Self-Managed Linux Server SSH Security Recommendations

ssh
linux

#1

Securing your Self-Managed Linux OpenSSH Server

When it comes to securing your OpenSSH server, there are several recommended methods. This includes the following:

  • Modify the SSH Port
  • Restrict SSH by IP address
  • Disable SSH password authentication
  • Disable root SSH login

Note: Depending on the level of security that you need, you can implement a combination of the methods outlined.

Modify The SSH Port

Modifying the SSH port does little more than obscure the SSH service, however, it can help because external brute force attacks typically look for the default port of 22.

Ubuntu

Using the text editor of your choice, edit:

/etc/ssh/sshd_config

Locate the line beginning with Port and update with a port of your choosing that is not being consumed by any other service. Make sure the line is uncommented. If you are in our relaxed firewall group, use any available port. If you have not requested this change, you can use 4739:

Port 4739

Save the configuration change. Next, allow the port you set through the default Ubuntu firewall, ufw:

sudo ufw allow 4739
sudo ufw reload

Then restart the SSH daemon:

SystemD (Ubuntu 15.04 and newer)

systemctl restart sshd

Init (Prior to Ubuntu 15.04)

service sshd restart

CentOS

Using the text editor of your choice, edit:

/etc/ssh/sshd_config

Locate the line beginning with Port and update with a port of your choosing that is not being consumed by any other service. Make sure the line is uncommented. If you are in our relaxed firewall group, use any available port. If you have not requested this change, you can use 4739:

Port 4739

Save the configuration change. Next, allow the port you set through the default CentOS firewall, firewalld:

sudo firewall-cmd --zone=public --add-port=4739/tcp --permanent

Then restart the SSH daemon:

SystemD (CentOS 7 and newer)

systemctl restart sshd

Init (Prior to CentOS 7)

service sshd restart

Debian

Using the text editor of your choice, edit:

/etc/ssh/sshd_config

Locate the line beginning with Port and update with a port of your choosing that is not being consumed by any other service. Make sure the line is uncommented. If you are in our relaxed firewall group, use any available port. If you have not requested this change, you can use 4739:

Port 4739

Save the configuration change and restart the ssh service.

Then restart the SSH daemon:

SystemD (Debian 8 and newer)

systemctl restart sshd

Init (Prior to Debian 8)

service sshd restart

Restrict SSH by IP address

Restricting IP addresses that are allowed to connect to your SSH server is a highly recommended step to securing your server. One thing to note, however, is those with residential ISPs may find that their public IP changes and can cause problems.

Ubuntu/CentOS/Debian

In order to restrict SSH, edit:

/etc/hosts.allow

Add the following to allow multiple IPs:

sshd : 1.1.1.1, 2.2.2.2, 3.3.3.3

Now edit:

/etc/hosts.deny

with the following to deny everyone else from accessing SSH:

sshd: ALL

Disable SSH password authentication

Disabling password authentication is another highly recommended step. When password authentication is disabled, no one can brute force passwords because your SSH private key is utilized for authentication. It’s highly important that you do NOT make your SSH private key available to anyone else.

The very first step you will want to carry out here is generating an SSH public and private key pair. If you are on Windows, download PuTTY and use PuTTYGen. If you are on a Unix based system, run the following in your terminal application:

ssh-keygen -t rsa -C "[email protected]"

Ubuntu/CentOS/Debian

First, SSH to your server with your SSH user.

Next, upload your SSH private key to a file called:

~/.ssh/authorized_keys

Now, edit the SSH config at:

/etc/ssh/sshd_config

Replace this line:

#PasswordAuthentication yes

with the following:

PasswordAuthentication no

Also, find the line beginning with:

#AuthorizedKeysFile

and update with:

AuthorizedKeysFile /yourusername/.ssh/authorized_keys

You can repeat the above line and replace yourusername with any other Linux user that needs SSH access. They will need to update the authorized_keys file in their user path with their own key, however, as this is unique to each Linux user. If you are sharing a single Linux/SSH user with multiple people, which is not recommended, you would upload all SSH keys to the single file at ~/.ssh/authorized_keys new line delimited as indicated above.

Disable root SSH login

In general, it is highly recommended to not use the root user. Instead, each person with access to your server should have a unique user. Part of this is disabling remote root SSH access to your server.

Ubuntu/CentOS/Debian

First, SSH to your server with your SSH user.

Now, edit the SSH config at:

/etc/ssh/sshd_config

Replace the line beginning with:

PermitRootLogin yes

with the following:

PermitRootLogin no