How to Secure SSH in Linux

In this article from the Security Tutorials, we show you how to secure an SSH server in Linux.

SSH stands for Secure Shell. It is a protocol designed for establishing an encrypted and authenticated connection between a client and a server, so that commands and data can be exchanged without being read or altered on the way.

For more information about SSH, you can check this article about what SSH is and what it does.

How to Secure SSH in Linux

Because an SSH server gives remote shell access to the machine, it is necessary to secure it against brute-force logins, data breaches and other attacks.

You can do this in several ways. Here we show you some of them.

Use a strong username and password

If your SSH server is reachable from the Internet, you will see constant login attempts from attackers. They use many different techniques, from simple brute-force guessing to lists of leaked passwords tried against common usernames such as root or admin, to find a working SSH username and password.

To be safe from these attempts, it's recommended to choose a non-obvious username and a strong password. You can use a password generator to create a long random password and keep it in a password manager.

Change the default SSH port in Linux

The default port of the SSH connection is 22. Changing it does not make the server secure by itself, but it keeps most automated scanners and bots, which only probe port 22, out of your logs. To change the default port, follow these steps:

First, open your /etc/ssh/sshd_config file.

Then, find the Port line, uncomment it by removing the leading "#" and set it to a non-standard port, for example:

Port 30125

Before restarting, allow the new port through your firewall and, on SELinux-enabled systems, register it as an SSH port with SELinux, otherwise sshd will not be able to bind it. Then restart the SSHD service to apply the change with the following command (on Debian and Ubuntu the unit is called ssh instead of sshd):

sudo systemctl restart sshd 

At this point, the SSH server listens on the new port and clients must pass it with the -p option. Keep your current session open and test a new connection on the new port before closing it, so a mistake cannot lock you out.

Disable the root logins in Linux

It's recommended to disable direct root login over SSH and log in with a non-root user instead, elevating to root only when needed. An attacker then has to guess both a username and a password, and every privileged action is tied to a named account.

To do this, log in to your server as root (or as a user with sudo rights) and open the /etc/ssh/sshd_config file.

Find the PermitRootLogin line and change it to:

PermitRootLogin no

After that, restrict logins to the account you want to use by adding a line 'AllowUsers your_username' (several names separated by spaces are allowed). Any user not listed is denied even with the correct password.

When you are finished, save and close the file.

Here you need to restart the SSHD service to apply the changes:

sudo systemctl restart sshd 

Next, before closing the root session, open a new terminal and check that you can log in with the user you selected. When that user needs root privileges, use 'sudo' or switch to root with the 'su' command.

Use SSH keys instead of passwords

Instead of relying on a strong password alone, it's better to authenticate with SSH keys. A private key is far too long to guess and never leaves the client, so once keys are in place you can turn password authentication off entirely.

An SSH key pair consists of two cryptographically linked keys: a private key, which stays on the client and must be kept secret, and a public key, which is installed in the user's ~/.ssh/authorized_keys file on the server. The client authenticates by proving that it holds the private key.

You can follow this article about how to generate SSH key pairs in Linux to set them up. Once key login works, set 'PasswordAuthentication no' in sshd_config so that passwords are no longer accepted at all.

Disable Empty passwords

Linux allows accounts to have an empty password, and letting such accounts log in over SSH exposes your server to trivial attacks.

To disable empty passwords, open the sshd_config file. Then, find the PermitEmptyPasswords line and change it to:

PermitEmptyPasswords no

To apply the change, restart SSHD:

sudo systemctl restart sshd 

Configure Idle Timeout Interval

You can set a client-alive timeout so that dead or abandoned connections are closed instead of staying open indefinitely.

Open your /etc/ssh/sshd_config file and add the following lines:

ClientAliveInterval 360 
ClientAliveCountMax 1

With ClientAliveInterval 360, the server sends a keep-alive request to the client every 360 seconds; ClientAliveCountMax is the number of requests that may go unanswered before the connection is dropped. Do not set it to 0: since OpenSSH 8.2 a value of 0 disables the check altogether. Note that this only catches clients that stop responding (a crashed client or a lost network link); a client that is still connected but idle answers the requests and stays logged in, so to log out idle users you also need a shell timeout such as the TMOUT variable.

Use SSH protocol 2 in Linux

The SSH server can speak two protocol versions. Protocol 1 is old and has known cryptographic weaknesses; protocol 2 is the current, secure version. OpenSSH removed server support for protocol 1 in version 7.4, so on any current distribution only protocol 2 exists and newer versions ignore the Protocol keyword with a deprecation warning. This step is only needed on old servers.

Note: If you are looking for your server to become PCI compliant, then you must disable protocol 1.

To do this, open your /etc/ssh/sshd_config file, find the Protocol line, uncomment it by removing the leading "#" and change it to:

Protocol 2

Then, restart the SSHD service to apply the change:

sudo systemctl restart sshd 
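All of the sections above (non-default port, no root login, AllowUsers, key-only login, no empty passwords, client-alive timeout) edit the same sshd_config. Here is an added example script that is not part of the original article: it writes those settings to a drop-in file, audits the result, validates the full configuration with sshd -t and only then restarts the service. It assumes a current OpenSSH whose sshd_config contains the Include /etc/ssh/sshd_config.d/*.conf line (as Debian, Ubuntu and RHEL ship it); the port 30125, the user name alice and the drop-in file name are placeholders.

```shell
#!/bin/sh
# Added example, not from the original article. Writes the hardened sshd
# settings discussed above into one drop-in file, validates the effective
# configuration and restarts sshd only if validation passes.
# Assumptions: OpenSSH reads /etc/ssh/sshd_config.d/*.conf through an Include
# line placed before other directives (sshd keeps the FIRST value it sees for
# a keyword, so the drop-in must be included early); 30125 and "alice" are
# placeholders. Set HARDEN_SSHD_APPLY=1 to actually apply.
set -eu

# render_hardening_config PATH PORT USER
# Keeping the settings in a drop-in instead of editing sshd_config directly
# means a package upgrade cannot silently revert them.
render_hardening_config() {
    out=$1; port=$2; user=$3
    cat >"$out" <<EOF
# Generated by harden_sshd.sh
Port $port
PermitRootLogin no
AllowUsers $user
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
# Drop clients that fail to answer a keep-alive probe (sent every 360 s).
# ClientAliveCountMax 0 would disable the check on OpenSSH 8.2 and later.
ClientAliveInterval 360
ClientAliveCountMax 1
EOF
}

# audit_sshd_config PATH
# Returns 0 when every required directive carries the expected value and the
# port is not the default, 1 otherwise, printing each weak or missing directive.
# Works on the generated drop-in and on any existing sshd_config.
audit_sshd_config() {
    cfg=$1; rc=0
    for want in "PermitRootLogin no" "PasswordAuthentication no" \
                "PermitEmptyPasswords no" "PubkeyAuthentication yes"; do
        key=${want%% *}
        # Keywords are case-insensitive; the first occurrence is the one sshd uses.
        got=$(awk -v k="$key" 'tolower($1)==tolower(k) {print $2; exit}' "$cfg")
        if [ "$got" != "${want#* }" ]; then
            echo "WEAK: $key is '${got:-unset}', want '${want#* }'"
            rc=1
        fi
    done
    port=$(awk 'tolower($1)=="port" {print $2; exit}' "$cfg")
    if [ -z "$port" ] || [ "$port" = 22 ]; then
        echo "WEAK: Port is '${port:-unset}' (default 22)"
        rc=1
    fi
    return $rc
}

# apply_hardening [PORT] [USER]
apply_hardening() {
    drop=/etc/ssh/sshd_config.d/99-hardening.conf
    render_hardening_config "$drop" "${1:-30125}" "${2:-alice}"
    audit_sshd_config "$drop"   # set -e stops here if the drop-in is weak
    # Validate the whole effective configuration before restarting; a typo
    # would otherwise leave sshd unable to start and lock you out.
    sshd -t
    # Debian/Ubuntu name the unit "ssh", RHEL/Fedora "sshd".
    systemctl restart ssh 2>/dev/null || systemctl restart sshd
}

if [ "${HARDEN_SSHD_APPLY:-0}" = 1 ]; then
    apply_hardening "$@"
fi
```

Run it as root with HARDEN_SSHD_APPLY=1 from a session you keep open, and verify a fresh key-based login on the new port before logging out. Because sshd uses the first value it reads for a keyword, audit_sshd_config deliberately looks at the first occurrence too, so you can point it at /etc/ssh/sshd_config to see whether an earlier line is overriding your drop-in.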

Allow only specific clients

To allow only specific clients, add a rule to your router or to iptables on the server so that the SSH port is reachable only from a trusted IP address. With iptables, assuming a default DROP policy on the INPUT chain (and a rule above this one that accepts ESTABLISHED,RELATED traffic, so that your existing session survives), the following command accepts SSH from a single address; replace YourIP with your management address:

iptables -A INPUT -p tcp -s YourIP --dport 22 -j ACCEPT

If the SSH port must stay open to the world, iptables can still slow down brute-force attacks by logging and blocking repeated connection attempts from the same IP address, using the "recent" match. The first rule records every new connection to port 22 under the list name "ssh"; it has no target, so the packet continues down the chain:

iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name ssh --rsource

The following rule checks whether that IP address has already opened three or more new connections within the last 90 seconds. If it has not, the packet is accepted; if it has, the rule does not match and the packet falls through to the chain's default policy, which must therefore be DROP for this to work. Since every new attempt refreshes the entry through the first rule, a blocked address stays blocked until it has been quiet for 90 seconds.

iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent ! --rcheck --seconds 90 --hitcount 3 --name ssh --rsource -j ACCEPT

Filtering at the firewall is a useful way to secure an SSH server in Linux. Keep in mind that these rules count connections, not failed logins: an attacker can still try several passwords inside one connection, which is why key-only authentication remains the more important control.
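The two firewall setups above, as an added example that is not part of the original article: a complete INPUT-chain script with an "allowlist" mode (SSH reachable from one management network only) and a "ratelimit" mode (SSH open to all, but a source that opens three new connections within 90 seconds is dropped and logged). It uses the conntrack match, the current equivalent of the -m state match shown above, and adds the loopback and ESTABLISHED,RELATED rules the DROP policy needs. The management network 192.0.2.10/32, port 22 and the log prefix are placeholders; set IPT=echo to print the rules instead of loading them.

```shell
#!/bin/sh
# Added example, not from the original article. Builds a DROP-by-default
# INPUT chain for SSH in one of two modes. Assumptions: 192.0.2.10/32 is a
# placeholder management address, SSH listens on 22, and iptables with the
# conntrack, recent and limit matches is available. IPT=echo prints the
# rules instead of loading them; SSH_FW_APPLY=1 is required to run at all.
set -eu
IPT=${IPT:-iptables}
SSH_PORT=${SSH_PORT:-22}
ADMIN_NET=${ADMIN_NET:-192.0.2.10/32}

# Rules every DROP-by-default INPUT chain needs first; without the
# ESTABLISHED,RELATED rule, packets of sessions that are already open
# (including the one you are typing in) would be dropped as well.
base_rules() {
    $IPT -F INPUT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
}

# Mode 1: SSH reachable from ADMIN_NET only; everyone else hits the DROP policy.
ssh_allowlist_rules() {
    $IPT -A INPUT -p tcp -s "$ADMIN_NET" --dport "$SSH_PORT" \
        -m conntrack --ctstate NEW -j ACCEPT
}

# Mode 2: SSH open to all, rate-limited per source with the "recent" match.
# Rule 1 has no target: it records (or refreshes) the source in the list
# "ssh" and lets the packet continue. Rule 2 accepts unless the source already
# has 3 hits in the last 90 s, so the third new connection within 90 s is
# dropped, and because rule 1 keeps refreshing the entry the source stays
# blocked until it has been quiet for 90 s. Rule 3 logs what is about to be
# dropped, throttled so a flood cannot fill the log.
ssh_ratelimit_rules() {
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW \
        -m recent --set --name ssh --rsource
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW \
        -m recent ! --rcheck --seconds 90 --hitcount 3 --name ssh --rsource \
        -j ACCEPT
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW \
        -m limit --limit 5/min -j LOG --log-prefix "ssh-ratelimit drop: "
}

# load_ssh_rules MODE: installs the rules. The DROP policy is set LAST so the
# accept rules are already in place when it starts to apply.
load_ssh_rules() {
    mode=${1:-ratelimit}
    case "$mode" in
        allowlist) base_rules; ssh_allowlist_rules ;;
        ratelimit) base_rules; ssh_ratelimit_rules ;;
        *) echo "usage: $0 allowlist|ratelimit" >&2; return 2 ;;
    esac
    $IPT -P INPUT DROP
}

if [ "${SSH_FW_APPLY:-0}" = 1 ]; then
    load_ssh_rules "${1:-ratelimit}"
fi
```

Review the output of IPT=echo SSH_FW_APPLY=1 sh ssh-firewall.sh ratelimit before loading it for real, and load it from a console or a session you can afford to lose. If you moved sshd to another port, set SSH_PORT to match, otherwise the DROP policy blocks the port you actually use.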

Conclusion

At this point, you have learned several ways to secure an SSH server: strong credentials, a non-default port, no root login, key-based authentication, no empty passwords, a client-alive timeout, protocol 2 only and firewall filtering.

I hope you enjoyed this article about how to secure SSH in Linux. Stay safe.
