Securing your Self-Managed Linux OpenSSH Server
When it comes to securing your OpenSSH server, there are several recommended methods. These include the following:
- Modify the SSH Port
- Restrict SSH by IP address
- Disable SSH password authentication
- Disable root SSH login
Note: Depending on the level of security that you need, you can implement a combination of the methods outlined.
Modify The SSH Port
Modifying the SSH port does little more than obscure the SSH service; however, it can still help, because external brute-force attacks typically look for the default port of 22.
Ubuntu
Using the text editor of your choice, edit:
/etc/ssh/sshd_config
Locate the line beginning with Port and update it with a port of your choosing that is not already used by another service. Make sure the line is uncommented. If you are in our relaxed firewall group, use any available port. If you have not requested this change, you can use 4739:
Port 4739
Save the configuration change. Next, allow the port you set through the default Ubuntu firewall, ufw:
sudo ufw allow 4739
sudo ufw reload
Then restart the SSH daemon:
SystemD (Ubuntu 15.04 and newer)
systemctl restart sshd
Init (Prior to Ubuntu 15.04)
service ssh restart
CentOS
Using the text editor of your choice, edit:
/etc/ssh/sshd_config
Locate the line beginning with Port and update it with a port of your choosing that is not already used by another service. Make sure the line is uncommented. If you are in our relaxed firewall group, use any available port. If you have not requested this change, you can use 4739:
Port 4739
Save the configuration change. Next, allow the port you set through the default CentOS firewall, firewalld. The --permanent rule only takes effect after a reload:
sudo firewall-cmd --zone=public --add-port=4739/tcp --permanent
sudo firewall-cmd --reload
If SELinux is enforcing, sshd is only allowed to bind to ports labelled ssh_port_t, so also label the new port before restarting (semanage is provided by the policycoreutils-python package):
sudo semanage port -a -t ssh_port_t -p tcp 4739
Then restart the SSH daemon:
SystemD (CentOS 7 and newer)
systemctl restart sshd
Init (Prior to CentOS 7)
service sshd restart
Debian
Using the text editor of your choice, edit:
/etc/ssh/sshd_config
Locate the line beginning with Port and update it with a port of your choosing that is not already used by another service. Make sure the line is uncommented. If you are in our relaxed firewall group, use any available port. If you have not requested this change, you can use 4739:
Port 4739
Save the configuration change, then restart the SSH daemon:
SystemD (Debian 8 and newer)
systemctl restart sshd
Init (Prior to Debian 8)
service ssh restart
Restrict SSH by IP address
Restricting the IP addresses that are allowed to connect to your SSH server is a highly recommended step in securing your server. Note, however, that users on residential ISPs may find that their public IP address changes, which can lock them out.
Ubuntu/CentOS/Debian
In order to restrict SSH, edit:
/etc/hosts.allow
Add the following to allow multiple IPs:
sshd : 1.1.1.1, 2.2.2.2, 3.3.3.3
Now edit:
/etc/hosts.deny
with the following to deny everyone else from accessing SSH:
sshd: ALL
Disable SSH password authentication
Disabling password authentication is another highly recommended step. When password authentication is disabled, no one can brute-force passwords, because your SSH private key is used for authentication instead. It is highly important that you do NOT make your SSH private key available to anyone else.
The very first step you will want to carry out here is generating an SSH public and private key pair. If you are on Windows, download PuTTY and use PuTTYGen. If you are on a Unix-based system, run the following in your terminal application:
ssh-keygen -t rsa -C "[email protected]"
Ubuntu/CentOS/Debian
First, SSH to your server with your SSH user.
Next, append your SSH public key (the .pub file; never the private key) to the file:
~/.ssh/authorized_keys
Now, edit the SSH config at:
/etc/ssh/sshd_config
Replace this line:
#PasswordAuthentication yes
with the following:
PasswordAuthentication no
Also, find the line beginning with:
#AuthorizedKeysFile
and update with:
AuthorizedKeysFile /home/yourusername/.ssh/authorized_keys
You can repeat the above line and replace yourusername with any other Linux user that needs SSH access. Each of them will need to add their own key to the authorized_keys file in their home directory, as this file is unique to each Linux user. If you are sharing a single Linux/SSH user with multiple people, which is not recommended, you would add all of the SSH public keys to the single file at ~/.ssh/authorized_keys, one key per line.
Disable root SSH login
In general, it is highly recommended to not use the root user. Instead, each person with access to your server should have a unique user. Part of this is disabling remote root SSH access to your server.
Ubuntu/CentOS/Debian
First, SSH to your server with your SSH user.
Now, edit the SSH config at:
/etc/ssh/sshd_config
Replace the line beginning with:
PermitRootLogin yes
with the following:
PermitRootLogin no
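The settings changed in the four sections above are easy to get subtly wrong (an edit left commented out, a duplicate keyword lower in the file that sshd ignores, a hosts.deny rule without a matching hosts.allow entry). The following audit script is an added example written for this page; it is not part of the original article or of OpenSSH. It assumes only POSIX sh, awk and grep, takes file paths as arguments so it can be pointed at a copy of /etc/ssh/sshd_config and the hosts files, and builds its own constructed sample files (the "before" and "after" states of the edits above, with documentation-range addresses) so it runs offline. The function names (effective_value, audit_sshd, audit_wrappers, count_weak, write_samples) are this example's own.

```shell
#!/bin/sh
# Added example, not from the original article: audit sshd_config and the
# TCP-wrapper files for the settings the article tells you to change.
# Assumes POSIX sh, awk and grep only. All function names are this example's own.

# effective_value FILE KEYWORD
# Print the value of the first uncommented KEYWORD outside any Match block,
# or nothing if it is unset. sshd honours the FIRST occurrence of a keyword,
# so a second copy further down the file is silently ignored.
effective_value() {
    awk -v key="$2" '
        /^[[:space:]]*(#|$)/ { next }              # skip comments and blank lines
        tolower($1) == "match" { inmatch = 1 }      # lines after Match are conditional
        inmatch { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# lc STRING: lower-case a value (sshd compares yes/no case-insensitively)
lc() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# audit_sshd FILE
# One line per setting: "WEAK:" for states the article says to fix,
# "WARN:" for a related setting worth checking, "ok:" otherwise.
audit_sshd() {
    cfg=$1

    port=$(effective_value "$cfg" Port)
    if [ -z "$port" ] || [ "$port" = 22 ]; then
        echo "WEAK: Port is the default 22 (brute-force scanners try it first)"
    else
        echo "ok:   Port $port (remember the firewall rule and, on CentOS, the SELinux label)"
    fi

    pw=$(lc "$(effective_value "$cfg" PasswordAuthentication)")
    if [ "$pw" = no ]; then
        echo "ok:   PasswordAuthentication no"
    else
        echo "WEAK: PasswordAuthentication is '${pw:-unset}' (default yes), passwords can be guessed"
    fi

    # PAM keyboard-interactive can still prompt for a password even when
    # PasswordAuthentication is no; check the new and the old keyword name.
    kbd=$(lc "$(effective_value "$cfg" KbdInteractiveAuthentication)")
    [ -n "$kbd" ] || kbd=$(lc "$(effective_value "$cfg" ChallengeResponseAuthentication)")
    if [ "$kbd" != no ]; then
        echo "WARN: KbdInteractive/ChallengeResponseAuthentication is '${kbd:-unset}', PAM may still ask for a password"
    fi

    root=$(lc "$(effective_value "$cfg" PermitRootLogin)")
    if [ "$root" = no ]; then
        echo "ok:   PermitRootLogin no"
    else
        echo "WEAK: PermitRootLogin is '${root:-unset}' (root reachable over SSH)"
    fi
}

# audit_wrappers HOSTS_ALLOW HOSTS_DENY
# The allow list only restricts anything if hosts.deny closes the door for
# everyone else, and the deny rule locks everyone out if hosts.allow is empty.
audit_wrappers() {
    if grep -Eq '^[[:space:]]*sshd[[:space:]]*:' "$1"; then
        echo "ok:   $1 has an sshd allow list"
    else
        echo "WARN: $1 has no sshd entry, so a deny-all rule would lock everyone out"
    fi
    if grep -Eq '^[[:space:]]*(sshd|ALL)[[:space:]]*:[[:space:]]*ALL' "$2"; then
        echo "ok:   $2 denies sshd to everyone not listed in hosts.allow"
    else
        echo "WEAK: $2 does not deny sshd by default"
    fi
}

# count_weak FILE: number of WEAK findings for an sshd_config
count_weak() { audit_sshd "$1" | awk '/^WEAK/ { n++ } END { print n + 0 }'; }

# write_samples DIR: constructed sample files (not from any real server)
# mirroring the article's "before" and "after" states.
write_samples() {
    printf '%s\n' '#Port 22' '#PasswordAuthentication yes' \
        '#AuthorizedKeysFile .ssh/authorized_keys' 'PermitRootLogin yes' > "$1/before"
    printf '%s\n' 'Port 4739' 'PasswordAuthentication no' \
        'ChallengeResponseAuthentication no' 'PermitRootLogin no' \
        'AuthorizedKeysFile .ssh/authorized_keys' > "$1/after"
    printf 'sshd : 192.0.2.10, 192.0.2.11\n' > "$1/hosts.allow"
    printf 'sshd: ALL\n' > "$1/hosts.deny"
}

demo() {
    tmp=$(mktemp -d); write_samples "$tmp"
    echo "== before"; audit_sshd "$tmp/before"
    echo "== after";  audit_sshd "$tmp/after"; audit_wrappers "$tmp/hosts.allow" "$tmp/hosts.deny"
    rm -r "$tmp"
}
demo
```

Run it as `sh audit.sh` for the built-in demo, or source it and call `audit_sshd /etc/ssh/sshd_config` and `audit_wrappers /etc/hosts.allow /etc/hosts.deny` on a live system. Two practical notes: always validate with `sudo sshd -t` before restarting the daemon, and keep an existing session open until a new login on the changed port succeeds. Also be aware that upstream OpenSSH removed TCP-wrappers support in version 6.7; if `ldd "$(command -v sshd)"` shows no libwrap, the hosts.allow/hosts.deny entries have no effect on sshd, and the IP restriction should instead be done in the firewall or with a `Match Address` block in sshd_config.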