enhance the security of your SSH access and safeguard your server.
1. Disable Root Login
By default, root access via SSH is enabled, which presents a high-security risk. Disabling root login forces users to log in with a less privileged account and then switch to root using sudo
. This helps prevent brute force attacks directly targeting the root account.
- To disable root login, edit the SSH configuration file:
sudo nano /etc/ssh/sshd_config
- Find the line
PermitRootLogin yes
and change it to:
PermitRootLogin no
- Save the changes and restart the SSH service:
sudo systemctl restart ssh
2. Use SSH Key Authentication
Password-based authentication is vulnerable to brute force attacks. Replacing it with SSH key-based authentication adds a stronger layer of security. SSH keys are cryptographic keys that provide a more secure login method.
- Generate an SSH key pair on your local machine:
ssh-keygen -t rsa
- Copy the public key to your server:
ssh-copy-id user@server_ip
- Once the key is installed, disable password authentication. Edit the
/etc/ssh/sshd_config
file:
PasswordAuthentication no
- Restart the SSH service:
sudo systemctl restart ssh
3. Change the Default SSH Port
Changing the default SSH port from 22
to a custom, non-standard port can reduce the number of automated attacks on your server. While this doesn’t provide complete protection, it adds an extra layer of obscurity.
- Edit the SSH configuration file:
sudo nano /etc/ssh/sshd_config
- Locate the line
Port 22
and change it to a custom port (e.g.,2244
):
Port 2244
- After saving, restart the SSH service:
sudo systemctl restart ssh
Make sure to update your firewall rules to allow traffic on the new port.
4. Limit SSH Access by IP Address
Limiting SSH access to specific IP addresses or IP ranges prevents unauthorized users from even attempting to connect to your server. You can configure this restriction using your server’s firewall.
- For UFW (Uncomplicated Firewall), use:
sudo ufw allow from your_ip_address to any port 2244
- For iptables, the command would be:
sudo iptables -A INPUT -p tcp -s your_ip_address --dport 2244 -j ACCEPT
This approach is particularly useful for servers that are accessed from a consistent location, such as a corporate office or a trusted VPN.
5. Implement Fail2ban
Fail2ban is a useful security tool that automatically blocks IP addresses showing signs of malicious activity, such as multiple failed login attempts. This helps protect against brute force attacks.
- Install Fail2ban:
sudo apt-get install fail2ban
- Create a custom configuration file:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
- Configure Fail2ban to monitor SSH attempts by adding or modifying the following section in
/etc/fail2ban/jail.local
:
[sshd]
enabled = true
port = 2244
logpath = /var/log/auth.log
maxretry = 5
- Restart the Fail2ban service:
sudo systemctl restart fail2ban
6. Use Two-Factor Authentication (2FA)
For additional security, you can enable two-factor authentication (2FA) for SSH access. This requires users to enter both their password (or SSH key) and a one-time code generated by a 2FA app, adding another layer of protection.
- Install Google Authenticator:
sudo apt-get install libpam-google-authenticator
- Configure 2FA for your user account by running:
google-authenticator
- Enable 2FA for SSH by editing the
/etc/pam.d/sshd
file and adding:
auth required pam_google_authenticator.so
- Also, update the
/etc/ssh/sshd_config
file by settingChallengeResponseAuthentication
toyes
and restarting the SSH service.
7. Set Up an Idle Timeout Interval
To reduce the risk of unauthorized access from an unattended session, configure an idle timeout. This ensures that if a session is left open and idle for too long, it will automatically be closed.
- In the SSH configuration file (
/etc/ssh/sshd_config
), add or modify these lines:
ClientAliveInterval 300
ClientAliveCountMax 0
This will terminate idle sessions after 5 minutes (300 seconds) of inactivity.
8. Disable SSH for Unnecessary Users
You can restrict SSH access to only necessary users, reducing the attack surface. To do this, add the AllowUsers
directive in the SSH configuration file, specifying the users allowed to access the server:
AllowUsers user1 user2
Restart SSH after making changes.
Conclusion
Securing your SSH access is an essential step in protecting your Linux server from unauthorized access and attacks. By disabling root login, using SSH keys, changing default ports, and implementing tools like Fail2ban and 2FA, you can significantly enhance your server’s security. Regularly review your server’s security settings to stay protected against evolving threats.
At Jashore Colo, we prioritize the security of your infrastructure. Whether you manage your own Linux servers or utilize our colocation services, we’re here to provide the tools and support you need to maintain a secure environment.
Traga
Collaboratively empower multifunctional e-commerce for prospective applications. Seamlessly productivate plug and play markets.
Traga
Collaboratively empower multifunctional e-commerce for prospective applications. Seamlessly plug and play.
Traga
Collaboratively empower multifunctional e-commerce for prospective applications. Seamlessly productivate plug and play mosque.