SSH refers to Secure Shells that helps in operating network services like remote login to the server, file transfer, and other servers related operation securely over an insecure or secure network.
The SSH default configuration is not enough to harden the SSH channel; we need to configure the additional setting to enhance its security at full.
Here at Ibmi Media, as part of our Server Management Services, we regularly help our Customers to perform related SSH queries.
In this context, we shall look into different methods of securing your ssh server.
As the root user has access to the entire services in the server and it's better not to risk the system allowing remote root login. It might be way too vulnerable if the password is exposed while using a brute-force attack or other hacking tool. So it is best practice to disable remote root login and stick with the regular user.
To disable the remote root login, open the sshd_config file:
$ sudo vim /etc/ssh/sshd_config
Then, set "PermitRootLogin" to no
This will Disable ssh root user login.
Some Linux distributions will create users without passwords so it might be vulnerable to permit ssh connection with empty passwords for remote access. So in order to disable this service we need to set "PermitEmptyPasswords" to no in the sshd_config file:
This will Disable empty password login.
It is highly recommended to use public key-based authentication as the SSH server supports different authentication processes. The hacker attempts different hacking tools to crack down the password using various methods like brute force attack. To prevent it from happening we use public key-based authentication.
First, we need to generate a public key and private key using the ssh-keygen command. To generate the key execute the following command. In the process you will be asked where to generate the ssh key, hit enter if you want to continue with the default. Then you will be asked a passphrase that refers to the password to your ssh key, uses a strong password that is the composition of a special character, alphabet, and numbers. Once the password is set your ssh key will be generated on .ssh dir in your home directory:
$ ssh-keygen -t rsa
This will generate ssh key pairs.
Before uploading public key, make sure you have .ssh dir in your remote server if not create one in your home dir then upload your public ssh key to the server using the following command:
$ cat .ssh/id_rsa.pub | ssh ubuntu@server 'cat >> .ssh/authorized_keys'
This will upload the public key to the server.
Now you can login as user ubuntu using public key over ssh protocol.
It is highly recommended to use ssh public key authentication for remote access to the server as passwords can be exposed through brute force attacks if a strong password is not used. To disable password authentication from the SSH server set the "PasswordAuthentication" value to no:
By default, SSH runs on port 22 in the system. If we change the SSH standard port it might add an extra layer of security by avoiding unusual traffic to the open port. So, to change the port no simple, open the sshd_config file and set your desirable unused port number in the port section.
The SSH server allows all the users to the server remotely but we can override the default setting and set only specific users to allow or deny remote access over SSH protocol. In a simple way having remote access to all system users login creating a possible way for the hacker to access our system.
To allow the specific users to login over SSH, add the following line in the sshd_config.
AllowUsers user1 user2 ubuntu
And similarly, you can restrict specific user and allow other to access over SSH by adding the following line of code.
DenyUsers root user3 user4
Usually, people often use simple passwords for their login like 123456, something123, so that they can remember passwords easily. This is why a brute force attack works perfectly as it goes dictionary wise to attempt the password check. So, to avoid that we must use a password containing special characters, uppercase and lowercase alphabet, numbers, and a minimum password length of 8 characters long.
1. Configure Idle Timeout Interval
Users often keep their SSH connection idle for a longer period so it will be high risk if someone tries to take over your SSH session and do as they like when users are not present at the moment. So we can set our login session timeout after a certain period of inactivity so that we need to re-login on session timeout. To set the idle timeout we need to set the "ClientAliveInterval" value in the sshd_config file. In the following example, we have set the timeout value 360 which is 6 minutes:
2. Use SSH Protocol 2
SSH has two variants of protocol SSH protocol 1 and SSH protocol 2, protocol 1 is the system default which is less secure than protocol 2 as protocol 2 applies bulk encryption, robust algorithms, and cryptographic checks. To switch to protocol 2 we need to add the following line in the sshd_config file:
3. Configure a Limit for Password Attempts
We can limit the number of password attempts to ssh login so after a limited number of attempts the connection will drop which will add an extra layer of security that prevents the system from the bot attack. To achieve this we need to set the "MaxAuthTries" directive value. Here, we have set its limit for 4 attempts:
This will Limit the ssh login attempt.
4. Disable Tunneling and Port Forwarding
If you won't be using tunneling and port forwarding service its is better to keep it disabled as a hacker might use these services to break through your system. To achieve it set the following directive value to no:
Finally, after everything is set up don't forget to restart your ssh server to apply the changes:
$ sudo systemctl restart ssh
This article covers methods of hardening SSH servers that help to avoid different security risks. With the advancements in technology, many business processes we carry out today heavily relies on the internet, online tools and connected devices. That is why taking the necessary precautions to ensure the network security has utmost importance. If an organization fails to secure their network, they are open to cyber attacks which can result in data breaches, losing digital assets, losing business and even going out of business.
How to secure SSH ?
If you want to make sure that your SSH server is impenetrable and secure, you should follow the steps below: