How-To Guides & Tutorials

How to Harden Your Production SSH Server for Maximum Security


Sun Mar 31 2024

SSH (Secure Shell) is the lifeline for remote administration of Linux servers. However, it's also a prime target for attackers. Securing your SSH setup is paramount to maintaining the integrity and confidentiality of your system. Let's transform your basic instructions into a powerhouse of SSH security knowledge!

The Bedrock: Accessing Your SSH Configuration

Your SSH configuration file, typically located at /etc/ssh/sshd_config, is the command center for SSH security. Open it with root privileges using your editor of choice:

1sudo nano /etc/ssh/sshd_config

Enforce Modern Security: SSH Protocol 2

Ditch the outdated SSH Protocol 1! Mandate the use of the more secure Protocol 2:

1protocol 2

Obscure Your Port: Change the Default

Automated bots relentlessly scan port 22 (the default SSH port). Camouflage your SSH server by choosing an uncommon high-numbered port (within 1024-65535):

# Replace with your chosen port

1Port 38521 
# Don't Forget: Update your firewall rules to allow connections on this new port.

Shut the Door on Root Logins

Direct root logins via SSH are a major vulnerability. Disable them decisively:

1PermitRootLogin no

Best Practice: Create a regular user account and use sudo for administrative tasks once connected.

The Gold Standard: Public Key Authentication

Passwords are inherently less secure than SSH keys. Enable key-based authentication

1PubkeyAuthentication yes

1PasswordAuthentication no

Key Generation: If you haven't already, generate an SSH key pair on your client machine using the ssh-keygen command. Securely transfer your public key to the server.

Control Access: AllowUsers and AllowGroups

Fine-tune who can connect. Restrict SSH access to specific users or groups:

1AllowUsers john_admin sarah_dev

1AllowGroups sysadmins

Defense in Depth: Additional Safeguards

  • Fail2Ban: This service automatically bans IP addresses after multiple failed login attempts, thwarting brute-force attacks.
  • Idle Timeouts: Disconnect idle sessions to prevent misuse (ClientAliveInterval and ClientAliveCountMax).
  • X11 Forwarding: Disable unless absolutely required (X11Forwarding no).
  • Rate Limiting: Restrict the number of concurrent SSH connections.
  • Log Monitoring: Regularly review SSH logs for suspicious activity.

Apply and Reload: Restart the SSH Service

For your changes to take effect, restart SSH:

1sudo systemctl restart sshd

Important Reminders

  • Test Thoroughly! Before logging out, open a new SSH session to confirm your changes work as expected and you haven't locked yourself out.
  • Stay Updated: Regularly update your OpenSSH package to benefit from the latest security fixes.

You've done it! Your SSH server is now fortified against common attack vectors. Remember, security is an ongoing process. Stay informed and revisit your SSH configuration periodically to ensure it maintains its robust defenses. If you still need help get in touch for a free technical consultation.

Or chat with our experts on whatsApp +23414536000