10 Best Security Practices to Secure SSH Server in Linux
SSH is a TCP-based secure network connection protocol that is used for secure remote access to Linux servers. Users encrypt the remote connection to the server using the SSH protocol settings to improve the security of the communication between the server and the client in a public and insecure network. The Multi-functional SSH protocol is useful for various purposes, but its most important role is the asymmetric encryption of server-client communications, which uses pairs of public and private keys for this task.
The SSH protocol and its features are obvious to everyone, we have already familiarized you with the SSH protocol. most of the users have somehow benefited from SSH protocol features in their connections for the security of communication between the server and the client.
It can be said for sure that if you have purchased a Linux VPS, the first step you should take for the security of the Linux server is to install the SSH service on the Linux VPS because it is one of the most effective and basic security measures that has become a necessity in the insecure world of the Internet. But if security is very important to you, it is not enough to set up the SSH service on a Linux VPS, you must also secure the SSH server with some methods.
Although the SSH protocol tries to establish a secure connection with its capabilities, in the world of the Internet, you cannot rely on guaranteed security and ignore security risks; you must always consider security risks and Implemented security measures for Potential threats.
When connecting to a server via SSH, there may be security risks lurking in the root account of the Linux server. Using a public IP address increases the possibility of hacking and access to the root user’s password, and will lead to risks. Therefore, it is recommended to be familiar with the methods for securing the SSH server and do not rely on the SSH service alone. Familiarity with security methods in securing the SSH server in Linux is the subject of this article, which will certainly be useful to you. So read this article till the end.
10 useful security methods to improve SSH Server Security
There are different ways to secure SSH servers, we will discuss the best security methods.
Before using security methods, it is better to familiarize yourself with the default settings of the SSH server.
- To make changes in the SSH server settings, you must access the sshd_config file (located in /etc/ssh/), of course, having Root user privileges is a prerequisite for making changes in the ssh_config file.
- ssh_config is the SSH client configuration file found in /etc/ssh/.
- The user’s private and public keys as well as the client config can be found in the $HOME/.ssh/ directory.
- The default SSH port for accessing the server is set to port 22.
1. Changing the default SSH port
As we mentioned, SSH uses port 22 by default for its connections. As we and you know about the default SSH port, hackers also know about this port and they use the default SSH port to penetrate the server. Therefore, because port 22 is the target of hackers, changing the default SSH port is one of the security methods that prevent hackers from penetrating. To change the default SSH port, you need to access the contents of the sshd_config file located in the /etc/ssh/sshd_config directory with your favorite editor:
nano /etc/ssh/ssh_config
In the output of the previous command, find port 22 and change the default SSH port by removing the # before Port 22, and then save and close the file.
There is another method that may be simpler than the previous method, you can make changes without searching in the sshd_config file. For this purpose enter the following command as an example:
Include /etc/ssh/sshd_config.d/*.conf
Port 5922
Then restart the SSH service by running the following command:
sudo systemctl restart ssh
Then you can connect to Linux VPS with the port you set for SSH service. Should be mentioned that after making changes to the default SSH configuration, if you have a firewall, apply the changes to the firewall rule settings as well. To make sure the default SSH port is changed, you can run the following command:
netstat -tlpn
If you are using CentOS, the article How To Change SSH Port In CentOS 7 can guide you more on how to change the default SSH port.
2. Disabling SSH connection for the root user
Cyber attackers usually target the Root user to access the system, for this reason you can disable the Root user’s SSH access and create a new user with a complex and unguessable password. This method is one of the defensive methods to increase the security of SSH server communication. To create a user named testroot, you must create the following commands:
useradd -m testroot
passwd testroot
usermod -aG sudo testroot
Now it’s time to make changes in the sshd_config file. To do this, access the contents of the sshd_config file and apply the following changes:
# Authentication:
#LoginGraceTime 2m
PermitRootLogin no
AllowUsers testroot
By adding PermitRootLogin no to the sshd_config file, you prevent the Root user from accessing the Linux VPS through SSH, but by entering AllowUsers testroot, you grant the necessary privileges to the user you just created.
To apply the changes to the sshd_config file, restart the SSH service:
sudo systemctl restart ssh
Or
sudo systemctl restart sshd
3. Using the SSH key when trying to log in to the SSH server
In addition to entering a password in authentication, it is possible to use a public/private key when trying to log in to an SSH server. Authentication based on SSH keys to access the SSH server is a safer method compared to a password. However, we always recommend that you use a strong and complex password so that hackers cannot easily figure out your password, but to be sure, you can set the public/private key when accessing the SSH server. To set the public key, you must create a new key by running the following command:
ssh-keygen
After running the previous command, you must determine the path of public and private keys.
Output:
Generating public/private rsa key pair.
Enter file in which to save the key(/home/opera/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/opera/.ssh/id_rsa.
Your public key has been saved in / home/opera/.ss/id_isa.pub.
As you can see in the output, the public key is stored as “id_rsa.pub” and the private key as “id_rsa” in the /home/username/.ssh/ directory.
As a result, you were able to create a public key just as easily. Then you need to set authentication to log in to the SSH server based on the public key and Disable password-based authentication.
To disable password-based authentication when trying to log in to the SSH server, open the ssh_config file and find the line “PasswordAuthentication yes” remove the # before this statement and replace this line with “PasswordAuthentication no“.
Finally, you have successfully set up public key-based authentication to log in to the SSH server.
4. Blocking the connection of users with an empty password
To strengthen the security of accessing the server through SSH, one of the methods is to block the access of users who do not have a specific password. Sometimes you create random users or leave the password of users empty, which can fall into the trap of abuse by hackers and brute force attacks. Therefore, you can disallow the access of users who do not have a password to the SSH server; For this purpose, you need to access the content of the ssh_config file and make the following changes:
PermitEmptyPasswords no
5. IP Restrictions to access the SSH server
Under normal conditions, you will be able to connect to the SSH server from different IP addresses, but if you want to improve the security of the Linux VPS, you can allow only one IP address to connect to the SSH server. Also, in the firewall to protect the server, access to the server is allowed for a limited number of IP addresses. but this defensive measure should also be considered in improving server security for SSH connections.
Therefore, to disallow login to the SSH server for all IP addresses except a specific IP address, you need to open the ssh_config file and add the following command lines to it:
ListenAddress [desired IP address/ your machine IP]
6. Setting SSH2 protocol for SSH service
The SSH service should be set to the SSH2 protocol by default because SSH1 has many vulnerabilities and security problems, and the SSH2 protocol was introduced to solve these problems. For this reason, it is recommended to make sure that the SSH server is set to the SSH2 protocol. If the SSH service is not set to the SSH2 protocol, enter the following command in the sshd_config file:
Include /etc/ssh/sshd_config.d/*.conf
Protocol 2
7. Limiting attempts to log in to the SSH server
To prevent brute force attacks and Intrusions of attackers to the SSH server, limiting attempts to access the SSH server is a security method. The SSH service provides the possibility to block that user’s access to the server after a certain number of login attempts through the password.
To limit the number of times a user can attempt to access the SSH server, you need to make changes to the sshd_config file. For example, if you want to limit more than 3 attempts to login to the SSH server, enter the following command:
MaxAuthTries 3
8. Disabling X11 Forwarding and TCP Port Forwarding
The features of X11Forwarding and TCP Port Forwarding provide the conditions for the abuse of profiteers because hackers can access your system and data by hacking the SSH session or forwarding the port through SSH connections. Therefore, the smartest way is to disable X11 Forwarding and TCP Port Forwarding, for this purpose you need to edit the contents of the sshd_config file as follows:
X11Forwarding no
AllowTcpForwarding no
9. Using port knocking
Port knocking is a way to allow only legitimate users to access services on a server. Since the firewall closes the SSH port and no one can connect directly to the SSH port, the server runs a Knockd daemon that can change the firewall rule and temporarily open the SSH port for the user. The Knock Sequence is kind of like a password for the SSH port.
Only users who have permission to use Knock Sequence can use Knock to open the SSH port. Therefore, another useful method to secure the SSH server is to use Port Knocking, we have already taught how to use Port Knocking in Linux, you can use our article on using Port Knocking as your guide. As a result, Port knocking is a security layer for the SSH server that allows authorized users to connect to specific ports through a correct sequence of connection attempts. To better understand port knocking for SSH servers through iptables, consider the following example:
$IPT -N stage1
$IPT -A stage1 -m recent --remove --name knock
$IPT -A stage1 -p tcp --dport 3456 -m recent --set --name knock2
$IPT -N stage2
$IPT -A stage2 -m recent --remove --name knock2
$IPT -A stage2 -p tcp --dport 2345 -m recent --set --name heaven
$IPT -N door
$IPT -A door -m recent --rcheck --seconds 5 --name knock2 -j stage2
$IPT -A door -m recent --rcheck --seconds 5 --name knock -j stage1
$IPT -A door -p tcp --dport 1234 -m recent --set --name knock
$IPT -A INPUT -m --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p tcp --dport 22 -m recent --rcheck --seconds 5 --name heaven -j ACCEPT
$IPT -A INPUT -p tcp --syn -j door
10. Configuring Idle log-out Timeout
The purpose of limiting Idle Timeout is that if users stay idle on the server for more than a certain period and do not perform any activity, they will automatically log out of the SSH server. when the users connect to the server through SSH and perform their tasks and then forget to exit the SSH session, conditions are provided for abuse by attackers. So by setting such a limit you will take care of the SSH session and improve the security of the SSH server. To set Idle Timeout, you need to change the ssh_config file. For example, to set the idle timeout to 300 secs, enter the following command:
ClientAliveInterval 300
Therefore, by running the previous command, the user will be automatically logged out of the Linux VPS if there is no activity for more than 5 minutes (300 seconds) after SSH connection to the Linux VPS.
FAQ
Is the SSH service unreliable?
The SSH protocol ensures the security of your server in the public network by encrypting the communication between the client-server and other features; But in the world of technology and the Internet, no system connected to the Internet can be called 100% safe, unless we do not ignore important security and risk issues and try to improve the security of your system by using security practices.
Conclusion
The server is the box of important information and data of the users’ system, and securing the server is one of the priorities and very important issues of the server administrators. Brute force attacks and hackers are always looking for the weak and vulnerable points of the server to access important information of the server, so it is necessary to know and use security methods to increase the security potential in managing a server. Server administrators are always looking for measures to minimize brute force attacks on the server and the unpleasant consequences of misuse of important information on the server. In this article, we discussed various methods to secure the SSH server, including the following:
- Changing the default SSH port
- Disabling SSH connection for the root user
- Using an SSH key when attempting to login to an SSH server
- Blocking the connection of users with an empty password.
- IP Restrictions in accessing the SSH server
- Setting SSH service on protocol 2
- limiting SSH server login attempts
- Disabling X11 Forwarding and TCP Port Forwarding
- Using port knocking
- Configuring Idle log-out Timeout
This article is a useful guide for users who intend to protect the SSH server from security risks. we have collected 10 of the best methods to secure the SSH server, by implementing the methods we presented in this article, the security of your Linux servers will be improved to the optimum level, and it will be difficult for attackers to access the SSH server. After the necessary configurations in the SSH service, it is recommended to restart the SSH service by running the service ssh restart command. We hope that the Content presented in this article was informative and helpful for you.