SSH is a widely-used protocol used for accessing Linux servers securely. Most users use SSH connections with default settings to connect to a remote server. However, the unsecured default configurations also pose various security risks.
The root account of a server with open SSH access may be at risk. And especially if you are using a public IP address, it is much easier to hack the root password. Therefore, it is necessary to have knowledge about SSH security.
Here’s how you can secure your SSH server connections on Linux.
1. Disable Root User Logins
For this, first, disable the root user’s SSH access and create a new user with root privileges. Turning off server access for the root user is a defense strategy that prevents attackers from achieving their goal of intruding into the system. For example, you can create a user named exampleroot as follows:
useradd -m exampleroot
usermod -aG sudo exampleroot
Here’s a brief explanation of the aforementioned commands:
- useradd creates a new user and the -m parameter creates a folder under the home directory for the user you created.
- The passwd command is for assigning a password to the new user. Remember that passwords you assign to the users should be complex and difficult to guess.
- usermod -aG sudo adds the newly-created user to the admin group.
After the user creation process, it is necessary to make some changes to the sshd_config file. You can find this file at /etc/ssh/sshd_config. Open the file with any text editor and make the following changes it:
PermitRootLogin line will prevent the root user from gaining remote access using SSH. Including exampleroot in the AllowUsers list grants necessary permissions to the user.
Finally, restart the SSH service using the following command:
sudo systemctl restart ssh
If that fails and you receive an error message, try the command below. This may differ based on the Linux distro you use.
sudo systemctl restart sshd
2. Changing the Default Port
The default SSH connection port is 22. Of course, all attackers know this and therefore, it is necessary to change the default port number to ensure SSH security. Although an attacker can easily find the new port number with a Nmap scan, the goal here is to make the attacker’s job more difficult.
To change the port number, open /etc/ssh/sshd_config and make the following changes to the file:
After this step, restart the SSH service again with sudo systemctl restart ssh. Now you can access your server using the port you just defined. If you are using a firewall, you must make the necessary rule changes there as well. On running the netstat -tlpn command, you can see that your port number for SSH has changed.
3. Block Access for Users With Blank Passwords
There may be users without passwords on your system that you might’ve created accidentally. To prevent such users from accessing the servers, you can set the PermitEmptyPasswords line value in the sshd_config file to no.
4. Limit Login/Access Attempts
By default, you can access the server by making as many password attempts as you want. However, attackers can use this vulnerability to brute-force the server. You can automatically terminate the SSH connection after a certain number of attempts by specifying the number of permitted password attempts.
For this, change the MaxAuthTries value in the sshd_config file.
5. Using SSH Version 2
The second version of SSH was released because of the many vulnerabilities in the first version. By default, you can enable the server to use the second version by adding the Protocol parameter to your sshd_config file. This way, all your future connections will use the second version of SSH.
6. Turning Off TCP Port Forwarding and X11 Forwarding
Attackers can try to gain access to your other systems by port forwarding through SSH connections. To prevent this, you can turn off the AllowTcpForwarding and X11Forwarding features in the sshd_config file.
7. Connecting With an SSH Key
One of the most secure ways to connect to your server is to use an SSH Key. When you use an SSH Key, you can access the server without a password. In addition, you can completely turn off password access to the server by changing the password-related parameters in the sshd_config file.
When you create an SSH Key, there are two keys: Public and Private. The public key is uploaded to the server you want to connect to and the private key is stored on the computer using which you will establish the connection.
Create an SSH key with the ssh-keygen command on your computer. Do not leave the Passphrase field blank and remember the password you entered here. If you leave it blank, you will only be able to access it with the SSH key file. However, if you set a password, you can prevent an attacker with the key file from accessing it. As an example, you can create an SSH key with the following command:
8. IP Restrictions for SSH Connections
Most of the time, the firewall blocks access using frameworks of its own standards and aims to protect the server. However, this is not always enough and you need to increase this security potential.
To do this, open the /etc/hosts.allow file. With the additions you make to this file, you can restrict the SSH permission, allow a specific IP block, or enter a single IP and block all remaining IP addresses with the deny command.
Below you will see some sample settings. After doing these, restart the SSH service as usual to save the changes.
The Importance of Linux Server Security
Data and data security issues are quite detailed and should be considered by all server administrators. Server security is a very sensitive issue as the main focus of attacks is web servers, and they contain almost all information about a system. Since most servers run on the Linux infrastructure, it is very important to be familiar with the Linux system and server administration.
SSH security is just one of the ways to protect servers. It is possible to minimize the damage you take by stopping, blocking, or slowing an attack. Apart from providing SSH security, there are many different methods you can implement to secure your Linux servers.