LRISP

How to Secure Your SSH Access: Best Practices for Enhanced Server Protection

  • Home
  • Colocation
  • How to Secure Your SSH Access: Best Practices for Enhanced Server Protection

Securing SSH (Secure Shell) access is crucial for protecting your Linux server from unauthorized login attempts and potential breaches. As SSH is commonly used for remote server management, it’s often targeted by attackers. By following these best practices, you can significantly enhance the security of your SSH access and safeguard your server.

1. Disable Root Login

By default, root access via SSH is enabled, which presents a high-security risk. Disabling root login forces users to log in with a less privileged account and then switch to root using sudo. This helps prevent brute force attacks directly targeting the root account.

  • To disable root login, edit the SSH configuration file:
  sudo nano /etc/ssh/sshd_config
  • Find the line PermitRootLogin yes and change it to:
  PermitRootLogin no
  • Save the changes and restart the SSH service:
  sudo systemctl restart ssh

2. Use SSH Key Authentication

Password-based authentication is vulnerable to brute force attacks. Replacing it with SSH key-based authentication adds a stronger layer of security. SSH keys are cryptographic keys that provide a more secure login method.

  • Generate an SSH key pair on your local machine:
  ssh-keygen -t rsa
  • Copy the public key to your server:
  ssh-copy-id user@server_ip
  • Once the key is installed, disable password authentication. Edit the /etc/ssh/sshd_config file:
  PasswordAuthentication no
  • Restart the SSH service:
  sudo systemctl restart ssh

3. Change the Default SSH Port

Changing the default SSH port from 22 to a custom, non-standard port can reduce the number of automated attacks on your server. While this doesn’t provide complete protection, it adds an extra layer of obscurity.

  • Edit the SSH configuration file:
  sudo nano /etc/ssh/sshd_config
  • Locate the line Port 22 and change it to a custom port (e.g., 2244):
  Port 2244
  • After saving, restart the SSH service:
  sudo systemctl restart ssh

Make sure to update your firewall rules to allow traffic on the new port.

4. Limit SSH Access by IP Address

Limiting SSH access to specific IP addresses or IP ranges prevents unauthorized users from even attempting to connect to your server. You can configure this restriction using your server’s firewall.

  • For UFW (Uncomplicated Firewall), use:
  sudo ufw allow from your_ip_address to any port 2244
  • For iptables, the command would be:
  sudo iptables -A INPUT -p tcp -s your_ip_address --dport 2244 -j ACCEPT

This approach is particularly useful for servers that are accessed from a consistent location, such as a corporate office or a trusted VPN.

5. Implement Fail2ban

Fail2ban is a useful security tool that automatically blocks IP addresses showing signs of malicious activity, such as multiple failed login attempts. This helps protect against brute force attacks.

  • Install Fail2ban:
  sudo apt-get install fail2ban
  • Create a custom configuration file:
  sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
  • Configure Fail2ban to monitor SSH attempts by adding or modifying the following section in /etc/fail2ban/jail.local:
  [sshd]
  enabled = true
  port = 2244
  logpath = /var/log/auth.log
  maxretry = 5
  • Restart the Fail2ban service:
  sudo systemctl restart fail2ban

6. Use Two-Factor Authentication (2FA)

For additional security, you can enable two-factor authentication (2FA) for SSH access. This requires users to enter both their password (or SSH key) and a one-time code generated by a 2FA app, adding another layer of protection.

  • Install Google Authenticator:
  sudo apt-get install libpam-google-authenticator
  • Configure 2FA for your user account by running:
  google-authenticator
  • Enable 2FA for SSH by editing the /etc/pam.d/sshd file and adding:
  auth required pam_google_authenticator.so
  • Also, update the /etc/ssh/sshd_config file by setting ChallengeResponseAuthentication to yes and restarting the SSH service.

7. Set Up an Idle Timeout Interval

To reduce the risk of unauthorized access from an unattended session, configure an idle timeout. This ensures that if a session is left open and idle for too long, it will automatically be closed.

  • In the SSH configuration file (/etc/ssh/sshd_config), add or modify these lines:
  ClientAliveInterval 300
  ClientAliveCountMax 0

This will terminate idle sessions after 5 minutes (300 seconds) of inactivity.

8. Disable SSH for Unnecessary Users

You can restrict SSH access to only necessary users, reducing the attack surface. To do this, add the AllowUsers directive in the SSH configuration file, specifying the users allowed to access the server:

AllowUsers user1 user2

Restart SSH after making changes.

Conclusion

Securing your SSH access is an essential step in protecting your Linux server from unauthorized access and attacks. By disabling root login, using SSH keys, changing default ports, and implementing tools like Fail2ban and 2FA, you can significantly enhance your server’s security. Regularly review your server’s security settings to stay protected against evolving threats.

At Jashore Colo, we prioritize the security of your infrastructure. Whether you manage your own Linux servers or utilize our colocation services, we’re here to provide the tools and support you need to maintain a secure environment.


Comments (3)

  • February 13, 2023

    Traga

    Collaboratively empower multifunctional e-commerce for prospective applications. Seamlessly productivate plug and play markets.

    • February 13, 2023

      Traga

      Collaboratively empower multifunctional e-commerce for prospective applications. Seamlessly plug and play.

  • February 13, 2023

    Traga

    Collaboratively empower multifunctional e-commerce for prospective applications. Seamlessly productivate plug and play mosque.

Leave A Comment

Your email address will not be published. Required fields are marked *